Total
219 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-29830 | 1 Mitsubishielectric | 1 Gx Works3 | 2025-11-07 | 9.1 Critical |
| Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z, and Motion Control Setting(GX Works3 related software) versions from 1.000A to 1.065T allows a remote unauthenticated attacker to disclose or tamper with sensitive information. As a result, unauthenticated attackers may obtain information about project files illegally. | ||||
| CVE-2022-29829 | 1 Mitsubishielectric | 1 Gx Works3 | 2025-11-07 | 6.8 Medium |
| Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.090U, GT Designer3 Version1 (GOT2000) versions from 1.122C to 1.290C, Motion Control Setting(GX Works3 related software) versions from 1.035M to 1.042U, and MT Works2 versions from 1.100E to 1.200J allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users may view programs and project files or execute programs illegally. | ||||
| CVE-2025-30406 | 1 Gladinet | 1 Centrestack | 2025-11-05 | 9 Critical |
| Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config. | ||||
| CVE-2014-5419 | 1 Ge | 14 Multilink Ml1200, Multilink Ml1200 Firmware, Multilink Ml1600 and 11 more | 2025-11-05 | N/A |
| GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier use the same RSA private key across different customers' installations, which makes it easier for remote attackers to obtain the cleartext content of network traffic by reading this key from a firmware image and then sniffing the network. | ||||
| CVE-2025-48417 | 2025-11-03 | 6.5 Medium | ||
| The certificate and private key used for providing transport layer security for connections to the web interface (TCP port 443) is hard-coded in the firmware and are shipped with the update files. An attacker can use the private key to perform man-in-the-middle attacks against users of the admin interface. The files are located in /etc/ssl (e.g. salia.local.crt, salia.local.key and salia.local.pem). There is no option to upload/configure custom TLS certificates. | ||||
| CVE-2025-44963 | 2 Commscope, Ruckus | 2 Ruckus Network Director, Network Director | 2025-11-03 | 9 Critical |
| RUCKUS Network Director (RND) before 4.5 allows spoofing of an administrator JWT by an attacker who knows the hardcoded value of a certain secret key. | ||||
| CVE-2025-27674 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-11-03 | 9.8 Critical |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Hardcoded IdP Key V-2023-006. | ||||
| CVE-2014-5403 | 1 Hospira | 1 Mednet | 2025-11-03 | N/A |
| Hospira MedNet before 6.1 uses hardcoded cryptographic keys for protection of data transmission from infusion pumps, which allows remote attackers to obtain sensitive information by sniffing the network. | ||||
| CVE-2025-54471 | 1 Suse | 1 Neuvector | 2025-10-30 | 6.5 Medium |
| NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data. | ||||
| CVE-2024-33891 | 1 Delinea | 1 Secret Server | 2025-10-28 | 8.8 High |
| Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService.asmx. This is related to a hardcoded key, the use of the integer 2 for the Admin user, and removal of the oauthExpirationId attribute. | ||||
| CVE-2025-34500 | 1 Shuffle Master | 1 Deck Mate 2 | 2025-10-27 | N/A |
| Deck Mate 2's firmware update mechanism accepts packages without cryptographic signature verification, encrypts them with a single hard-coded AES key shared across devices, and uses a truncated HMAC for integrity validation. Attackers with access to the update interface - typically via the unit's USB update port - can craft or modify firmware packages to execute arbitrary code as root, allowing persistent compromise of the device's integrity and deck randomization process. Physical or on-premises access remains the most likely attack path, though network-exposed or telemetry-enabled deployments could theoretically allow remote exploitation if misconfigured. The vendor confirmed that firmware updates have been issued to correct these update-chain weaknesses and that USB update access has been disabled on affected units. | ||||
| CVE-2025-46582 | 1 Zte | 1 Zxmp M721 | 2025-10-27 | 7.7 High |
| A private key disclosure vulnerability exists in ZTE's ZXMP M721 product. A low-privileged user can bypass authorization checks to view the device's communication private key, resulting in key exposure and impacting communication security. | ||||
| CVE-2025-59407 | 3 Flock Safety, Flocksafety, Google | 7 Bravo Edge Ai Compute Device, Bravo Edge Ai Compute Device, Detectionprocessing and 4 more | 2025-10-24 | 9.8 Critical |
| The Flock Safety DetectionProcessing com.flocksafety.android.objects application 6.35.33 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) bundles a Java Keystore (flock_rye.bks) along with its hardcoded password (flockhibiki17) in its code. The keystore contains a private key. | ||||
| CVE-2025-26340 | 1 Q-free | 1 Maxtime | 2025-10-24 | 8.8 High |
| A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to bypass the authentication via crafted HTTP requests. | ||||
| CVE-2025-11609 | 2 Code-projects, Fabian | 2 Hospital Management System, Hospital Management System | 2025-10-23 | 3.7 Low |
| A flaw has been found in code-projects Hospital Management System 1.0. Affected is the function session of the component express-session. This manipulation of the argument secret with the input secret causes use of hard-coded cryptographic key . The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit has been published and may be used. | ||||
| CVE-2025-35052 | 1 Newforma | 2 Project Center, Project Center Server | 2025-10-22 | 5.3 Medium |
| Newforma Info Exchange (NIX) uses a hard-coded key to encrypt certain query parameters. Some encrypted parameter values can specify paths to download files, potentially bypassing authentication and authorization, for example, the 'qs' parameter used in '/DownloadWeb/download.aspx'. This key is shared across NIX installations. NIX 2023.3 and 2024.1 limit the use of hard-coded keys. | ||||
| CVE-2016-4437 | 2 Apache, Redhat | 6 Aurora, Shiro, Fuse and 3 more | 2025-10-22 | 9.8 Critical |
| Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. | ||||
| CVE-2025-11899 | 1 Flowring | 1 Agentflow | 2025-10-21 | 8.1 High |
| Agentflow developed by Flowring has an Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information, thereby logging into the system as any user. Attacker must first obtain an user ID in order to exploit this vulnerability. | ||||
| CVE-2025-58426 | 1 Neojapan | 1 Desknet Neo | 2025-10-21 | N/A |
| desknet's NEO V4.0R1.0 to V9.0R2.0 contains a hard-coded cryptographic key, which allows an attacker to create malicious AppSuite applications. | ||||
| CVE-2024-58134 | 1 Mojolicious | 1 Mojolicious | 2025-10-20 | 8.1 High |
| Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session. | ||||