Common Weakness Enumeration

CWE-321

Allowed

Use of Hard-coded Cryptographic Key

Abstraction: Variant · Status: Draft

The product uses a hard-coded, unchangeable cryptographic key.

503 vulnerabilities reference this CWE, most recent first.

GHSA-4G38-9X5C-PQ58

Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30
VLAI
Details

Softing Secure Integration Server Hardcoded Cryptographic Key Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within libopcuaclient.so. The issue results from hardcoding crytographic keys within the product. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-20610.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T03:15:14Z",
    "severity": "MODERATE"
  },
  "details": "Softing Secure Integration Server Hardcoded Cryptographic Key Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within libopcuaclient.so. The issue results from hardcoding crytographic keys within the product. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-20610.",
  "id": "GHSA-4g38-9x5c-pq58",
  "modified": "2024-05-03T03:30:56Z",
  "published": "2024-05-03T03:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39482"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1064"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4G7J-2H92-XXP4

Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2022-01-06 00:01
VLAI
Details

Dell PowerPath Management Appliance, versions 3.2, 3.1, 3.0 P01, 3.0, and 2.6, use hard-coded cryptographic key. A local high-privileged malicious user may potentially exploit this vulnerability to gain access to secrets and elevate to gain higher privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43587"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-21T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell PowerPath Management Appliance, versions 3.2, 3.1, 3.0 P01, 3.0, and 2.6, use hard-coded cryptographic key. A local high-privileged malicious user may potentially exploit this vulnerability to gain access to secrets and elevate to gain higher privileges.",
  "id": "GHSA-4g7j-2h92-xxp4",
  "modified": "2022-01-06T00:01:22Z",
  "published": "2021-12-22T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43587"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000194083/dsa-2021-260"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4GCF-523Q-9GMP

Vulnerability from github – Published: 2023-03-21 21:30 – Updated: 2025-02-26 18:30
VLAI
Details

MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. This behavior was observed in version 2.2.0. There has been no indication from the vendor this has been addressed in version 2.2.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0391"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-21T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. This behavior was observed in version 2.2.0. There has been no indication from the vendor this has been addressed in version 2.2.1.",
  "id": "GHSA-4gcf-523q-9gmp",
  "modified": "2025-02-26T18:30:37Z",
  "published": "2023-03-21T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0391"
    },
    {
      "type": "WEB",
      "url": "https://www.bleepingcomputer.com/news/security/cloudpanel-installations-use-the-same-ssl-certificate-private-key"
    },
    {
      "type": "WEB",
      "url": "https://www.rapid7.com/blog/post/2023/03/21/cve-2023-0391-mgt-commerce-cloudpanel-shared-certificate-vulnerability-and-weak-installation-procedures"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4M32-CJV7-F425

Vulnerability from github – Published: 2025-11-14 21:52 – Updated: 2026-05-12 13:31
VLAI
Summary
AstrBot is vulnerable to RCE with hard-coded JWT signing keys
Details

Summary

AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin.

Details

AstrBot uses a hard-coded JWT signing key, which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python plugin that will be imported here, enabling arbitrary command execution on the target host.

Impact

All publicly accessible AstrBot instances are vulnerable.

For more information, please see: CVE-2025-55449-AstrBot-RCE

Patch

This vulnerability was first reported on 2025-06-21 and was patched on the same day (2025-06-21).

The vulnerability was publicly disclosed on 2025-11-14. Prior to public disclosure, monitoring from AstrBot Cloud indicated that fewer than 2% of deployed instances were still running the affected version. Therefore, this disclosure is not expected to have a significant impact on existing active instances.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "astrbot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-345",
      "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-14T21:52:23Z",
    "nvd_published_at": "2026-05-08T07:16:28Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nAstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin.\n\n### Details\n\nAstrBot uses a [hard-coded JWT signing key](https://github.com/AstrBotDevs/AstrBot/blob/v3.5.16/astrbot/core/__init__.py), which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python plugin that will be imported [here](https://github.com/AstrBotDevs/AstrBot/blob/master/astrbot/dashboard/routes/plugin.py), enabling arbitrary command execution on the target host.\n\n### Impact\n\nAll publicly accessible AstrBot instances are vulnerable.\n\nFor more information, please see: [CVE-2025-55449-AstrBot-RCE](https://github.com/Marven11/CVE-2025-55449-AstrBot-RCE)\n\n### Patch\n\nThis vulnerability was first reported on **2025-06-21** and was patched on the **same day** (2025-06-21).\n\nThe vulnerability was publicly disclosed on **2025-11-14**. Prior to public disclosure, monitoring from AstrBot Cloud indicated that fewer than 2% of deployed instances were still running the affected version. Therefore, this disclosure is not expected to have a significant impact on existing active instances.",
  "id": "GHSA-4m32-cjv7-f425",
  "modified": "2026-05-12T13:31:11Z",
  "published": "2025-11-14T21:52:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-4m32-cjv7-f425"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55449"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AstrBotDevs/AstrBot/commit/d03e9fb90a0921a1bd10cf480bdacc9aaa246472"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AstrBotDevs/AstrBot"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AstrBotDevs/AstrBot/releases/tag/v3.5.18"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Marven11/CVE-2025-55449-AstrBot-RCE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AstrBot is vulnerable to RCE with hard-coded JWT signing keys"
}

GHSA-4P9F-9FV4-QG64

Vulnerability from github – Published: 2025-03-19 06:31 – Updated: 2025-03-19 06:31
VLAI
Details

SmartOS, as used in Triton Data Center and other products, has static host SSH keys in the 60f76fd2-143f-4f57-819b-1ae32684e81b image (a Debian 12 LX zone image from 2024-07-26).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-19T05:15:41Z",
    "severity": "HIGH"
  },
  "details": "SmartOS, as used in Triton Data Center and other products, has static host SSH keys in the 60f76fd2-143f-4f57-819b-1ae32684e81b image (a Debian 12 LX zone image from 2024-07-26).",
  "id": "GHSA-4p9f-9fv4-qg64",
  "modified": "2025-03-19T06:31:54Z",
  "published": "2025-03-19T06:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30234"
    },
    {
      "type": "WEB",
      "url": "https://security.tritondatacenter.com/tps-2025-002"
    },
    {
      "type": "WEB",
      "url": "https://smartos.topicbox.com/groups/smartos-discuss/Ta6f13072e6bedddc-M3702e993edd7d6ce8d78dfc8"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2025/03/13/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4PVM-5X6H-F3QP

Vulnerability from github – Published: 2025-01-14 15:30 – Updated: 2025-01-14 15:30
VLAI
Details

A use of hard-coded cryptographic key in Fortinet FortiClientWindows version 7.4.0, 7.2.x all versions, 7.0.x all versions, and 6.4.x all versions may allow a low-privileged user to decrypt interprocess communication via monitoring named piped.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T14:15:33Z",
    "severity": "LOW"
  },
  "details": "A use of hard-coded cryptographic key in Fortinet FortiClientWindows version 7.4.0, 7.2.x all versions, 7.0.x all versions, and 6.4.x all versions may allow a low-privileged user to decrypt interprocess communication via monitoring named piped.",
  "id": "GHSA-4pvm-5x6h-f3qp",
  "modified": "2025-01-14T15:30:54Z",
  "published": "2025-01-14T15:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50564"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-216"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RC5-7V2H-GQ36

Vulnerability from github – Published: 2024-08-08 00:31 – Updated: 2024-08-08 15:31
VLAI
Details

Password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-07T23:15:41Z",
    "severity": "CRITICAL"
  },
  "details": "Password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.",
  "id": "GHSA-4rc5-7v2h-gq36",
  "modified": "2024-08-08T15:31:30Z",
  "published": "2024-08-08T00:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6890"
    },
    {
      "type": "WEB",
      "url": "https://korelogic.com/Resources/Advisories/KL-001-2024-007.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4V2G-76QR-8GVJ

Vulnerability from github – Published: 2026-05-26 21:32 – Updated: 2026-05-26 21:32
VLAI
Details

There is a mitigation bypass / (incomplete fix) for CVE-2025-62582 (Unauthenticated Remote Database Access)

An unauthenticated remote attacker can access configured databases in a DIAView project.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9642"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-26T21:16:45Z",
    "severity": "CRITICAL"
  },
  "details": "There is a mitigation bypass / (incomplete fix) for CVE-2025-62582 (Unauthenticated Remote Database Access) \n\nAn unauthenticated remote attacker can access configured databases in a DIAView project.",
  "id": "GHSA-4v2g-76qr-8gvj",
  "modified": "2026-05-26T21:32:01Z",
  "published": "2026-05-26T21:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9642"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2026-44"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4V3J-7FCP-C89C

Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-10-27 19:00
VLAI
Details

The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38461"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-22T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries.",
  "id": "GHSA-4v3j-7fcp-c89c",
  "modified": "2022-10-27T19:00:32Z",
  "published": "2022-05-24T19:18:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38461"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4V4W-44Q3-WW8W

Vulnerability from github – Published: 2025-09-29 21:30 – Updated: 2025-10-09 18:30
VLAI
Details

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are shipped in the application containers (printerlogic/pi, printerlogic/printer-admin-api, and printercloud/pi). The keys are stored in clear text under /var/www/app/config/ as keyfile.ppk.dev and keyfile.saasid.ppk.dev. The application uses these keys as the symmetric secret for AES‑256‑CBC encryption/decryption of the “SaaS Id” (external identifier) through the getEncryptedExternalId() / getDecryptedExternalId() methods. Because the secret is embedded in the deployed image, any attacker who can obtain a copy of the Docker image, read the configuration files, or otherwise enumerate the filesystem can recover the encryption key. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-34234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-29T21:15:37Z",
    "severity": "CRITICAL"
  },
  "details": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are shipped in the application containers (printerlogic/pi, printerlogic/printer-admin-api, and printercloud/pi). The keys are stored in clear text under /var/www/app/config/ as keyfile.ppk.dev and keyfile.saasid.ppk.dev. The application uses these keys as the symmetric secret for AES\u2011256\u2011CBC encryption/decryption of the \u201cSaaS Id\u201d (external identifier) through the getEncryptedExternalId() / getDecryptedExternalId() methods. Because the secret is embedded in the deployed image, any attacker who can obtain a copy of the Docker image, read the configuration files, or otherwise enumerate the filesystem can recover the encryption key.\u00a0This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.",
  "id": "GHSA-4v4w-44q3-ww8w",
  "modified": "2025-10-09T18:30:27Z",
  "published": "2025-09-29T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34234"
    },
    {
      "type": "WEB",
      "url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
    },
    {
      "type": "WEB",
      "url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
    },
    {
      "type": "WEB",
      "url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-hardcoded-key"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-hardcoded-encryption-private-keys"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Prevention schemes mirror that of hard-coded password storage.

No CAPEC attack patterns related to this CWE.