Private Key File Detected

Severity: High | Web App Scanning | Plugin ID 115111

Synopsis

Private Key File Detected

Description

Private keys are the secret half of the key pairs that secure communications in protocols such as SSL/TLS and SSH and that sign authentication tokens such as JWTs. If a private key is exposed, an attacker can impersonate the server, decrypt sensitive communications, or forge authentication tokens to gain unauthorized access to systems and data.

Solution

Immediately rotate and revoke the exposed private key. Remove the private key file from the publicly accessible location and store it in a secure vault or secrets management system (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault). Restrict file system permissions so that only the service that needs the key can read it. Review access and authentication logs for any unauthorized use of the compromised key.
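As an added example (not part of the Tenable plugin), a defender-side check that walks a web root for files containing PEM private key blocks and reports the key type, whether the block is passphrase-protected, and whether the file is world-readable. The sample web root, file names and key contents are constructed placeholders.

```python
import os
import re
import stat
import tempfile
# PEM header of any private key block; the captured label names the key format.
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]*?PRIVATE KEY)-----")

def scan_webroot(root: str) -> list[dict]:
    """Walk a web root and report every file that contains a PEM private key."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(65536)  # keys are small; no need to read whole files
            except OSError:
                continue
            m = PEM_BEGIN.search(head)
            if m is None:
                continue
            label = m.group(1).decode()
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "type": label,
                # PKCS#8 encrypted keys carry their own label; legacy PEM uses Proc-Type
                "encrypted": label == "ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in head,
                "world_readable": bool(os.stat(path).st_mode & stat.S_IROTH),
            })
    return sorted(findings, key=lambda f: f["path"])

def fake_pem(label: str) -> bytes:
    """Constructed placeholder block with a real header line; not a real key."""
    return f"-----BEGIN {label}-----\nPLACEHOLDER\n-----END {label}-----\n".encode()

def demo() -> list[dict]:
    """Constructed web root with two leaked key files and one harmless file."""
    root = tempfile.mkdtemp()
    samples = {
        "backup/server.key": (fake_pem("RSA PRIVATE KEY"), 0o644),
        ".ssh/id_ed25519": (fake_pem("OPENSSH PRIVATE KEY"), 0o600),
        "index.html": (b"<html>no key here</html>\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)
    return scan_webroot(root)
```

Run `scan_webroot` against the real document root; any finding means the key must be rotated and removed as described above, regardless of its permission bits.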

See Also

https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html

https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html

Plugin Details

Severity: High

ID: 115111

Type: remote

Published: 1/15/2026

Updated: 1/15/2026

Scan Template: api, basic, full, pci, scan

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable
