Vulnerabilities (CVE)

Filtered by CWE-1394
Total 13 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-41742 1 Sprecher-automation 6 Sprecon-e-c, Sprecon-e-c Firmware, Sprecon-e-p and 3 more 2026-02-23 N/A 9.8 CRITICAL
Sprecher Automation's SPRECON-E-C, SPRECON-E-P, SPRECON-E-T3 are vulnerable to attack by an unauthorized remote attacker via default cryptographic keys. The use of these keys allows the attacker to read, modify, and write projects and data, or to access any device via remote maintenance.
CVE-2025-41744 1 Sprecher-automation 6 Sprecon-e-c, Sprecon-e-c Firmware, Sprecon-e-p and 3 more 2026-02-23 N/A 9.1 CRITICAL
Sprecher Automation's SPRECON-E series uses default cryptographic keys that allow an unprivileged remote attacker to access all encrypted communications, thereby compromising confidentiality and integrity.
CVE-2026-2215 2026-02-09 2.6 LOW 3.7 LOW
A vulnerability was detected in rachelos WeRSS we-mp-rss up to 1.4.8. This issue affects some unknown processing of the file core/auth.py of the component JWT Handler. Performing a manipulation of the argument SECRET_KEY results in use of default cryptographic key. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit is now public and may be used.
CVE-2026-25815 2026-02-06 N/A 3.2 LOW
Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers "are supposed to enable" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the "Managing FortiGates with private data encryption" document, and is therefore intentionally not a default option.
CVE-2025-55049 2025-09-11 N/A 9.1 CRITICAL
Use of Default Cryptographic Key (CWE-1394)
CVE-2025-1688 2025-09-09 N/A 5.5 MEDIUM
Milestone Systems has discovered a security vulnerability in the Milestone XProtect installer that resets the system configuration password after upgrading from older versions using specific installers. The system configuration password is an additional, optional protection that is enabled on the Management Server. To mitigate the issue, we highly recommend updating the system configuration password via the GUI with the standard procedure. Any system upgraded with the 2024 R1 or 2024 R2 release installer is vulnerable to this issue. Systems upgraded from 2023 R3 or older with version 2025 R1 and newer are not affected.
CVE-2024-11619 1 Macrozheng 1 Mall 2025-09-04 4.3 MEDIUM 5.0 MEDIUM
A vulnerability, which was classified as problematic, has been found in macrozheng mall up to 1.0.3. Affected by this issue is some unknown functionality of the component JWT Token Handler. The manipulation leads to use of default cryptographic key. The complexity of an attack is rather high. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. Instead the issue posted on GitHub got deleted without any explanation.
CVE-2024-48956 2025-08-27 N/A 9.8 CRITICAL
Serviceware Processes 6.0 through 7.3 before 7.4 allows attackers without valid authentication to send a specially crafted HTTP request to a service endpoint resulting in remote code execution.
CVE-2025-44954 1 Commscope 30 Ruckus C110, Ruckus E510, Ruckus H320 and 27 more 2025-08-07 N/A 9.0 CRITICAL
RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build has a hardcoded SSH private key for a root-equivalent user account.
CVE-2025-26849 1 Docusnap 1 Docusnap 2025-07-07 N/A 4.3 MEDIUM
There is a Hard-coded Cryptographic Key in Docusnap 13.0.1440.24261, and earlier and later versions. This key can be used to decrypt inventory files that contain sensitive information such as firewall rules.
CVE-2023-6451 1 Alayacare 1 Procura 2025-01-09 N/A 8.6 HIGH
Publicly known cryptographic machine key in AlayaCare's Procura Portal before 9.0.1.2 allows attackers to forge their own authentication cookies and bypass the application's authentication mechanisms.
CVE-2024-1275 2024-11-21 N/A N/A
Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation. This issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52.
CVE-2024-10748 1 Cosmote 1 What's Up 2024-11-06 1.0 LOW 4.7 MEDIUM
A vulnerability, which was classified as problematic, has been found in Cosmote Greece What's Up App 4.47.3 on Android. This issue affects some unknown processing of the file gr/desquared/kmmsharedmodule/db/RealmDB.java of the component Realm Database Handler. The manipulation of the argument defaultRealmKey leads to use of default cryptographic key. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.