Skip to main content

CWE-1240

Use of a Cryptographic Primitive with a Risky Implementation

13 CVEs Avg CVSS 6.0 MITRE
1
CRITICAL
1
HIGH
9
MEDIUM
2
LOW
0
POC
0
KEV

Monthly

CVE-2026-50303 MEDIUM PATCH Exploit Unlikely This Month

Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally.

Authentication Bypass Microsoft Windows 10 Version 1809 Windows 10 Version 21H2 Windows 10 Version 22H2 +8
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-44410 LOW Monitor

Business logic abuse in ZTE ZXUniPOS NDS-LTE (versions V24.40.40 and V24.30.40CP02) allows a highly privileged authenticated network attacker to manipulate legitimate application functions in ways unintended by the designer, yielding limited integrity and availability degradation. The CVSS score of 3.8 (Low) combined with an EPSS exploitation probability of 0.03% (7th percentile) and SSVC exploitation status of 'none' collectively indicate minimal immediate real-world threat. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Zxunipos Nds Lte
NVD VulDB
CVSS 3.1
3.8
EPSS
0.0%
CVE-2025-64647 MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 implement cryptographic algorithms that are weaker than expected, allowing attackers to decrypt highly sensitive information without authentication. The vulnerability has a CVSS score of 5.9 with high confidentiality impact but no integrity or availability impact. A patch is available from IBM, and this represents a pure information disclosure risk affecting the confidentiality of encrypted data.

IBM Information Disclosure
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-27017 Go MEDIUM PATCH This Month

uTLS versions 1.6.0 through 1.8.0 fail to properly mimic Chrome's cipher suite selection behavior when using GREASE ECH, randomly choosing ChaCha20 for encrypted client hello while consistently using AES for the outer handshake—a mismatch that does not occur in actual Chrome and creates detectable fingerprints. This inconsistency affects users relying on uTLS for fingerprinting resistance and could enable network observers to distinguish uTLS traffic from legitimate Chrome connections. A patch is available to correct the cipher suite selection logic.

Information Disclosure Utls Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22705 Cargo MEDIUM PATCH This Month

which provide authentication of data using public-key cryptography. versions up to 0.1.0 contains a security vulnerability (CVSS 6.4).

Information Disclosure
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14505 npm MEDIUM This Month

The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. [CVSS 5.6 MEDIUM]

Information Disclosure Red Hat
NVD GitHub HeroDevs
CVSS 3.1
5.6
EPSS
0.0%
CVE-2025-46424 MEDIUM This Month

Dell CloudLink, versions prior to 8.2, contain use of a Cryptographic Primitive with a Risky Implementation vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Dell Denial Of Service Cloudlink D-Link
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-29808 MEDIUM This Month

Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Information Disclosure Windows Server 2022 Windows
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2025-29779 PyPI MEDIUM This Month

Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. Rated medium severity (CVSS 5.4), this vulnerability is no authentication required. No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 4.0
5.4
EPSS
0.0%
CVE-2025-22475 LOW Monitor

Dell PowerProtect DD, versions prior to DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.10 contains a use of a Cryptographic Primitive with a Risky Implementation vulnerability. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Dell Information Disclosure Data Domain Operating System
NVD
CVSS 3.1
3.7
EPSS
0.2%
EPSS 0% CVSS 5.5
MEDIUM PATCH Exploit Unlikely This Month

Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally.

Authentication Bypass Microsoft Windows 10 Version 1809 +10
NVD
EPSS 0% CVSS 3.8
LOW Monitor

Business logic abuse in ZTE ZXUniPOS NDS-LTE (versions V24.40.40 and V24.30.40CP02) allows a highly privileged authenticated network attacker to manipulate legitimate application functions in ways unintended by the designer, yielding limited integrity and availability degradation. The CVSS score of 3.8 (Low) combined with an EPSS exploitation probability of 0.03% (7th percentile) and SSVC exploitation status of 'none' collectively indicate minimal immediate real-world threat. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Zxunipos Nds Lte
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

IBM Concert versions 1.0.0 through 2.2.0 implement cryptographic algorithms that are weaker than expected, allowing attackers to decrypt highly sensitive information without authentication. The vulnerability has a CVSS score of 5.9 with high confidentiality impact but no integrity or availability impact. A patch is available from IBM, and this represents a pure information disclosure risk affecting the confidentiality of encrypted data.

IBM Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

uTLS versions 1.6.0 through 1.8.0 fail to properly mimic Chrome's cipher suite selection behavior when using GREASE ECH, randomly choosing ChaCha20 for encrypted client hello while consistently using AES for the outer handshake—a mismatch that does not occur in actual Chrome and creates detectable fingerprints. This inconsistency affects users relying on uTLS for fingerprinting resistance and could enable network observers to distinguish uTLS traffic from legitimate Chrome connections. A patch is available to correct the cipher suite selection logic.

Information Disclosure Utls Suse
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

which provide authentication of data using public-key cryptography. versions up to 0.1.0 contains a security vulnerability (CVSS 6.4).

Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.6
MEDIUM This Month

The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. [CVSS 5.6 MEDIUM]

Information Disclosure Red Hat
NVD GitHub HeroDevs
EPSS 0% CVSS 6.7
MEDIUM This Month

Dell CloudLink, versions prior to 8.2, contain use of a Cryptographic Primitive with a Risky Implementation vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Dell Denial Of Service Cloudlink +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Information Disclosure Windows Server 2022 +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. Rated medium severity (CVSS 5.4), this vulnerability is no authentication required. No vendor patch available.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 3.7
LOW Monitor

Dell PowerProtect DD, versions prior to DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.10 contains a use of a Cryptographic Primitive with a Risky Implementation vulnerability. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Dell Information Disclosure Data Domain Operating System
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy