CVEs classified under CWE-321, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2024-30207 — CVSS 10.0 (critical): A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating…
CVE-2014-5419 — CVSS 10.0 (critical): GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches…
CVE-2024-35344 — CVSS 9.9 (critical): Certain Anpviz products contain a hardcoded cryptographic key stored in the firmware of the device. This affects IPC-D250, IPC-D260…
CVE-2026-28742 — CVSS 9.8 (critical): Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this…
CVE-2025-67112 — CVSS 9.8 (critical): Use of a hard-coded AES-256-CBC key in the configuration backup/restore implementation of Small Cell Sercomm SCE4255W (FreedomFi Englewood)…
CVE-2025-67305 — CVSS 9.8 (critical): In RUCKUS Network Director (RND) < 4.5.0.56, the OVA appliance contains hardcoded SSH keys for the postgres user. These keys are identical…
CVE-2026-26335 — CVSS 9.8 (critical): Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored…
CVE-2026-25894 — CVSS 9.8 (critical): FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an…
CVE-2026-22906 — CVSS 9.8 (critical): User credentials are stored using AES‑ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration…
CVE-2026-22586 — CVSS 9.8 (critical): Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center…
CVE-2025-15016 — CVSS 9.8 (critical): Enterprise Cloud Database developed by Ragic has a Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to…
CVE-2025-34256 — CVSS 9.8 (critical): Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512…
CVE-2025-12599 — CVSS 9.8 (critical): Multiple Devices are Sharing the Same Secrets for SDKSocket (TCP/5000).This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
CVE-2025-59407 — CVSS 9.8 (critical): The Flock Safety DetectionProcessing com.flocksafety.android.objects application 6.35.33 for Android (installed on Falcon and Sparrow…
CVE-2025-34217 — CVSS 9.8 (critical): Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) contain an undocumented 'printerlogic'…
CVE-2025-8625 — CVSS 9.8 (critical): The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to…
CVE-2025-54807 — CVSS 9.8 (critical): The secret used for validating authentication tokens is hardcoded in device firmware for affected versions. An attacker who obtains the…
CVE-2025-57174 — CVSS 9.8 (critical): An issue was discovered in Siklu Communications Etherhaul 8010TX and 1200FX devices, Firmware 7.4.0 through 10.7.3 and possibly other…
CVE-2025-41702 — CVSS 9.8 (critical): The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can…
CVE-2025-55619 — CVSS 9.8 (critical): Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this…
CVE-2025-30206 — CVSS 9.8 (critical): Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded…
CVE-2024-46612 — CVSS 9.8 (critical): IceCMS v3.4.7 and before was discovered to contain a hardcoded JWT key, allowing an attacker to forge JWT authentication information.
CVE-2024-5296 — CVSS 9.8 (critical): D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass…
CVE-2023-32169 — CVSS 9.8 (critical): D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass…
CVE-2019-19752 — CVSS 9.8 (critical): nvOC through 3.2 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes…
CVE-2024-2413 — CVSS 9.8 (critical): Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the…
CVE-2023-48392 — CVSS 9.8 (critical): Kaifa Technology WebITR is an online attendance system, it has a vulnerability in using hard-coded encryption key. An unauthenticated…
CVE-2023-3632 — CVSS 9.8 (critical): Use of Hard-coded Cryptographic Key vulnerability in Sifir Bes Education and Informatics Kunduz - Homework Helper App allows Authentication…
CVE-2022-2641 — CVSS 9.8 (critical): Horner Automation’s RCC 972 with firmware version 15.40 has a static encryption key on the device. This could allow an attacker to…
CVE-2022-0664 — CVSS 9.8 (critical): Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5,0.9.4,0.10.0,0.10.1.
CVE-2021-32520 — CVSS 9.8 (critical): Use of hard-coded cryptographic key vulnerability in QSAN Storage Manager allows attackers to obtain users’ credentials and related…
CVE-2021-27389 — CVSS 9.8 (critical): A vulnerability has been identified in Opcenter Quality (All versions < V12.2), QMS Automotive (All versions < V12.30). A private sign key…
CVE-2026-50091 — CVSS 9.1 (critical): Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded…
CVE-2026-31986 — CVSS 9.1 (critical): Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended…
CVE-2026-5426 — CVSS 9.1 (critical): Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to…
CVE-2025-63289 — CVSS 9.1 (critical): Sogexia Android App Compile Affected SDK v35, Max SDK 32 and fixed in v36, was discovered to contain hardcoded encryption keys in the…
CVE-2019-19753 — CVSS 9.1 (critical): SimpleMiningOS through v1259 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes…
CVE-2025-44963 — CVSS 9.0 (critical): RUCKUS Network Director (RND) before 4.5 allows spoofing of an administrator JWT by an attacker who knows the hardcoded value of a certain…
CVE-2025-30095 — CVSS 9.0 (critical): VyOS 1.3 through 1.5 (fixed in 1.4.2) or any Debian-based system using dropbear in combination with live-build has the same Dropbear…
CVE-2025-5353 — CVSS 8.8 (high): A hardcoded key in Ivanti Workspace Control before version 10.19.10.0 allows a local authenticated attacker to decrypt stored SQL…
CVE-2025-22455 — CVSS 8.8 (high): A hardcoded key in Ivanti Workspace Control before version 10.19.0.0 allows a local authenticated attacker to decrypt stored SQL…
CVE-2025-26340 — CVSS 8.8 (high): A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2024-33891 — CVSS 8.8 (high): Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService…
CVE-2026-45433: This vulnerability exists in GX Earth 2022 ONT models due to the presence of hardcoded RSA private key within the device firmware. A remote…