Keyfactor
Products by Keyfactor Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 0 vulnerabilities in Keyfactor. Last year, in 2025, Keyfactor had 1 security vulnerability published. Right now, Keyfactor is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 4.70 |
| 2024 | 3 | 6.03 |
| 2023 | 1 | 8.20 |
| 2022 | 2 | 5.40 |
It may take a day or so for new Keyfactor vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Keyfactor Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-11073 | Sep 27, 2025 | **Command Injection in EW5100BE HTTP POST Handler (pre v3.0B11).** A vulnerability was detected in Keyfactor RG-EW5100BE EW_3.0B11P280_EW5100BE-PRO_12183019. The affected element is an unknown function of the file /cgi-bin/luci/api/cmd of the component HTTP POST Request Handler. Manipulation of the argument url results in command injection. The attack can be launched remotely. The exploit is now public and may be used. | |
| CVE-2024-36066 | Sep 12, 2024 | **KeyFactor EJBCA CMP CLI <8-octet salt (v<8.3.1).** The CMP CLI client in KeyFactor EJBCA before 8.3.1 has only 6 octets of salt, and is thus not compliant with the security requirements of RFC 4211, and might make man-in-the-middle attacks easier. CMP includes password-based MAC as one of the options for message integrity and authentication (the other option is certificate-based). RFC 4211 section 4.4 requires that password-based MAC parameters use a salt with a random value of at least 8 octets. This helps to inhibit dictionary attacks. Because the standalone CMP client originally was developed as test code, the salt was instead hardcoded and only 6 octets long. | |
| CVE-2024-42006 | Aug 20, 2024 | **Keyfactor AWS Orchestrator <=2.0 Info Disclosure.** Keyfactor AWS Orchestrator through 2.0 allows Information Disclosure. | |
| CVE-2024-34458 | Aug 20, 2024 | **Keyfactor Command SQL Injection before 10.5.1 / 11.5.1 Info Disclosure.** Keyfactor Command 10.5.x before 10.5.1 and 11.5.x before 11.5.1 allows SQL Injection which could result in information disclosure. | |
| CVE-2023-34196 | Aug 03, 2023 | **Keyfactor EJBCA <8.0.0 RA Servlet DoS & Unauthorized CA Disclosure.** In Keyfactor EJBCA before 8.0.0, the RA web certificate distribution servlet /ejbca/ra/cert allows partial denial of service due to an authentication issue. In configurations using OAuth, disclosure of CA certificates (attributes and public keys) to unauthenticated or less privileged users may occur. | |
| CVE-2022-42954 | Nov 17, 2022 | **EJBCA XSS via uncontrolled input before 7.10.0.** Keyfactor EJBCA before 7.10.0 allows XSS. | |
| CVE-2022-39834 | Nov 17, 2022 | **EJBCA XSS via adminweb/ra/viewendentity.jsp through 7.9.0.2.** A stored XSS vulnerability was discovered in adminweb/ra/viewendentity.jsp in PrimeKey EJBCA through 7.9.0.2. A low-privilege user can store JavaScript in order to exploit a higher-privilege user. | |