License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded 2048-bit RSA private key (TEST_PRIVATE_KEY) shipped in crates/appauth/src/token.rs and used in production by parse_license() to verify license tokens. Any attacker who can read the public repository or extract the key from a compiled binary can mint arbitrary license tokens with any subject and expiration, defeating the license feature entirely. No public exploit identified at time of analysis, though the key material is trivially recoverable from the open-source code.
Unauthenticated remote database access in Delta Electronics DIAView allows network-based attackers to reach configured project databases without credentials, bypassing the prior mitigation issued for CVE-2025-62582. The flaw carries a CVSS 9.8 rating with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the original CVE it incompletely patches has known prior research from Tenable.
Host impersonation and machine-in-the-middle attacks against NVIDIA DGX OS systems are possible because the factory provisioning process clones a base image that ships identical SSH host keys onto every similarly provisioned system, primarily affecting DGX Spark deployments. With a CVSS of 8.1 and a CWE-321 (Use of Hard-Coded Cryptographic Key) root cause, an unauthenticated network attacker who possesses the shared key material from any one device can impersonate peers, potentially leading to code execution, data tampering, privilege escalation, information disclosure, or denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz versions before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Hard-coded cryptographic key in Sanluan PublicCMS 5.202506.d allows remote attackers to compromise data integrity through the SafeConfigComponent's getSignKey function. The vulnerability (CWE-321) enables manipulation of the privatefile_key argument, permitting unauthenticated network-based attacks with low complexity. Public exploit code is available per VulDB submission 809917, significantly lowering the skill barrier for exploitation despite the medium CVSS 5.5 score. EPSS data unavailable; not listed in CISA KEV, suggesting targeted rather than widespread exploitation at time of analysis.
ELECOM wireless LAN access point devices WRC-X1800GS-B, WRC-X3000GS2 series, WRC-X6000QS series, and related models use a hard-coded cryptographic key to encrypt configuration file backups. An attacker who obtains a backup file can decrypt and modify the configuration using the publicly known key, then trick a network administrator into restoring the malicious configuration, enabling complete compromise of network settings. This requires user interaction (administrator deploying a crafted backup) but no authentication, making it a practical attack vector for supply-chain compromise or insider threats. CVSS 6.5 (Medium) reflects the high integrity impact balanced against the requirement for administrator interaction.
Fortinet FortiClient Windows versions 7.2 (all) and 7.4.0 through 7.4.2 contain a hard-coded cryptographic key vulnerability that allows high-privileged local attackers to disclose sensitive information. The vulnerability requires local access and administrator-level privileges, limiting its real-world exploitation scope to threats already present on compromised systems or malicious insiders. No public exploit code or active exploitation has been confirmed at the time of analysis.
Predictable Technical Service credentials derived from a CRC16-based algorithm and the device serial number enable authentication bypass in Siemens blueplanet solar inverters and hybrid systems. Unauthenticated attackers on an adjacent network can calculate valid service credentials from publicly observable serial numbers, gaining unauthorized administrative access to compromise device integrity and availability. Affects 23 blueplanet product families including TL3, NX3, NH3, and gridsafe variants across industrial solar installations. Patches have been released for GEN2 models (V6.1.4.9) and gridsafe variants (V3.91), but legacy first-generation TL3/NX3/NH3 models remain unpatched with no vendor-provided fix versions.
Remote unauthenticated attackers can decrypt user credentials and hijack IoT device sessions in Meari SDK-based mobile applications (CloudEdge, Arenti, white-label apps) by exploiting hardcoded cryptographic keys shared across all installations. The SDK embeds API signing secrets, password-transport encryption keys, and service access tokens in application binaries, enabling adversaries to intercept and decrypt account credentials in transit, forge authenticated API requests, and potentially access cloud services without user authentication. No public exploit code identified at time of analysis; the EPSS score is low, and so is exploitation complexity given the static nature of hardcoded secrets.
Remote unauthenticated attackers can forge JWT authentication tokens in AstrBot 3.5.15 by exploiting a hardcoded private key ('Advanced_System_for_Text_Response_and_Bot_Operations_Tool'), enabling full authentication bypass with subsequent remote code execution capabilities. Public exploit code exists on GitHub (Marven11/CVE-2025-55449-AstrBot-RCE) demonstrating weaponization of this cryptographic flaw. EPSS score of 0.00% suggests limited automated scanning activity, but the availability of working RCE exploit code significantly elevates practical risk for exposed instances.