CWE-321
Use of Hard-coded Cryptographic Key
Abstraction: Variant. Likelihood of exploit: High.
What it is
The product uses a hard-coded, unchangeable cryptographic key. Because the key is embedded in the code or firmware, anyone who can read one copy of the product (a downloaded firmware image, a decompiled binary, a repository) obtains the key for every deployment that ships it, and the key cannot be rotated without building and distributing a new release.
Impact
| Scope | Technical impact |
|---|---|
| Access Control | Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data |
Mitigations
- [Architecture and Design] Prevention schemes mirror those of hard-coded password storage: do not embed the key in code; generate it at installation or first run, or obtain it from a key-management service, store it outside the program in a location the product can read but an attacker cannot, and design so that it can be rotated without a new build.
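The following Python is an added example, not code from MITRE or from any of the products named in the CVE list below. It shows the weakness and the mitigation side by side: a message-authentication routine keyed with a literal baked into the source, the same routine with a key supplied per deployment from the environment or a per-installation file, and a small static check that flags key-sized, high-entropy hex literals in source code. The environment variable `APP_HMAC_KEY`, the function names, the key value and the sample source being scanned are all constructed for the example.

```python
"""CWE-321 illustrated: a key baked into source, the same operation with a
key supplied at deployment time, and a small scan that flags the vulnerable
pattern.  Added example; all names and values below are constructed."""
import hashlib
import hmac
import math
import os
import re
import secrets
from typing import Optional

# --- Vulnerable: the key is a literal in the program (constructed value) ---
# Every copy of the program shares it, anyone who can read the binary or the
# repository has it, and rotating it means shipping new code.
HARDCODED_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def sign_hardcoded(message: bytes) -> str:
    """Authenticate a message with the baked-in key (CWE-321)."""
    return hmac.new(HARDCODED_KEY, message, hashlib.sha256).hexdigest()


# --- Hardened: the key is configured per deployment and never appears in code ---
def load_key(env_var: str = "APP_HMAC_KEY", key_file: Optional[str] = None,
             env=None, min_len: int = 32) -> bytes:
    """Return the key from the environment (hex-encoded) or a per-installation file.

    `env` defaults to os.environ; it is a parameter only so the lookup can be
    exercised without touching the real environment.
    """
    env = os.environ if env is None else env
    raw = env.get(env_var)
    if raw:
        key = bytes.fromhex(raw)
    elif key_file and os.path.exists(key_file):
        with open(key_file, "rb") as fh:
            key = fh.read()
    else:
        raise RuntimeError(f"no key configured: set {env_var} or provide a key file")
    if len(key) < min_len:
        raise ValueError(f"key must be at least {min_len} bytes, got {len(key)}")
    return key


def generate_install_key(key_file: str, length: int = 32) -> bytes:
    """Create a fresh random key for this installation, owner-readable only.

    Refuses to overwrite an existing key file (O_EXCL) so a re-run cannot
    silently replace the key that deployed data was protected with.
    """
    key = secrets.token_bytes(length)
    fd = os.open(key_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return key


def sign(key: bytes, message: bytes) -> str:
    """Same operation as sign_hardcoded, but with a caller-supplied key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


# --- Detection: flag key-sized, high-entropy hex literals in source ---
_HEX_LITERAL = re.compile(r'["\']([0-9a-fA-F]{32,128})["\']')
_KEY_SIZES = {16, 24, 32, 48, 64}  # AES-128/192/256 and common HMAC key lengths


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random key material scores close to the maximum."""
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_keys(source: str, min_entropy: float = 3.0):
    """Return (line_number, key_length) for each literal that looks like key material.

    Low-entropy literals such as an all-zero IV are ignored.  Hash constants
    have the same shape as keys and will be reported; a reviewer rules them out.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in _HEX_LITERAL.finditer(line):
            hexdigits = match.group(1)
            if len(hexdigits) % 2:
                continue
            data = bytes.fromhex(hexdigits)
            if len(data) in _KEY_SIZES and shannon_entropy(data) >= min_entropy:
                findings.append((lineno, len(data)))
    return findings


# Constructed sample source to scan; not taken from any real product.
SAMPLE_SOURCE = '''import hmac
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
IV = bytes.fromhex("00000000000000000000000000000000")
SHA256_OF_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
'''

if __name__ == "__main__":
    # Line 2 is the real finding; line 4 is a hash constant reported for review.
    print(find_hardcoded_keys(SAMPLE_SOURCE))
```

The scan is deliberately crude: it looks only at hex literals and uses byte entropy to drop all-zero IVs and magic numbers, so a hash constant of key length is still reported and a key spelled as a list of integers is missed. It is the kind of check to run in CI over firmware source or decompiled output as a first pass, not a replacement for review of how every key is provisioned.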
Real-world CVE examples
- CVE-2022-29960 — Engineering Workstation uses hard-coded cryptographic keys that could allow for unauthorized filesystem access and privilege escalation
- CVE-2022-30271 — Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used by default.
- CVE-2020-10884 — WiFi router service has a hard-coded encryption key, allowing root access
- CVE-2014-2198 — Communications / collaboration product has a hardcoded SSH private key, allowing access to root account
Related weaknesses
- CWE-798 Use of Hard-coded Credentials (parent of this weakness)
Source: MITRE CWE. View on cwe.mitre.org: https://cwe.mitre.org/data/definitions/321.html