The product uses a hard-coded, unchangeable cryptographic key.
View on MITREIf hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Prevention schemes mirror that of hard-coded password storage.
No detection method information available for this CWE.
The following code examples attempt to verify a password using a hard-coded cryptographic key.
The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system.
The following code examples attempt to verify a password using a hard-coded cryptographic key.
The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system.
The following code examples attempt to verify a password using a hard-coded cryptographic key.
The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system.
Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation
View DetailsRemote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used by default.
View DetailsCommunications / collaboration product has a hardcoded SSH private key, allowing access to root account
View DetailsNo relationship information available for this CWE.
CWE-321: Use of Hard-coded Cryptographic Key is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses a hard-coded, unchangeable cryptographic key.
If exploited, CWE-321 (Use of Hard-coded Cryptographic Key) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism, Gain Privileges or Assume Identity and Read Application Data.
Recommended mitigations for CWE-321 include: Prevention schemes mirror that of hard-coded password storage.
CWE-321 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-321, including CVE-2022-29960, CVE-2022-30271, CVE-2020-10884 and CVE-2014-2198. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-321 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.