
This could be related to any cipher, but this is specific to some AES hardware. In this hardware, a 128-bit random number is exchanged, as one does, between hosts. Due to a hardware quirk, I can extract the last 32-bit chunk of the random number. This gives me 96 bits of "unknown random" and 32 bits of "known random".

The 96-bit search space is still huge, but I'm trying to get a feel for how compromised this implementation could be.


1 Answer


Attackwise, there's no serious approach that is significantly better than brute force (if there were, we could wrap it in a 32-bit outer exhaustive search and have a significant improvement over exhaustive attack on 128-bit AES).

In terms of the practical security against the brute force work, we note that the Bitcoin network represents a significant chunk of the world's energy output and computation. It's currently running at a rate of 1.1-1.2 zettahashes per second. If we assume we have a single matched plain and cipher and that the computation of the encryption is roughly commensurable to a SHA-256 Bitcoin block computation, then if we persuade everyone to collaborate on breaking your instance rather than mining Bitcoin, the log-seconds would be roughly $96-21\times (\log{10})/(\log 2)\approx 26.23$. This corresponds to 2-3 years. If the (lifetime-)value of your data is comparable to 2-3 years of mining every Bitcoin block, then it's not looking good.

For short-lived, low-value data, it might be worth the risk, but on the whole I'd prefer it to be fixed.

  • Note that you'd first have to build AES-specific cracking machines. I've asked experts and those hardware-based miners are only good at running double SHA-2, and on top of that they only output a result if a coin is found; there is basically very little I/O. These things are e-waste the second a new machine is slightly more energy- or time-efficient. Commented 20 hours ago
  • Actually, for such a case, the differential attack will be brutal. So, there is no known weakness for such cases for AES. Commented 20 hours ago
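The answer's cost estimate, carried through as an added worked example (not code from the original question or answer). It treats the leaked 32 bits as simply shrinking the keyspace from 128 to 96 bits, takes the answer's "one AES trial costs about one Bitcoin hash" assumption at face value, and uses a constructed hash rate of 10^21 hashes per second (the answer's 1.1-1.2 ZH/s figure rounded down); the function names are my own. The point for a defender is how the residual margin scales with the number of bits actually unknown to an attacker, which is what decides whether the quirk is a nuisance or a real exposure.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed assumption: total network rate in trials per second, roughly
# the Bitcoin hash rate quoted in the answer (10^21 H/s, i.e. 1 ZH/s).
ASSUMED_RATE_PER_SECOND = 1e21


def unknown_bits(key_bits: int, leaked_bits: int) -> int:
    """Bits an attacker still has to search after `leaked_bits` are known."""
    if not 0 <= leaked_bits <= key_bits:
        raise ValueError("leaked bits must lie between 0 and the key size")
    return key_bits - leaked_bits


def log2_seconds(bits: int, rate_per_second: float) -> float:
    """log2 of the wall-clock seconds for a full 2^bits search at `rate_per_second`.

    Matches the answer's "log-seconds" figure: bits - log2(rate).
    """
    return bits - math.log2(rate_per_second)


def full_search_years(bits: int, rate_per_second: float) -> float:
    """Years to exhaust all 2^bits candidates at the given trial rate."""
    seconds = 2.0 ** bits / rate_per_second
    return seconds / SECONDS_PER_YEAR


def expected_years(bits: int, rate_per_second: float) -> float:
    """Expected years to hit the right key: on average half the keyspace."""
    return full_search_years(bits, rate_per_second) / 2


def margin_table(key_bits: int = 128, rate_per_second: float = ASSUMED_RATE_PER_SECOND):
    """Residual search cost for increasing amounts of leaked key material."""
    rows = []
    for leaked in (0, 32, 48, 64):
        bits = unknown_bits(key_bits, leaked)
        rows.append((leaked, bits, log2_seconds(bits, rate_per_second),
                     full_search_years(bits, rate_per_second)))
    return rows


if __name__ == "__main__":
    bits = unknown_bits(128, 32)
    print(f"unknown bits: {bits}")
    print(f"log2 seconds for a full search: {log2_seconds(bits, ASSUMED_RATE_PER_SECOND):.2f}")
    print(f"full search: {full_search_years(bits, ASSUMED_RATE_PER_SECOND):.2f} years")
    print(f"expected:    {expected_years(bits, ASSUMED_RATE_PER_SECOND):.2f} years")
    print("leaked  unknown  log2(s)   years")
    for leaked, b, l2, yrs in margin_table():
        print(f"{leaked:6d}  {b:7d}  {l2:7.2f}  {yrs:10.3g}")
```

With 32 bits leaked the full 96-bit search comes out at about 2.5 years under these assumptions, in line with the answer's 2-3 year figure, while the unleaked 128-bit case is roughly 10^10 years; the table rows show that each further 16 leaked bits cuts the cost by a factor of 65536, which is why the comment thread's debate about whether miners could even be repurposed matters less than how much of the nonce the quirk really exposes.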
