Cyber Resilience


CWE-321: Use of Hard-coded Cryptographic Key

Abstraction: Variant · CVEs in our corpus: 301

The product uses a hard-coded, unchangeable cryptographic key.

Last updated: 04 July 2026 14:16 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 4 mapping(s) from 2 framework(s): ATT&CK 3 (mostly) · OWASP-Web 1 (full)


OWASP Top 10 for Web (2025)

This weakness contributes to A04:2025 Cryptographic Failures.

NIST 800-53 r5 controls that address this weakness (5) AI

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-12 | Supply Chain Protection | SA | Supply chain protection includes scrutiny of cryptographic implementations, reducing hard-coded keys planted by untrusted vendors. |
| SA-4 | Acquisition Process | SA | Functional and assurance requirements specified in acquisition can prohibit hard-coded cryptographic keys in delivered products. |
| SC-12 | Cryptographic Key Establishment and Management | SC | Proper key establishment and management processes directly preclude embedding static cryptographic keys in source code or binaries. |
| SC-17 | Public Key Infrastructure Certificates | SC | Approved PKI issuance and trust stores replace ad-hoc or hard-coded keys with properly managed, signed certificates. |
| SR-6 | Supplier Assessments and Reviews | SR | Assessments can uncover and prevent suppliers from shipping components that contain hard-coded cryptographic keys. |

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2016-4437 KEV | 10.0 | 9.8 | 0.9314 | 2016-06-07 |
| CVE-2025-30406 KEV | 10.0 | 9.0 | 0.9273 | 2025-04-03 |
| CVE-2023-32169 | 8.0 | 9.8 | 0.5606 | 2024-05-03 |
| CVE-2017-7574 | 7.0 | 9.8 | 0.0124 | 2017-04-06 |
| CVE-2017-14021 | 7.0 | 9.8 | 0.0192 | 2017-11-01 |
| CVE-2016-9335 | 7.0 | 10.0 | 0.0156 | 2018-05-09 |
| CVE-2018-0040 | 7.0 | 9.8 | 0.0143 | 2018-07-11 |
| CVE-2019-19750 | 7.0 | 9.8 | 0.0113 | 2019-12-12 |
| CVE-2020-6990 | 7.0 | 9.8 | 0.0423 | 2020-03-16 |
| CVE-2020-2500 | 7.0 | 9.8 | 0.0075 | 2020-07-01 |
| CVE-2021-27389 | 7.0 | 9.8 | 0.0103 | 2021-04-22 |
| CVE-2021-32520 | 7.0 | 9.8 | 0.0103 | 2021-07-07 |
| CVE-2021-40119 | 7.0 | 9.8 | 0.0242 | 2021-11-04 |
| CVE-2022-22987 | 7.0 | 9.8 | 0.0121 | 2022-02-04 |
| CVE-2022-0664 | 7.0 | 9.8 | 0.0167 | 2022-02-18 |
| CVE-2022-29186 | 7.0 | 9.1 | 0.0110 | 2022-05-20 |
| CVE-2022-29830 | 7.0 | 9.1 | 0.0121 | 2022-11-25 |
| CVE-2022-2641 | 7.0 | 9.8 | 0.0054 | 2022-12-02 |
| CVE-2022-2660 | 7.0 | 9.8 | 0.0062 | 2022-12-13 |
| CVE-2023-27583 | 7.0 | 9.8 | 0.0088 | 2023-03-13 |
| CVE-2023-2158 | 7.0 | 9.8 | 0.0062 | 2023-04-27 |
| CVE-2023-3632 | 7.0 | 9.8 | 0.0064 | 2023-08-09 |
| CVE-2023-48392 | 7.0 | 9.8 | 0.0057 | 2023-12-15 |
| CVE-2024-1631 UPD | 7.0 | 9.1 | 0.0088 | 2024-02-21 |
| CVE-2024-2413 UPD | 7.0 | 9.8 | 0.0057 | 2024-03-13 |