CWE-259
Use of Hard-coded Password
Description
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (77)
page 1 of 4| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-8730 | Cri | 0.70 | 9.8 | 0.03 | Aug 8, 2025 | A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The… | ||
| CVE-2026-35905 | Cri | 0.64 | 9.8 | 0.00 | Jun 4, 2026 | T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 were discovered to contain a hardcoded password for root access under the "superadmin" account. | ||
| CVE-2026-7251 | Cri | 0.64 | 9.8 | 0.01 | May 26, 2026 | Eppendorf BioFlo 320 is vulnerable due to VNC server using a hard-coded password. If a remote attacker knows the network address of any BioFlo 320 model with remote access enabled, they can gain full control of the user interface by using this password. Once connected, the… | ||
| CVE-2025-70041 | Cri | 0.64 | 9.8 | 0.00 | Mar 11, 2026 | An issue pertaining to CWE-259: Use of Hard-coded Password was discovered in oslabs-beta ThermaKube master. | ||
| CVE-2025-11126 | Cri | 0.64 | 9.8 | 0.01 | Sep 29, 2025 | A security flaw has been discovered in Apeman ID71 218.53.203.117. This vulnerability affects unknown code of the file /system/www/system.ini. The manipulation results in hard-coded credentials. The attack may be performed from remote. The exploit has been released to the public… | ||
| CVE-2024-4996 | Cri | 0.64 | 9.8 | 0.01 | Dec 18, 2024 | Use of a hard-coded password for a database administrator account created during Wapro ERP installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is same among all Wapro ERP installations. This issue affects Wapro ERP Desktop… | ||
| CVE-2024-25825 | Cri | 0.64 | 9.8 | 0.01 | Oct 9, 2024 | FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 17.1 R114, and OpenFyde R114 were discovered to be configured with the root password saved as a wildcard. This allows attackers to gain root access without a password. | ||
| CVE-2024-27488 | Cri | 0.64 | 9.8 | 0.01 | Apr 8, 2024 | Incorrect Access Control vulnerability in ZLMediaKit versions 1.0 through 8.0, allows remote attackers to escalate privileges and obtain sensitive information. The application system enables the http API interface by default and uses the secret parameter method to authenticate… | ||
| CVE-2017-6022 | Cri | 0.64 | 9.8 | 0.02 | Jun 30, 2017 | A hard-coded password issue was discovered in Becton, Dickinson and Company (BD) PerformA, Version 2.0.14.0 and prior versions, and KLA Journal Service, Version 1.0.51 and prior versions. They use hard-coded passwords to access the BD Kiestra Database, which could be leveraged… | ||
| CVE-2016-9358 | Cri | 0.64 | 9.8 | 0.02 | Jun 30, 2017 | A Hard-Coded Passwords issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check Bin Grader, FlowlineQC T376, IPM3 Dual Cam v132, IPM3 Dual Cam v139, IPM3 Single… | ||
| CVE-2024-34539 | Cri | 0.61 | 9.4 | 0.01 | Jun 14, 2024 | Hardcoded credentials in TerraMaster TOS firmware through 5.1 allow a remote attacker to successfully login to the mail or webmail server. These credentials can also be used to login to the administration panel and to perform privileged actions. | ||
| CVE-2026-4475 | Hig | 0.57 | 8.8 | 0.00 | Mar 20, 2026 | A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The… | ||
| CVE-2026-2616 | Hig | 0.57 | 8.8 | 0.01 | Feb 17, 2026 | A vulnerability has been found in Beetel 777VR1 up to 01.00.09. The impacted element is an unknown function of the component Web Management Interface. The manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has… | ||
| CVE-2025-14126 | Hig | 0.57 | 8.8 | 0.00 | Dec 6, 2025 | A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been… | ||
| CVE-2025-30106 | Hig | 0.57 | 8.8 | 0.00 | Mar 18, 2025 | On IROAD v9 devices, the dashcam has hardcoded default credentials ("qwertyuiop") that cannot be changed by the user. This allows an attacker within Wi-Fi range to connect to the device's network to perform sniffing. | ||
| CVE-2023-49963 | Hig | 0.57 | 8.8 | 0.00 | Apr 19, 2024 | DYMO LabelWriter Print Server through 2.366 contains a backdoor hard-coded password that could allow an attacker to take control. | ||
| CVE-2025-70802 | Hig | 0.55 | 8.4 | 0.00 | Mar 10, 2026 | Tenda G1V3.1si V16.01.7.8 Firmware V16.01.7.8 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root. | ||
| CVE-2025-70798 | Hig | 0.55 | 8.4 | 0.00 | Mar 10, 2026 | Tenda i24V3.0si V3.0.0.5 Firmware V3.0.0.5 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root. | ||
| CVE-2025-3920 | Hig | 0.55 | — | 0.00 | Jul 7, 2025 | A vulnerability was identified in SUR-FBD CMMS where hard-coded credentials were found within a compiled DLL file. These credentials correspond to a built-in administrative account of the software. An attacker with local access to the system or the application's installation… | ||
| CVE-2025-54754 | — | Hig | 0.52 | 8.0 | 0.00 | Sep 18, 2025 | An attacker with adjacent access, without authentication, can exploit this vulnerability to retrieve a hard-coded password embedded in publicly available software. This password can then be used to decrypt sensitive network traffic, affecting the Cognex device. |
- risk 0.70cvss 9.8epss 0.03
A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The…
- risk 0.64cvss 9.8epss 0.00
T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 were discovered to contain a hardcoded password for root access under the "superadmin" account.
- risk 0.64cvss 9.8epss 0.01
Eppendorf BioFlo 320 is vulnerable due to VNC server using a hard-coded password. If a remote attacker knows the network address of any BioFlo 320 model with remote access enabled, they can gain full control of the user interface by using this password. Once connected, the…
- risk 0.64cvss 9.8epss 0.00
An issue pertaining to CWE-259: Use of Hard-coded Password was discovered in oslabs-beta ThermaKube master.
- risk 0.64cvss 9.8epss 0.01
A security flaw has been discovered in Apeman ID71 218.53.203.117. This vulnerability affects unknown code of the file /system/www/system.ini. The manipulation results in hard-coded credentials. The attack may be performed from remote. The exploit has been released to the public…
- risk 0.64cvss 9.8epss 0.01
Use of a hard-coded password for a database administrator account created during Wapro ERP installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is same among all Wapro ERP installations. This issue affects Wapro ERP Desktop…
- risk 0.64cvss 9.8epss 0.01
FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 17.1 R114, and OpenFyde R114 were discovered to be configured with the root password saved as a wildcard. This allows attackers to gain root access without a password.
- risk 0.64cvss 9.8epss 0.01
Incorrect Access Control vulnerability in ZLMediaKit versions 1.0 through 8.0, allows remote attackers to escalate privileges and obtain sensitive information. The application system enables the http API interface by default and uses the secret parameter method to authenticate…
- risk 0.64cvss 9.8epss 0.02
A hard-coded password issue was discovered in Becton, Dickinson and Company (BD) PerformA, Version 2.0.14.0 and prior versions, and KLA Journal Service, Version 1.0.51 and prior versions. They use hard-coded passwords to access the BD Kiestra Database, which could be leveraged…
- risk 0.64cvss 9.8epss 0.02
A Hard-Coded Passwords issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check Bin Grader, FlowlineQC T376, IPM3 Dual Cam v132, IPM3 Dual Cam v139, IPM3 Single…
- risk 0.61cvss 9.4epss 0.01
Hardcoded credentials in TerraMaster TOS firmware through 5.1 allow a remote attacker to successfully login to the mail or webmail server. These credentials can also be used to login to the administration panel and to perform privileged actions.
- risk 0.57cvss 8.8epss 0.00
A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The…
- risk 0.57cvss 8.8epss 0.01
A vulnerability has been found in Beetel 777VR1 up to 01.00.09. The impacted element is an unknown function of the component Web Management Interface. The manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has…
- risk 0.57cvss 8.8epss 0.00
A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been…
- risk 0.57cvss 8.8epss 0.00
On IROAD v9 devices, the dashcam has hardcoded default credentials ("qwertyuiop") that cannot be changed by the user. This allows an attacker within Wi-Fi range to connect to the device's network to perform sniffing.
- risk 0.57cvss 8.8epss 0.00
DYMO LabelWriter Print Server through 2.366 contains a backdoor hard-coded password that could allow an attacker to take control.
- risk 0.55cvss 8.4epss 0.00
Tenda G1V3.1si V16.01.7.8 Firmware V16.01.7.8 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root.
- risk 0.55cvss 8.4epss 0.00
Tenda i24V3.0si V3.0.0.5 Firmware V3.0.0.5 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root.
- risk 0.55cvss —epss 0.00
A vulnerability was identified in SUR-FBD CMMS where hard-coded credentials were found within a compiled DLL file. These credentials correspond to a built-in administrative account of the software. An attacker with local access to the system or the application's installation…
- risk 0.52cvss 8.0epss 0.00
An attacker with adjacent access, without authentication, can exploit this vulnerability to retrieve a hard-coded password embedded in publicly available software. This password can then be used to decrypt sensitive network traffic, affecting the Cognex device.