Common Weakness Enumeration

CWE-321

Allowed

Use of Hard-coded Cryptographic Key

Abstraction: Variant · Status: Draft

The product uses a hard-coded, unchangeable cryptographic key.

503 vulnerabilities reference this CWE, most recent first.

GHSA-HWF7-8GR2-W4P2

Vulnerability from github – Published: 2026-01-16 03:30 – Updated: 2026-06-04 09:30
VLAI
Details

Delta Electronics DIAView has multiple vulnerabilities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-62581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-16T03:15:58Z",
    "severity": "CRITICAL"
  },
  "details": "Delta Electronics DIAView has multiple vulnerabilities.",
  "id": "GHSA-hwf7-8gr2-w4p2",
  "modified": "2026-06-04T09:30:34Z",
  "published": "2026-01-16T03:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62581"
    },
    {
      "type": "WEB",
      "url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Multiple%20Vulnerabilities%20(CVE-2025-62581,%20CVE-2025-62582).pdf"
    },
    {
      "type": "WEB",
      "url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Use%20of%20Hard-coded%20Cryptographic%20Key%20(CVE-2025-62581)_v1.1.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HWR4-F3G6-5MMP

Vulnerability from github – Published: 2024-09-25 03:30 – Updated: 2024-09-25 03:30
VLAI
Details

IceCMS v3.4.7 and before was discovered to contain a hardcoded JWT key, allowing an attacker to forge JWT authentication information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46612"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-25T01:15:44Z",
    "severity": "CRITICAL"
  },
  "details": "IceCMS v3.4.7 and before was discovered to contain a hardcoded JWT key, allowing an attacker to forge JWT authentication information.",
  "id": "GHSA-hwr4-f3g6-5mmp",
  "modified": "2024-09-25T03:30:36Z",
  "published": "2024-09-25T03:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46612"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Lunax0/LogLunax/blob/main/icecms/CVE-2024-46612.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Thecosy/iceCMS?tab=readme-ov-file"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HX74-4WMC-FWVF

Vulnerability from github – Published: 2023-09-21 15:30 – Updated: 2026-02-04 23:20
VLAI
Summary
Duplicate Advisory: EVE Has Partially Predetermined Vault Key
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-wc42-fcjp-v8vq. This link is maintained to preserve external references.

Original Description

Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo".

This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys").

This makes the key a lot weaker.

This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue.

Roll an update that enforces the full 32bytes key usage.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lf-edge/eve"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20220310190112-c0c966dc31e2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-04T23:20:37Z",
    "nvd_published_at": "2023-09-21T14:15:11Z",
    "severity": "HIGH"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-wc42-fcjp-v8vq. This link is maintained to preserve external references.\n\n### Original Description\nDue to the implementation of \"deriveVaultKey\", prior to version 7.10, the generated vault key\nwould always have the last 16 bytes predetermined to be \"arfoobarfoobarfo\".\n\nThis issue happens because \"deriveVaultKey\" calls \"retrieveCloudKey\" (which will always\nreturn \"foobarfoobarfoobarfoobarfoobarfo\" as the key), and then merges the 32byte\nrandomly generated key with this key (by takeing 16bytes from each, see \"mergeKeys\").\n\nThis makes the key a lot weaker.\n\nThis issue does not persist in devices that were initialized on/after version 7.10, but devices\nthat were initialized before that and updated to a newer version still have this issue.\n\n\n\nRoll an update that enforces the full 32bytes key usage.",
  "id": "GHSA-hx74-4wmc-fwvf",
  "modified": "2026-02-04T23:20:37Z",
  "published": "2023-09-21T15:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43637"
    },
    {
      "type": "WEB",
      "url": "https://asrg.io/security-advisories/cve-2023-43637"
    },
    {
      "type": "WEB",
      "url": "https://asrg.io/security-advisories/vault-key-partially-predetermined"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: EVE Has Partially Predetermined Vault Key",
  "withdrawn": "2026-02-04T23:20:37Z"
}

GHSA-J3PQ-62HG-9X25

Vulnerability from github – Published: 2026-06-12 21:31 – Updated: 2026-06-12 21:31
VLAI
Details

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28742"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-12T19:16:26Z",
    "severity": "CRITICAL"
  },
  "details": "Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system\u2019s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.",
  "id": "GHSA-j3pq-62hg-9x25",
  "modified": "2026-06-12T21:31:43Z",
  "published": "2026-06-12T21:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28742"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-162-02.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J4F3-JW82-8MRW

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

A Use of Hard-Coded Cryptographic Key issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). An unchangeable, factory-set key is included in the 900 MHz transmitter firmware.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-20T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A Use of Hard-Coded Cryptographic Key issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). An unchangeable, factory-set key is included in the 900 MHz transmitter firmware.",
  "id": "GHSA-j4f3-jw82-8mrw",
  "modified": "2022-05-13T01:36:05Z",
  "published": "2022-05-13T01:36:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9649"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-208-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J6CH-Q7WX-85M6

Vulnerability from github – Published: 2025-07-23 00:30 – Updated: 2025-10-02 18:30
VLAI
Details

A potential security vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The vulnerability could allow the retrieval of hardcoded cryptographic keys. HP has addressed the issue in the latest software update.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-23T00:15:24Z",
    "severity": "MODERATE"
  },
  "details": "A potential security vulnerability has been\nidentified in the Poly Clariti Manager for versions prior to 10.12.1. The\nvulnerability could allow the retrieval of hardcoded cryptographic keys. HP has\naddressed the issue in the latest software update.",
  "id": "GHSA-j6ch-q7wx-85m6",
  "modified": "2025-10-02T18:30:56Z",
  "published": "2025-07-23T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43483"
    },
    {
      "type": "WEB",
      "url": "https://support.hp.com/us-en/document/ish_12781425-12781447-16/hbsbpy04037"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J6V4-3F83-JR3W

Vulnerability from github – Published: 2026-06-26 15:32 – Updated: 2026-06-26 15:32
VLAI
Details

Unauthenticated Backdoor in Enable CORS <= 2.0.3 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T15:16:40Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated Backdoor in Enable CORS \u003c= 2.0.3 versions.",
  "id": "GHSA-j6v4-3f83-jr3w",
  "modified": "2026-06-26T15:32:15Z",
  "published": "2026-06-26T15:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54833"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/enable-cors/vulnerability/wordpress-enable-cors-plugin-2-0-3-backdoor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J752-CJCJ-W847

Vulnerability from github – Published: 2025-04-15 14:17 – Updated: 2025-04-23 15:09
VLAI
Summary
Dpanel's hard-coded JWT secret leads to remote code execution
Details

Summary

The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine.

Details

The Dpanel service, when initiated using its default configuration, includes a hardcoded JWT secret embedded directly within its source code. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. It is recommended to replace the hardcoded secret with a securely generated value and load it from secure configuration storage to mitigate this vulnerability.

PoC

The core code snippet is shown below:

import jwt

def generate_jwt(appname):

    payload = {
        "SECRET_KEY":"SECRET_VALUE",
    }
    print("appname:", appname)
    print("payload:", str(payload))
    token = jwt.encode(payload, SECRET_KEY.format(APP_NAME=appname), algorithm="HS256")
    return token

appname = "SECRET_KEY"
token = generate_jwt(appname)
print("url token:", token)

Impact

Attackers who successfully exploit this vulnerability can write arbitrary files to the host machine's file system, and all users with Dpanel versions less than 1.6.1 are affected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/donknap/dpanel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-453",
      "CWE-547"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-15T14:17:25Z",
    "nvd_published_at": "2025-04-15T20:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine.\n\n### Details\nThe Dpanel service, when initiated using its default configuration, includes a hardcoded JWT secret embedded directly within its source code. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. It is recommended to replace the hardcoded secret with a securely generated value and load it from secure configuration storage to mitigate this vulnerability.\n\n\n### PoC\nThe core code snippet is shown below:\n```python\nimport jwt\n\ndef generate_jwt(appname):\n\n    payload = {\n        \"SECRET_KEY\"\uff1a\"SECRET_VALUE\",\n    }\n    print(\"appname:\", appname)\n    print(\"payload:\", str(payload))\n    token = jwt.encode(payload, SECRET_KEY.format(APP_NAME=appname), algorithm=\"HS256\")\n    return token\n\nappname = \"SECRET_KEY\"\ntoken = generate_jwt(appname)\nprint(\"url token:\", token)\n```\n\n### Impact\nAttackers who successfully exploit this vulnerability can write arbitrary files to the host machine\u0027s file system, and all users with Dpanel versions less than 1.6.1 are affected.",
  "id": "GHSA-j752-cjcj-w847",
  "modified": "2025-04-23T15:09:48Z",
  "published": "2025-04-15T14:17:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/donknap/dpanel/security/advisories/GHSA-j752-cjcj-w847"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30206"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/donknap/dpanel"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3612"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dpanel\u0027s hard-coded JWT secret leads to remote code execution"
}

GHSA-J754-RJHQ-MJ6J

Vulnerability from github – Published: 2023-01-18 09:30 – Updated: 2023-01-25 21:30
VLAI
Details

Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a Hard-coded Password Vulnerability. An attacker, with the knowledge of the hard-coded credentials, could potentially exploit this vulnerability to login to the system to gain admin privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34462"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-18T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a Hard-coded Password Vulnerability. An attacker, with the knowledge of the hard-coded credentials, could potentially exploit this vulnerability to login to the system to gain admin privileges.",
  "id": "GHSA-j754-rjhq-mj6j",
  "modified": "2023-01-25T21:30:19Z",
  "published": "2023-01-18T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34462"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000204995/dsa-2022-273-dell-secure-connect-gateway-policy-manager-security-update-for-multiple-proprietary-code-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J7CX-968M-V284

Vulnerability from github – Published: 2025-09-26 03:31 – Updated: 2025-09-26 06:30
VLAI
Details

Unitree Go2, G1, H1, and B2 devices through 2025-09-20 decrypt BLE packet data by using the df98b715d5c6ed2b25817b6f2554124a key and the 2841ae97419c2973296a0d4bdfe19a4f IV.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60250"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-26T01:15:37Z",
    "severity": "MODERATE"
  },
  "details": "Unitree Go2, G1, H1, and B2 devices through 2025-09-20 decrypt BLE packet data by using the df98b715d5c6ed2b25817b6f2554124a key and the 2841ae97419c2973296a0d4bdfe19a4f IV.",
  "id": "GHSA-j7cx-968m-v284",
  "modified": "2025-09-26T06:30:48Z",
  "published": "2025-09-26T03:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60250"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Bin4ry/UniPwn"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=45381590"
    },
    {
      "type": "WEB",
      "url": "https://spectrum.ieee.org/unitree-robot-exploit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Prevention schemes mirror that of hard-coded password storage.

No CAPEC attack patterns related to this CWE.