CWE · MITRE source
CWE-321: Use of Hard-coded Cryptographic Key
The product uses a hard-coded, unchangeable cryptographic key.
Last updated: 04 July 2026 14:16 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 4 mapping(s) from 2 framework(s): ATT&CK 3 (mostly) · OWASP-Web 1 (full)
OWASP Top 10 for Web (2025)
This weakness contributes to A04:2025 Cryptographic Failures.
NIST 800-53 r5 controls that address this weakness (5)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-12 | Supply Chain Protection | SA | Supply chain protection includes scrutiny of cryptographic implementations, reducing hard-coded keys planted by untrusted vendors. |
| SA-4 | Acquisition Process | SA | Functional and assurance requirements specified in acquisition can prohibit hard-coded cryptographic keys in delivered products. |
| SC-12 | Cryptographic Key Establishment and Management | SC | Proper key establishment and management processes directly preclude embedding static cryptographic keys in source code or binaries. |
| SC-17 | Public Key Infrastructure Certificates | SC | Approved PKI issuance and trust stores replace ad-hoc or hard-coded keys with properly managed, signed certificates. |
| SR-6 | Supplier Assessments and Reviews | SR | Assessments can uncover and prevent suppliers from shipping components that contain hard-coded cryptographic keys. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2016-4437 KEV | 10.0 | 9.8 | 0.9314 | 2016-06-07 |
| CVE-2025-30406 KEV | 10.0 | 9.0 | 0.9273 | 2025-04-03 |
| CVE-2023-32169 | 8.0 | 9.8 | 0.5606 | 2024-05-03 |
| CVE-2017-7574 | 7.0 | 9.8 | 0.0124 | 2017-04-06 |
| CVE-2017-14021 | 7.0 | 9.8 | 0.0192 | 2017-11-01 |
| CVE-2016-9335 | 7.0 | 10.0 | 0.0156 | 2018-05-09 |
| CVE-2018-0040 | 7.0 | 9.8 | 0.0143 | 2018-07-11 |
| CVE-2019-19750 | 7.0 | 9.8 | 0.0113 | 2019-12-12 |
| CVE-2020-6990 | 7.0 | 9.8 | 0.0423 | 2020-03-16 |
| CVE-2020-2500 | 7.0 | 9.8 | 0.0075 | 2020-07-01 |
| CVE-2021-27389 | 7.0 | 9.8 | 0.0103 | 2021-04-22 |
| CVE-2021-32520 | 7.0 | 9.8 | 0.0103 | 2021-07-07 |
| CVE-2021-40119 | 7.0 | 9.8 | 0.0242 | 2021-11-04 |
| CVE-2022-22987 | 7.0 | 9.8 | 0.0121 | 2022-02-04 |
| CVE-2022-0664 | 7.0 | 9.8 | 0.0167 | 2022-02-18 |
| CVE-2022-29186 | 7.0 | 9.1 | 0.0110 | 2022-05-20 |
| CVE-2022-29830 | 7.0 | 9.1 | 0.0121 | 2022-11-25 |
| CVE-2022-2641 | 7.0 | 9.8 | 0.0054 | 2022-12-02 |
| CVE-2022-2660 | 7.0 | 9.8 | 0.0062 | 2022-12-13 |
| CVE-2023-27583 | 7.0 | 9.8 | 0.0088 | 2023-03-13 |
| CVE-2023-2158 | 7.0 | 9.8 | 0.0062 | 2023-04-27 |
| CVE-2023-3632 | 7.0 | 9.8 | 0.0064 | 2023-08-09 |
| CVE-2023-48392 | 7.0 | 9.8 | 0.0057 | 2023-12-15 |
| CVE-2024-1631 UPD | 7.0 | 9.1 | 0.0088 | 2024-02-21 |
| CVE-2024-2413 UPD | 7.0 | 9.8 | 0.0057 | 2024-03-13 |