CVE-2021-32520
Published: 07 July 2021
Summary
CVE-2021-32520 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Qsan Storage Manager. Its CVSS base score is 9.8 (Critical).
Operationally, ranked at the 42.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-19366
Vulnerability details
Use of hard-coded cryptographic key vulnerability in QSAN Storage Manager allows attackers to obtain users’ credentials and related permissions. Suggest contacting with QSAN and refer to recommendations in QSAN Document.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Supplier evaluation and secure acquisition practices make it harder for hard-coded credentials to be introduced via procured products.
Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components.
Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services.
Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
Security training explicitly warns against hard-coded credentials, lowering their use in systems.
Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
External identity providers eliminate the need for hard-coded credentials in applications.
Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.