CWE-321
AllowedUse of Hard-coded Cryptographic Key
Abstraction: Variant · Status: Draft
The product uses a hard-coded, unchangeable cryptographic key.
503 vulnerabilities reference this CWE, most recent first.
GHSA-4G38-9X5C-PQ58
Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30Softing Secure Integration Server Hardcoded Cryptographic Key Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within libopcuaclient.so. The issue results from hardcoding crytographic keys within the product. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-20610.
{
"affected": [],
"aliases": [
"CVE-2023-39482"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:14Z",
"severity": "MODERATE"
},
"details": "Softing Secure Integration Server Hardcoded Cryptographic Key Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within libopcuaclient.so. The issue results from hardcoding crytographic keys within the product. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-20610.",
"id": "GHSA-4g38-9x5c-pq58",
"modified": "2024-05-03T03:30:56Z",
"published": "2024-05-03T03:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39482"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1064"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4G7J-2H92-XXP4
Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2022-01-06 00:01Dell PowerPath Management Appliance, versions 3.2, 3.1, 3.0 P01, 3.0, and 2.6, use hard-coded cryptographic key. A local high-privileged malicious user may potentially exploit this vulnerability to gain access to secrets and elevate to gain higher privileges.
{
"affected": [],
"aliases": [
"CVE-2021-43587"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-21T17:15:00Z",
"severity": "HIGH"
},
"details": "Dell PowerPath Management Appliance, versions 3.2, 3.1, 3.0 P01, 3.0, and 2.6, use hard-coded cryptographic key. A local high-privileged malicious user may potentially exploit this vulnerability to gain access to secrets and elevate to gain higher privileges.",
"id": "GHSA-4g7j-2h92-xxp4",
"modified": "2022-01-06T00:01:22Z",
"published": "2021-12-22T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43587"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000194083/dsa-2021-260"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4GCF-523Q-9GMP
Vulnerability from github – Published: 2023-03-21 21:30 – Updated: 2025-02-26 18:30MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. This behavior was observed in version 2.2.0. There has been no indication from the vendor this has been addressed in version 2.2.1.
{
"affected": [],
"aliases": [
"CVE-2023-0391"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-21T20:15:00Z",
"severity": "HIGH"
},
"details": "MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. This behavior was observed in version 2.2.0. There has been no indication from the vendor this has been addressed in version 2.2.1.",
"id": "GHSA-4gcf-523q-9gmp",
"modified": "2025-02-26T18:30:37Z",
"published": "2023-03-21T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0391"
},
{
"type": "WEB",
"url": "https://www.bleepingcomputer.com/news/security/cloudpanel-installations-use-the-same-ssl-certificate-private-key"
},
{
"type": "WEB",
"url": "https://www.rapid7.com/blog/post/2023/03/21/cve-2023-0391-mgt-commerce-cloudpanel-shared-certificate-vulnerability-and-weak-installation-procedures"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4M32-CJV7-F425
Vulnerability from github – Published: 2025-11-14 21:52 – Updated: 2026-05-12 13:31Summary
AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin.
Details
AstrBot uses a hard-coded JWT signing key, which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python plugin that will be imported here, enabling arbitrary command execution on the target host.
Impact
All publicly accessible AstrBot instances are vulnerable.
For more information, please see: CVE-2025-55449-AstrBot-RCE
Patch
This vulnerability was first reported on 2025-06-21 and was patched on the same day (2025-06-21).
The vulnerability was publicly disclosed on 2025-11-14. Prior to public disclosure, monitoring from AstrBot Cloud indicated that fewer than 2% of deployed instances were still running the affected version. Therefore, this disclosure is not expected to have a significant impact on existing active instances.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "astrbot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55449"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-345",
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-14T21:52:23Z",
"nvd_published_at": "2026-05-08T07:16:28Z",
"severity": "CRITICAL"
},
"details": "### Summary\nAstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin.\n\n### Details\n\nAstrBot uses a [hard-coded JWT signing key](https://github.com/AstrBotDevs/AstrBot/blob/v3.5.16/astrbot/core/__init__.py), which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python plugin that will be imported [here](https://github.com/AstrBotDevs/AstrBot/blob/master/astrbot/dashboard/routes/plugin.py), enabling arbitrary command execution on the target host.\n\n### Impact\n\nAll publicly accessible AstrBot instances are vulnerable.\n\nFor more information, please see: [CVE-2025-55449-AstrBot-RCE](https://github.com/Marven11/CVE-2025-55449-AstrBot-RCE)\n\n### Patch\n\nThis vulnerability was first reported on **2025-06-21** and was patched on the **same day** (2025-06-21).\n\nThe vulnerability was publicly disclosed on **2025-11-14**. Prior to public disclosure, monitoring from AstrBot Cloud indicated that fewer than 2% of deployed instances were still running the affected version. Therefore, this disclosure is not expected to have a significant impact on existing active instances.",
"id": "GHSA-4m32-cjv7-f425",
"modified": "2026-05-12T13:31:11Z",
"published": "2025-11-14T21:52:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-4m32-cjv7-f425"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55449"
},
{
"type": "WEB",
"url": "https://github.com/AstrBotDevs/AstrBot/commit/d03e9fb90a0921a1bd10cf480bdacc9aaa246472"
},
{
"type": "PACKAGE",
"url": "https://github.com/AstrBotDevs/AstrBot"
},
{
"type": "WEB",
"url": "https://github.com/AstrBotDevs/AstrBot/releases/tag/v3.5.18"
},
{
"type": "WEB",
"url": "https://github.com/Marven11/CVE-2025-55449-AstrBot-RCE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "AstrBot is vulnerable to RCE with hard-coded JWT signing keys"
}
GHSA-4P9F-9FV4-QG64
Vulnerability from github – Published: 2025-03-19 06:31 – Updated: 2025-03-19 06:31SmartOS, as used in Triton Data Center and other products, has static host SSH keys in the 60f76fd2-143f-4f57-819b-1ae32684e81b image (a Debian 12 LX zone image from 2024-07-26).
{
"affected": [],
"aliases": [
"CVE-2025-30234"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-19T05:15:41Z",
"severity": "HIGH"
},
"details": "SmartOS, as used in Triton Data Center and other products, has static host SSH keys in the 60f76fd2-143f-4f57-819b-1ae32684e81b image (a Debian 12 LX zone image from 2024-07-26).",
"id": "GHSA-4p9f-9fv4-qg64",
"modified": "2025-03-19T06:31:54Z",
"published": "2025-03-19T06:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30234"
},
{
"type": "WEB",
"url": "https://security.tritondatacenter.com/tps-2025-002"
},
{
"type": "WEB",
"url": "https://smartos.topicbox.com/groups/smartos-discuss/Ta6f13072e6bedddc-M3702e993edd7d6ce8d78dfc8"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2025/03/13/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4PVM-5X6H-F3QP
Vulnerability from github – Published: 2025-01-14 15:30 – Updated: 2025-01-14 15:30A use of hard-coded cryptographic key in Fortinet FortiClientWindows version 7.4.0, 7.2.x all versions, 7.0.x all versions, and 6.4.x all versions may allow a low-privileged user to decrypt interprocess communication via monitoring named piped.
{
"affected": [],
"aliases": [
"CVE-2024-50564"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T14:15:33Z",
"severity": "LOW"
},
"details": "A use of hard-coded cryptographic key in Fortinet FortiClientWindows version 7.4.0, 7.2.x all versions, 7.0.x all versions, and 6.4.x all versions may allow a low-privileged user to decrypt interprocess communication via monitoring named piped.",
"id": "GHSA-4pvm-5x6h-f3qp",
"modified": "2025-01-14T15:30:54Z",
"published": "2025-01-14T15:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50564"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-216"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4RC5-7V2H-GQ36
Vulnerability from github – Published: 2024-08-08 00:31 – Updated: 2024-08-08 15:31Password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.
{
"affected": [],
"aliases": [
"CVE-2024-6890"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-07T23:15:41Z",
"severity": "CRITICAL"
},
"details": "Password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.",
"id": "GHSA-4rc5-7v2h-gq36",
"modified": "2024-08-08T15:31:30Z",
"published": "2024-08-08T00:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6890"
},
{
"type": "WEB",
"url": "https://korelogic.com/Resources/Advisories/KL-001-2024-007.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4V2G-76QR-8GVJ
Vulnerability from github – Published: 2026-05-26 21:32 – Updated: 2026-05-26 21:32There is a mitigation bypass / (incomplete fix) for CVE-2025-62582 (Unauthenticated Remote Database Access)
An unauthenticated remote attacker can access configured databases in a DIAView project.
{
"affected": [],
"aliases": [
"CVE-2026-9642"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T21:16:45Z",
"severity": "CRITICAL"
},
"details": "There is a mitigation bypass / (incomplete fix) for CVE-2025-62582 (Unauthenticated Remote Database Access) \n\nAn unauthenticated remote attacker can access configured databases in a DIAView project.",
"id": "GHSA-4v2g-76qr-8gvj",
"modified": "2026-05-26T21:32:01Z",
"published": "2026-05-26T21:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9642"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2026-44"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4V3J-7FCP-C89C
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-10-27 19:00The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries.
{
"affected": [],
"aliases": [
"CVE-2021-38461"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-22T12:15:00Z",
"severity": "HIGH"
},
"details": "The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries.",
"id": "GHSA-4v3j-7fcp-c89c",
"modified": "2022-10-27T19:00:32Z",
"published": "2022-05-24T19:18:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38461"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4V4W-44Q3-WW8W
Vulnerability from github – Published: 2025-09-29 21:30 – Updated: 2025-10-09 18:30Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are shipped in the application containers (printerlogic/pi, printerlogic/printer-admin-api, and printercloud/pi). The keys are stored in clear text under /var/www/app/config/ as keyfile.ppk.dev and keyfile.saasid.ppk.dev. The application uses these keys as the symmetric secret for AES‑256‑CBC encryption/decryption of the “SaaS Id” (external identifier) through the getEncryptedExternalId() / getDecryptedExternalId() methods. Because the secret is embedded in the deployed image, any attacker who can obtain a copy of the Docker image, read the configuration files, or otherwise enumerate the filesystem can recover the encryption key. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
{
"affected": [],
"aliases": [
"CVE-2025-34234"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-29T21:15:37Z",
"severity": "CRITICAL"
},
"details": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are shipped in the application containers (printerlogic/pi, printerlogic/printer-admin-api, and printercloud/pi). The keys are stored in clear text under /var/www/app/config/ as keyfile.ppk.dev and keyfile.saasid.ppk.dev. The application uses these keys as the symmetric secret for AES\u2011256\u2011CBC encryption/decryption of the \u201cSaaS Id\u201d (external identifier) through the getEncryptedExternalId() / getDecryptedExternalId() methods. Because the secret is embedded in the deployed image, any attacker who can obtain a copy of the Docker image, read the configuration files, or otherwise enumerate the filesystem can recover the encryption key.\u00a0This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.",
"id": "GHSA-4v4w-44q3-ww8w",
"modified": "2025-10-09T18:30:27Z",
"published": "2025-09-29T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34234"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-hardcoded-key"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-hardcoded-encryption-private-keys"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Prevention schemes mirror that of hard-coded password storage.
No CAPEC attack patterns related to this CWE.