CWE-321
AllowedUse of Hard-coded Cryptographic Key
Abstraction: Variant · Status: Draft
The product uses a hard-coded, unchangeable cryptographic key.
503 vulnerabilities reference this CWE, most recent first.
GHSA-7M5H-J2PG-2JR2
Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2026-06-03 15:30Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to help protect the account password is hard coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller.
{
"affected": [],
"aliases": [
"CVE-2020-6990"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-16T16:15:00Z",
"severity": "HIGH"
},
"details": "Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to help protect the account password is hard coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller.",
"id": "GHSA-7m5h-j2pg-2jr2",
"modified": "2026-06-03T15:30:33Z",
"published": "2022-05-24T17:11:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6990"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-070-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RV4-G7QG-Q4MX
Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:32Logsign Unified SecOps Platform HTTP API Hard-coded Cryptographic Key Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the HTTP API. The issue results from using a hard-coded cryptographic key. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24170.
{
"affected": [],
"aliases": [
"CVE-2024-5722"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T20:15:10Z",
"severity": "HIGH"
},
"details": "Logsign Unified SecOps Platform HTTP API Hard-coded Cryptographic Key Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the HTTP API. The issue results from using a hard-coded cryptographic key. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24170.",
"id": "GHSA-7rv4-g7qg-q4mx",
"modified": "2024-11-22T21:32:16Z",
"published": "2024-11-22T21:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5722"
},
{
"type": "WEB",
"url": "https://support.logsign.net/hc/en-us/articles/19316621924754-03-06-2024-Version-6-4-8-Release-Notes"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-614"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7W44-CFPH-XHH9
Vulnerability from github – Published: 2025-02-11 09:30 – Updated: 2025-02-11 09:30SolarWinds Web Help Desk was found to have a hardcoded cryptographic key that could allow the disclosure of sensitive information from the software.
{
"affected": [],
"aliases": [
"CVE-2024-28989"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T08:15:30Z",
"severity": "MODERATE"
},
"details": "SolarWinds Web Help Desk was found to have a hardcoded cryptographic key that could allow the disclosure of sensitive information from the software.",
"id": "GHSA-7w44-cfph-xhh9",
"modified": "2025-02-11T09:30:33Z",
"published": "2025-02-11T09:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28989"
},
{
"type": "WEB",
"url": "https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-5_release_notes.htm"
},
{
"type": "WEB",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28989"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7W8F-Q3M3-PFJ7
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2025-01-31 21:32Code Dx versions prior to 2023.4.2 are vulnerable to user impersonation attack where a malicious actor is able to gain access to another user's account by crafting a custom "Remember Me" token. This is possible due to the use of a hard-coded cipher which was used when generating the token. A malicious actor who creates this token can supply it to a separate Code Dx system, provided they know the username they want to impersonate, and impersonate the user. Score 6.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
{
"affected": [],
"aliases": [
"CVE-2023-2158"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-27T18:15:13Z",
"severity": "CRITICAL"
},
"details": "Code Dx versions prior to 2023.4.2 are vulnerable to user impersonation attack where a malicious actor is able to gain access to another user\u0027s account by crafting a custom \"Remember Me\" token. This is possible due to the use of a hard-coded cipher which was used when generating the token. A malicious actor who creates this token can supply it to a separate Code Dx system, provided they know the username they want to impersonate, and impersonate the user.\u00a0\u00a0Score\u00a06.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C\n\n",
"id": "GHSA-7w8f-q3m3-pfj7",
"modified": "2025-01-31T21:32:44Z",
"published": "2023-07-06T19:24:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2158"
},
{
"type": "WEB",
"url": "https://community.synopsys.com/s/question/0D5Hr00006VdZblKAF/announcement-changelog-code-dx-202342"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-82VJ-CRX8-GVP9
Vulnerability from github – Published: 2024-07-17 18:31 – Updated: 2024-07-17 18:31A vulnerability in Cisco Intelligent Node (iNode) Software could allow an unauthenticated, remote attacker to hijack the TLS connection between Cisco iNode Manager and associated intelligent nodes and send arbitrary traffic to an affected device.
This vulnerability is due to the presence of hard-coded cryptographic material. An attacker in a man-in-the-middle position between Cisco iNode Manager and associated deployed nodes could exploit this vulnerability by using the static cryptographic key to generate a trusted certificate and impersonate an affected device. A successful exploit could allow the attacker to read data that is meant for a legitimate device, modify the startup configuration of an associated node, and, consequently, cause a denial of service (DoS) condition for downstream devices that are connected to the affected node.
{
"affected": [],
"aliases": [
"CVE-2024-20323"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-17T17:15:12Z",
"severity": "HIGH"
},
"details": "A vulnerability in Cisco Intelligent Node (iNode) Software could allow an unauthenticated, remote attacker to hijack the TLS connection between Cisco iNode Manager and associated intelligent nodes and send arbitrary traffic to an affected device.\n\n This vulnerability is due to the presence of hard-coded cryptographic material. An attacker in a man-in-the-middle position between Cisco iNode Manager and associated deployed nodes could exploit this vulnerability by using the static cryptographic key to generate a trusted certificate and impersonate an affected device. A successful exploit could allow the attacker to read data that is meant for a legitimate device, modify the startup configuration of an associated node, and, consequently, cause a denial of service (DoS) condition for downstream devices that are connected to the affected node.",
"id": "GHSA-82vj-crx8-gvp9",
"modified": "2024-07-17T18:31:00Z",
"published": "2024-07-17T18:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20323"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-inode-static-key-VUVCeynn"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-83VR-2Q27-PM8V
Vulnerability from github – Published: 2026-01-24 03:30 – Updated: 2026-01-26 21:30Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.
{
"affected": [],
"aliases": [
"CVE-2026-22586"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-24T01:15:50Z",
"severity": "CRITICAL"
},
"details": "Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.",
"id": "GHSA-83vr-2q27-pm8v",
"modified": "2026-01-26T21:30:36Z",
"published": "2026-01-24T03:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22586"
},
{
"type": "WEB",
"url": "https://help.salesforce.com/s/articleView?id=005299346\u0026type=1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-849R-HJ58-P84G
Vulnerability from github – Published: 2026-05-20 21:31 – Updated: 2026-05-20 21:31NVIDIA DGX OS contains a vulnerability in the factory provisioning process, where the cloning of a base image causes identical SSH host keys to be deployed across multiple systems. The sharing of cryptographic identifiers across all similarly provisioned systems enables host impersonation or attacker-in-the-middle attacks. A successful exploit of this vulnerability might lead to code execution, data tampering, escalation of privileges, information disclosure, and denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-24218"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T20:16:36Z",
"severity": "HIGH"
},
"details": "NVIDIA DGX OS contains a vulnerability in the factory provisioning process, where the cloning of a base image causes identical SSH host keys to be deployed across multiple systems. The sharing of cryptographic identifiers across all similarly provisioned systems enables host impersonation or attacker-in-the-middle attacks. A successful exploit of this vulnerability might lead to code execution, data tampering, escalation of privileges, information disclosure, and denial of service.",
"id": "GHSA-849r-hj58-p84g",
"modified": "2026-05-20T21:31:30Z",
"published": "2026-05-20T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24218"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5835"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24218"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84C3-J8R2-MCM8
Vulnerability from github – Published: 2024-02-26 20:10 – Updated: 2024-02-26 20:10Problem
User sessions in the @nfid/embed SDK with Ed25519 keys are vulnerable due to a compromised private key 535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe. This exposes users to potential loss of funds on ledgers and unauthorized access to canisters they control.
Solution
Using version >1.0.1 of @dfinity/auth-client and @dfinity/identity packages, or @nfid/embed >0.10.1-alpha.6 includes patched versions of the issue.
User sessions will be automatically fixed when they re-authenticate.
Why this happened
The DFINITY auth client library provides a function, Ed25519KeyIdentity.generate, for generating an Ed25519 key pair. This function includes an optional parameter to supply a 32-byte seed value, which will be utilized as the secret key. In cases where no seed value is provided, the library is expected to generate the secret key using secure randomness. However, a recent update of DFINITY libraries has compromised this assurance by employing an insecure seed for key pair generation.
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@nfid/embed"
},
"ranges": [
{
"events": [
{
"introduced": "0.10.0"
},
{
"fixed": "0.10.1-alpha.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-330"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-26T20:10:10Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Problem\nUser sessions in the @nfid/embed SDK with Ed25519 keys are vulnerable due to a compromised private key `535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe`. This exposes users to potential loss of funds on ledgers and unauthorized access to canisters they control.\n\n### Solution\nUsing version \u003e1.0.1 of @dfinity/auth-client and @dfinity/identity packages, or @nfid/embed \u003e0.10.1-alpha.6 includes patched versions of the issue.\n\nUser sessions will be automatically fixed when they re-authenticate.\n\n### Why this happened\nThe DFINITY auth client library provides a function, `Ed25519KeyIdentity.generate`, for generating an Ed25519 key pair. This function includes an optional parameter to supply a 32-byte seed value, which will be utilized as the secret key. In cases where no seed value is provided, the library is expected to generate the secret key using secure randomness. However, a recent update of DFINITY libraries has compromised this assurance by employing an insecure seed for key pair generation.\n\n### References\n[AgentJS CVE ](https://github.com/dfinity/agent-js/security/advisories/GHSA-c9vv-fhgv-cjc3)\n",
"id": "GHSA-84c3-j8r2-mcm8",
"modified": "2024-02-26T20:10:10Z",
"published": "2024-02-26T20:10:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dfinity/agent-js/security/advisories/GHSA-c9vv-fhgv-cjc3"
},
{
"type": "WEB",
"url": "https://github.com/internet-identity-labs/sdk-ts/security/advisories/GHSA-84c3-j8r2-mcm8"
},
{
"type": "PACKAGE",
"url": "https://github.com/internet-identity-labs/sdk-ts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "@nfid/embed has compromised private key due to @dfinity/auth-client producing insecure session keys"
}
GHSA-86F3-HF24-76Q4
Vulnerability from github – Published: 2022-02-22 19:40 – Updated: 2026-05-19 16:06Impact
There is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server, if you know the address and username of the admin. This effects the server (netmaker) component, and not clients.
Patches
This has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. If you are running these versions, the fix is to perform the following:
- docker-compose down
- docker pull gravitl/netmaker:( version )
- docker-compose up -d
Additional Information
If you are running any other version, you will need to upgrade to one of these three versions. If you have a special circumstance that requires running a different version, let us know and we may be able to build a custom patch.
For more information
If you have any questions or comments about this advisory: * Email us at info@gravitl.com
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gravitl/netmaker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/gravitl/netmaker"
},
"ranges": [
{
"events": [
{
"introduced": "0.9.0"
},
{
"fixed": "0.9.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23650"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-22T19:40:23Z",
"nvd_published_at": "2022-02-18T22:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThere is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server, if you know the address and username of the admin. This effects the server (netmaker) component, and not clients.\n\n### Patches\nThis has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. If you are running these versions, the fix is to perform the following:\n\n1. docker-compose down\n2. docker pull gravitl/netmaker:( version )\n3. docker-compose up -d\n\n#### Additional Information\nIf you are running **any other version**, you will need to upgrade to one of these three versions. If you have a special circumstance that requires running a different version, let us know and we may be able to build a custom patch.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [info@gravitl.com](mailto:info@gravitl.com)",
"id": "GHSA-86f3-hf24-76q4",
"modified": "2026-05-19T16:06:11Z",
"published": "2022-02-22T19:40:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-86f3-hf24-76q4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23650"
},
{
"type": "WEB",
"url": "https://github.com/gravitl/netmaker/pull/781/commits/1bec97c662670dfdab804343fc42ae4b1d050a87"
},
{
"type": "WEB",
"url": "https://github.com/gravitl/netmaker/commit/3d4f44ecfe8be4ca38920556ba3b90502ffb4fee"
},
{
"type": "WEB",
"url": "https://github.com/gravitl/netmaker/commit/e9bce264719f88c30e252ecc754d08f422f4c080"
},
{
"type": "PACKAGE",
"url": "https://github.com/gravitl/netmaker"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Use of Hard-coded Cryptographic Key in Netmaker"
}
GHSA-8PJ9-C2GQ-JHW8
Vulnerability from github – Published: 2024-02-06 21:30 – Updated: 2024-04-29 12:30A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-1258"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-06T21:15:08Z",
"severity": "LOW"
},
"details": "A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key\n . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability.",
"id": "GHSA-8pj9-c2gq-jhw8",
"modified": "2024-04-29T12:30:34Z",
"published": "2024-02-06T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1258"
},
{
"type": "WEB",
"url": "https://note.zhaoj.in/share/XblX1My7jNV7"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.252997"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.252997"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.277418"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Prevention schemes mirror that of hard-coded password storage.
No CAPEC attack patterns related to this CWE.