The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

What CVEs are caused by CWE-325?

44 recorded CVEs are attributed to CWE-325, including CVE-2022-24116, CVE-2020-15086, CVE-2026-22863.

Is CWE-325 part of the OWASP Top 10?

CWE-325 maps to OWASP Top Ten 2007: Insecure Cryptographic Storage (A8) in the OWASP security taxonomy.

How is CWE-325 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-325?

Exploiting CWE-325 can lead to: Bypass Protection Mechanism, Read Application Data, Modify Application Data, Hide Activities.

Is CWE-325 actively exploited?

44 recorded CVEs are caused by CWE-325; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-325: Missing Cryptographic Step

44 recorded CVEs are caused by CWE-325 (Missing Cryptographic Step). The highest-severity and most recent are shown first. 12 new CWE-325 CVEs have been recorded so far in 2026 (7 in 2025).

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The example code is taken from the HMAC engine inside the buggy OpenPiton SoC of HACK@DAC'21 [REF-1358]. HAMC is a message authentication code (MAC) that uses both a hash and a secret crypto key. The HMAC engine in HACK@DAC SoC uses the SHA-256 module for the calculation of the HMAC for 512 bits messages.

Vulnerable example

verilog

.clk_i(clk_i),

CWE-325: Missing Cryptographic Step

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-325?

What CVEs are caused by CWE-325?

Is CWE-325 part of the OWASP Top 10?

How is CWE-325 detected?

What are the consequences of CWE-325?

Is CWE-325 actively exploited?

References

Stay ahead of CWE-325

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Peer

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-325?

What CVEs are caused by CWE-325?

Is CWE-325 part of the OWASP Top 10?

How is CWE-325 detected?

What are the consequences of CWE-325?

Is CWE-325 actively exploited?

References

Stay ahead of CWE-325