CWE-321
AllowedUse of Hard-coded Cryptographic Key
Abstraction: Variant · Status: Draft
The product uses a hard-coded, unchangeable cryptographic key.
503 vulnerabilities reference this CWE, most recent first.
GHSA-HWF7-8GR2-W4P2
Vulnerability from github – Published: 2026-01-16 03:30 – Updated: 2026-06-04 09:30Delta Electronics DIAView has multiple vulnerabilities.
{
"affected": [],
"aliases": [
"CVE-2025-62581"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T03:15:58Z",
"severity": "CRITICAL"
},
"details": "Delta Electronics DIAView has multiple vulnerabilities.",
"id": "GHSA-hwf7-8gr2-w4p2",
"modified": "2026-06-04T09:30:34Z",
"published": "2026-01-16T03:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62581"
},
{
"type": "WEB",
"url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Multiple%20Vulnerabilities%20(CVE-2025-62581,%20CVE-2025-62582).pdf"
},
{
"type": "WEB",
"url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Use%20of%20Hard-coded%20Cryptographic%20Key%20(CVE-2025-62581)_v1.1.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HWR4-F3G6-5MMP
Vulnerability from github – Published: 2024-09-25 03:30 – Updated: 2024-09-25 03:30IceCMS v3.4.7 and before was discovered to contain a hardcoded JWT key, allowing an attacker to forge JWT authentication information.
{
"affected": [],
"aliases": [
"CVE-2024-46612"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-25T01:15:44Z",
"severity": "CRITICAL"
},
"details": "IceCMS v3.4.7 and before was discovered to contain a hardcoded JWT key, allowing an attacker to forge JWT authentication information.",
"id": "GHSA-hwr4-f3g6-5mmp",
"modified": "2024-09-25T03:30:36Z",
"published": "2024-09-25T03:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46612"
},
{
"type": "WEB",
"url": "https://github.com/Lunax0/LogLunax/blob/main/icecms/CVE-2024-46612.md"
},
{
"type": "WEB",
"url": "https://github.com/Thecosy/iceCMS?tab=readme-ov-file"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HX74-4WMC-FWVF
Vulnerability from github – Published: 2023-09-21 15:30 – Updated: 2026-02-04 23:20Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-wc42-fcjp-v8vq. This link is maintained to preserve external references.
Original Description
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo".
This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys").
This makes the key a lot weaker.
This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue.
Roll an update that enforces the full 32bytes key usage.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lf-edge/eve"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220310190112-c0c966dc31e2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-04T23:20:37Z",
"nvd_published_at": "2023-09-21T14:15:11Z",
"severity": "HIGH"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-wc42-fcjp-v8vq. This link is maintained to preserve external references.\n\n### Original Description\nDue to the implementation of \"deriveVaultKey\", prior to version 7.10, the generated vault key\nwould always have the last 16 bytes predetermined to be \"arfoobarfoobarfo\".\n\nThis issue happens because \"deriveVaultKey\" calls \"retrieveCloudKey\" (which will always\nreturn \"foobarfoobarfoobarfoobarfoobarfo\" as the key), and then merges the 32byte\nrandomly generated key with this key (by takeing 16bytes from each, see \"mergeKeys\").\n\nThis makes the key a lot weaker.\n\nThis issue does not persist in devices that were initialized on/after version 7.10, but devices\nthat were initialized before that and updated to a newer version still have this issue.\n\n\n\nRoll an update that enforces the full 32bytes key usage.",
"id": "GHSA-hx74-4wmc-fwvf",
"modified": "2026-02-04T23:20:37Z",
"published": "2023-09-21T15:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43637"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/cve-2023-43637"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/vault-key-partially-predetermined"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: EVE Has Partially Predetermined Vault Key",
"withdrawn": "2026-02-04T23:20:37Z"
}
GHSA-J3PQ-62HG-9X25
Vulnerability from github – Published: 2026-06-12 21:31 – Updated: 2026-06-12 21:31Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.
{
"affected": [],
"aliases": [
"CVE-2026-28742"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T19:16:26Z",
"severity": "CRITICAL"
},
"details": "Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system\u2019s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.",
"id": "GHSA-j3pq-62hg-9x25",
"modified": "2026-06-12T21:31:43Z",
"published": "2026-06-12T21:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28742"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-162-02.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J4F3-JW82-8MRW
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36A Use of Hard-Coded Cryptographic Key issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). An unchangeable, factory-set key is included in the 900 MHz transmitter firmware.
{
"affected": [],
"aliases": [
"CVE-2017-9649"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-20T16:29:00Z",
"severity": "MODERATE"
},
"details": "A Use of Hard-Coded Cryptographic Key issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). An unchangeable, factory-set key is included in the 900 MHz transmitter firmware.",
"id": "GHSA-j4f3-jw82-8mrw",
"modified": "2022-05-13T01:36:05Z",
"published": "2022-05-13T01:36:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9649"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-208-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-J6CH-Q7WX-85M6
Vulnerability from github – Published: 2025-07-23 00:30 – Updated: 2025-10-02 18:30A potential security vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The vulnerability could allow the retrieval of hardcoded cryptographic keys. HP has addressed the issue in the latest software update.
{
"affected": [],
"aliases": [
"CVE-2025-43483"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-23T00:15:24Z",
"severity": "MODERATE"
},
"details": "A potential security vulnerability has been\nidentified in the Poly Clariti Manager for versions prior to 10.12.1. The\nvulnerability could allow the retrieval of hardcoded cryptographic keys. HP has\naddressed the issue in the latest software update.",
"id": "GHSA-j6ch-q7wx-85m6",
"modified": "2025-10-02T18:30:56Z",
"published": "2025-07-23T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43483"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/ish_12781425-12781447-16/hbsbpy04037"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J6V4-3F83-JR3W
Vulnerability from github – Published: 2026-06-26 15:32 – Updated: 2026-06-26 15:32Unauthenticated Backdoor in Enable CORS <= 2.0.3 versions.
{
"affected": [],
"aliases": [
"CVE-2026-54833"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T15:16:40Z",
"severity": "HIGH"
},
"details": "Unauthenticated Backdoor in Enable CORS \u003c= 2.0.3 versions.",
"id": "GHSA-j6v4-3f83-jr3w",
"modified": "2026-06-26T15:32:15Z",
"published": "2026-06-26T15:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54833"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/enable-cors/vulnerability/wordpress-enable-cors-plugin-2-0-3-backdoor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J752-CJCJ-W847
Vulnerability from github – Published: 2025-04-15 14:17 – Updated: 2025-04-23 15:09Summary
The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine.
Details
The Dpanel service, when initiated using its default configuration, includes a hardcoded JWT secret embedded directly within its source code. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. It is recommended to replace the hardcoded secret with a securely generated value and load it from secure configuration storage to mitigate this vulnerability.
PoC
The core code snippet is shown below:
import jwt
def generate_jwt(appname):
payload = {
"SECRET_KEY":"SECRET_VALUE",
}
print("appname:", appname)
print("payload:", str(payload))
token = jwt.encode(payload, SECRET_KEY.format(APP_NAME=appname), algorithm="HS256")
return token
appname = "SECRET_KEY"
token = generate_jwt(appname)
print("url token:", token)
Impact
Attackers who successfully exploit this vulnerability can write arbitrary files to the host machine's file system, and all users with Dpanel versions less than 1.6.1 are affected.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/donknap/dpanel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-30206"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-453",
"CWE-547"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-15T14:17:25Z",
"nvd_published_at": "2025-04-15T20:15:39Z",
"severity": "CRITICAL"
},
"details": "### Summary\nThe Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine.\n\n### Details\nThe Dpanel service, when initiated using its default configuration, includes a hardcoded JWT secret embedded directly within its source code. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. It is recommended to replace the hardcoded secret with a securely generated value and load it from secure configuration storage to mitigate this vulnerability.\n\n\n### PoC\nThe core code snippet is shown below:\n```python\nimport jwt\n\ndef generate_jwt(appname):\n\n payload = {\n \"SECRET_KEY\"\uff1a\"SECRET_VALUE\",\n }\n print(\"appname:\", appname)\n print(\"payload:\", str(payload))\n token = jwt.encode(payload, SECRET_KEY.format(APP_NAME=appname), algorithm=\"HS256\")\n return token\n\nappname = \"SECRET_KEY\"\ntoken = generate_jwt(appname)\nprint(\"url token:\", token)\n```\n\n### Impact\nAttackers who successfully exploit this vulnerability can write arbitrary files to the host machine\u0027s file system, and all users with Dpanel versions less than 1.6.1 are affected.",
"id": "GHSA-j752-cjcj-w847",
"modified": "2025-04-23T15:09:48Z",
"published": "2025-04-15T14:17:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/donknap/dpanel/security/advisories/GHSA-j752-cjcj-w847"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30206"
},
{
"type": "PACKAGE",
"url": "https://github.com/donknap/dpanel"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3612"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Dpanel\u0027s hard-coded JWT secret leads to remote code execution"
}
GHSA-J754-RJHQ-MJ6J
Vulnerability from github – Published: 2023-01-18 09:30 – Updated: 2023-01-25 21:30Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a Hard-coded Password Vulnerability. An attacker, with the knowledge of the hard-coded credentials, could potentially exploit this vulnerability to login to the system to gain admin privileges.
{
"affected": [],
"aliases": [
"CVE-2022-34462"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-18T07:15:00Z",
"severity": "HIGH"
},
"details": "Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a Hard-coded Password Vulnerability. An attacker, with the knowledge of the hard-coded credentials, could potentially exploit this vulnerability to login to the system to gain admin privileges.",
"id": "GHSA-j754-rjhq-mj6j",
"modified": "2023-01-25T21:30:19Z",
"published": "2023-01-18T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34462"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000204995/dsa-2022-273-dell-secure-connect-gateway-policy-manager-security-update-for-multiple-proprietary-code-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J7CX-968M-V284
Vulnerability from github – Published: 2025-09-26 03:31 – Updated: 2025-09-26 06:30Unitree Go2, G1, H1, and B2 devices through 2025-09-20 decrypt BLE packet data by using the df98b715d5c6ed2b25817b6f2554124a key and the 2841ae97419c2973296a0d4bdfe19a4f IV.
{
"affected": [],
"aliases": [
"CVE-2025-60250"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-26T01:15:37Z",
"severity": "MODERATE"
},
"details": "Unitree Go2, G1, H1, and B2 devices through 2025-09-20 decrypt BLE packet data by using the df98b715d5c6ed2b25817b6f2554124a key and the 2841ae97419c2973296a0d4bdfe19a4f IV.",
"id": "GHSA-j7cx-968m-v284",
"modified": "2025-09-26T06:30:48Z",
"published": "2025-09-26T03:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60250"
},
{
"type": "WEB",
"url": "https://github.com/Bin4ry/UniPwn"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=45381590"
},
{
"type": "WEB",
"url": "https://spectrum.ieee.org/unitree-robot-exploit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Prevention schemes mirror that of hard-coded password storage.
No CAPEC attack patterns related to this CWE.