Cyber Resilience

CVE-2026-33362

High

Published: 11 May 2026

Published
11 May 2026
Modified
13 May 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0024 15.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33362 is a high-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Runzero (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552); ranked at the 15.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Hardcoded API/service keys directly constitute unsecured credentials that can be trivially extracted and abused for unauthorized access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31986Shared CWE-321
CVE-2024-54027Shared CWE-321
CVE-2026-2103Shared CWE-321
CVE-2026-33266Shared CWE-321
CVE-2024-33504Shared CWE-321
CVE-2026-22586Shared CWE-321
CVE-2025-34217Shared CWE-321
CVE-2025-67305Shared CWE-321
CVE-2025-27674Shared CWE-321
CVE-2025-55619Shared CWE-321

Affected Assets

Runzero
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-321

Supply chain protection includes scrutiny of cryptographic implementations, reducing hard-coded keys planted by untrusted vendors.

addresses: CWE-321

Functional and assurance requirements specified in acquisition can prohibit hard-coded cryptographic keys in delivered products.

addresses: CWE-321

Proper key establishment and management processes directly preclude embedding static cryptographic keys in source code or binaries.

addresses: CWE-321

Approved PKI issuance and trust stores replace ad-hoc or hard-coded keys with properly managed, signed certificates.

addresses: CWE-321

Assessments can uncover and prevent suppliers from shipping components that contain hard-coded cryptographic keys.

References