Monthly
Use of a hard-coded, device-shared cryptographic private key in TP-Link Kasa EC71 v4 and EC70 v4 camera firmware lets an adjacent-network attacker impersonate the device's web management service and break its transport encryption. Because the same private key is baked into every unit's read-only filesystem, anyone who extracts it from one firmware image can passively decrypt or actively man-in-the-middle traffic to any other device on the local network without authentication. TP-Link (the reporting vendor) has released fixed firmware; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV.
Authentication bypass in Flowise 3.0.13 and earlier lets remote unauthenticated attackers forge valid JWTs and impersonate any user, including administrators, because the enterprise passport authentication middleware silently falls back to publicly known hardcoded secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER') whenever the JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER environment variables are unset. Reported by VulnCheck and rated CVSS 4.0 9.3 (Critical), it grants full account takeover, though there is no public exploit identified at time of analysis and no CISA KEV listing.
Authentication bypass in DataEase before 2.10.24 lets remote attackers forge valid share-link JWTs because ShareSecretManage ships with a hardcoded signature key (link-pwd-fit2cloud). An attacker who has obtained any passwordless share can mint linkToken JWTs that pass TokenFilter verification and access backend resources as the original share creator, even after that share has been revoked. There is no public exploit identified at time of analysis, but the hardcoded key is disclosed in the advisory, making forgery trivial once the signing algorithm is known.
Unauthenticated backdoor in the WordPress "Enable CORS" plugin (versions <= 2.0.3) lets remote attackers leverage a hard-coded cryptographic key (CWE-321) to bypass access controls and read or alter protected data without any credentials. Reported by Patchstack and tagged as Information Disclosure, the issue carries a CVSS 7.4; no public exploit and no CISA KEV listing exist at the time of analysis, and despite the network attack vector the CVSS marks high attack complexity, indicating exploitation is non-trivial.
Cleartext recovery of Setracker2 GPS-watch traffic is possible because the com.tgelec.setracker Android companion app (versions 3.1.5 and prior) protects watch-to-backend requests with static, hardcoded AES keys and initialization vectors. Any attacker who can observe the encrypted traffic - or who extracts the keys from the freely distributed APK - can decrypt communications between the wearable tracker and its cloud backend, exposing location and account data of the (frequently child) wearers. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a single SHA-1 hash and RC4 decryption operation, with no brute force required.
Authentication bypass in NetComm NF20MESH routers (firmware R6B031 and earlier) allows unauthenticated remote attackers to forge valid encrypted session cookies using a hardcoded AES-256 key embedded in the firmware, granting full administrative control of the web management interface. The root cause is CWE-321 (Use of Hard-coded Cryptographic Key): because the same static AES-256 key is shared across all devices, any attacker who extracts it from firmware can impersonate any session. Exploitation requires an active administrator session and network reachability to the management interface; no KEV listing or confirmed public exploit exists at time of analysis, though the hardcoded-key nature makes the attack highly automatable once the key is disclosed.
Hard-coded cryptographic keys embedded in Canon EOS Network Setting Tool version 1.5.0 and earlier expose static decryption material to any local system user, enabling unauthorized decryption of protected network traffic or configuration data exchanged between the tool and Canon EOS cameras. The flaw is CWE-321 (Use of Hard-coded Cryptographic Key) and is classified as an information disclosure vulnerability with high confidentiality impact, bounded by the requirement for local system access. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
Hard-coded cryptographic key exposure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables local attackers to decrypt sensitive licensing and configuration data for vault room and safe deposit locker systems. The static key, embedded in SafeSystem.Infrastructure.Security.dll, can be recovered through standard reverse engineering, then used to decrypt the licence.whs file - which itself contains a second key granting access to additional configuration files. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code is known at time of analysis; however, the attack requires only low-privilege local file access and straightforward tooling, making it realistic for any insider or attacker who achieves filesystem access.
Cryptographic key disclosure in Wertheim SafeController Family 65000 (AssemblyVersion 6.11.8130.22319), a microcontroller-based safe deposit locker system, allows adjacent attackers to decrypt protected communications. The device uses a weak custom (proprietary) cryptographic algorithm with hard-coded keys, and researchers at SEC-VLab demonstrated both breaking the encryption routine and recovering the key by intercepting sufficient traffic. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Use of a hard-coded, device-shared cryptographic private key in TP-Link Kasa EC71 v4 and EC70 v4 camera firmware lets an adjacent-network attacker impersonate the device's web management service and break its transport encryption. Because the same private key is baked into every unit's read-only filesystem, anyone who extracts it from one firmware image can passively decrypt or actively man-in-the-middle traffic to any other device on the local network without authentication. TP-Link (the reporting vendor) has released fixed firmware; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV.
Authentication bypass in Flowise 3.0.13 and earlier lets remote unauthenticated attackers forge valid JWTs and impersonate any user, including administrators, because the enterprise passport authentication middleware silently falls back to publicly known hardcoded secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER') whenever the JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER environment variables are unset. Reported by VulnCheck and rated CVSS 4.0 9.3 (Critical), it grants full account takeover, though there is no public exploit identified at time of analysis and no CISA KEV listing.
Authentication bypass in DataEase before 2.10.24 lets remote attackers forge valid share-link JWTs because ShareSecretManage ships with a hardcoded signature key (link-pwd-fit2cloud). An attacker who has obtained any passwordless share can mint linkToken JWTs that pass TokenFilter verification and access backend resources as the original share creator, even after that share has been revoked. There is no public exploit identified at time of analysis, but the hardcoded key is disclosed in the advisory, making forgery trivial once the signing algorithm is known.
Unauthenticated backdoor in the WordPress "Enable CORS" plugin (versions <= 2.0.3) lets remote attackers leverage a hard-coded cryptographic key (CWE-321) to bypass access controls and read or alter protected data without any credentials. Reported by Patchstack and tagged as Information Disclosure, the issue carries a CVSS 7.4; no public exploit and no CISA KEV listing exist at the time of analysis, and despite the network attack vector the CVSS marks high attack complexity, indicating exploitation is non-trivial.
Cleartext recovery of Setracker2 GPS-watch traffic is possible because the com.tgelec.setracker Android companion app (versions 3.1.5 and prior) protects watch-to-backend requests with static, hardcoded AES keys and initialization vectors. Any attacker who can observe the encrypted traffic - or who extracts the keys from the freely distributed APK - can decrypt communications between the wearable tracker and its cloud backend, exposing location and account data of the (frequently child) wearers. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a single SHA-1 hash and RC4 decryption operation, with no brute force required.
Authentication bypass in NetComm NF20MESH routers (firmware R6B031 and earlier) allows unauthenticated remote attackers to forge valid encrypted session cookies using a hardcoded AES-256 key embedded in the firmware, granting full administrative control of the web management interface. The root cause is CWE-321 (Use of Hard-coded Cryptographic Key): because the same static AES-256 key is shared across all devices, any attacker who extracts it from firmware can impersonate any session. Exploitation requires an active administrator session and network reachability to the management interface; no KEV listing or confirmed public exploit exists at time of analysis, though the hardcoded-key nature makes the attack highly automatable once the key is disclosed.
Hard-coded cryptographic keys embedded in Canon EOS Network Setting Tool version 1.5.0 and earlier expose static decryption material to any local system user, enabling unauthorized decryption of protected network traffic or configuration data exchanged between the tool and Canon EOS cameras. The flaw is CWE-321 (Use of Hard-coded Cryptographic Key) and is classified as an information disclosure vulnerability with high confidentiality impact, bounded by the requirement for local system access. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
Hard-coded cryptographic key exposure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables local attackers to decrypt sensitive licensing and configuration data for vault room and safe deposit locker systems. The static key, embedded in SafeSystem.Infrastructure.Security.dll, can be recovered through standard reverse engineering, then used to decrypt the licence.whs file - which itself contains a second key granting access to additional configuration files. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code is known at time of analysis; however, the attack requires only low-privilege local file access and straightforward tooling, making it realistic for any insider or attacker who achieves filesystem access.
Cryptographic key disclosure in Wertheim SafeController Family 65000 (AssemblyVersion 6.11.8130.22319), a microcontroller-based safe deposit locker system, allows adjacent attackers to decrypt protected communications. The device uses a weak custom (proprietary) cryptographic algorithm with hard-coded keys, and researchers at SEC-VLab demonstrated both breaking the encryption routine and recovering the key by intercepting sufficient traffic. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.