CWE-522
Insufficiently Protected Credentials
ClassIncomplete
Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653
CVEs mapped to this weakness (204)
page 6 of 11| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-8296 | Hig | 0.49 | 7.5 | 0.00 | Apr 27, 2017 | kedpm 0.5 and 1.0 creates a history file in ~/.kedpm/history that is written in cleartext. All of the commands performed in the password manager are written there. This can lead to the disclosure of the master password if the "password" command is used with an argument. The names of the password entries created and consulted are also accessible in cleartext. | |
| CVE-2025-64998 | Hig | 0.47 | 7.2 | 0.00 | Mar 24, 2026 | Exposure of session signing secret in Checkmk <2.4.0p23, <2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies. | |
| CVE-2025-61482 | Hig | 0.47 | 7.2 | 0.00 | Oct 27, 2025 | Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two factor authentication. By hooking into app crypto routines and intercepting decryption paths, attacker can recover plaintext secrets, enabling generation of valid one-time passwords, and bypassing authentication for enrolled accounts. | |
| CVE-2017-14111 | Hig | 0.47 | 7.2 | 0.01 | Nov 17, 2017 | The workstation logging function in Philips IntelliSpace Cardiovascular (ISCV) 2.3.0 and earlier and Xcelera R4.1L1 and earlier records domain authentication credentials, which if accessed allows an attacker to use credentials to access the application, or other user entitlements. | |
| CVE-2026-35155 | Hig | 0.46 | 7.1 | 0.00 | Apr 29, 2026 | Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low‑privileged attacker to gain elevated access. | |
| CVE-2024-49364 | Hig | 0.46 | — | 0.00 | Jul 1, 2025 | tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7. | |
| CVE-2025-1886 | Hig | 0.46 | — | 0.00 | Mar 7, 2025 | Pass-Back vulnerability in versions prior to 2025.35.000 of Sage 200 Spain. This vulnerability allows an authenticated attacker with administrator privileges to discover stored SMTP credentials. | |
| CVE-2024-38285 | Hig | 0.46 | — | 0.00 | Jun 13, 2024 | Logs storing credentials are insufficiently protected and can be decoded through the use of open source tools. | |
| CVE-2025-12461 | Med | 0.45 | — | 0.00 | Oct 29, 2025 | This vulnerability allows an attacker to access parts of the application that are not protected by any type of access control. The attacker could access this path ‘…/epsilonnet/License/About.aspx’ and obtain information on both the licence and the configuration of the product by knowing which modules are installed. | |
| CVE-2025-10360 | Med | 0.45 | — | 0.00 | Sep 24, 2025 | In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version. | |
| CVE-2025-6081 | Med | 0.44 | 6.8 | 0.00 | Jul 1, 2025 | Insufficiently Protected Credentials in LDAP in Konica Minolta bizhub 227 Multifunction printers version GCQ-Y3 or earlier allows an attacker can reconfigure the target device to use an external LDAP service controlled by the attacker. If an LDAP password is set on the target device, the attacker can force the target device to authenticate to the attacker controlled LDAP service. This will allow the attacker to capture the plaintext password of the configured LDAP service. | |
| CVE-2024-51984 | Med | 0.44 | 6.8 | 0.00 | Jun 25, 2025 | An authenticated attacker can reconfigure the target device to use an external service (such as LDAP or FTP) controlled by the attacker. If an existing password is present for an external service, the attacker can force the target device to authenticate to an attacker controlled device using the existing credentials for that external service. In the case of an external LDAP or FTP service, this will disclose the plaintext password for that external service to the attacker. | |
| CVE-2024-44754 | Med | 0.44 | 6.8 | 0.00 | Feb 28, 2025 | Cryptographic key extraction from internal flash in Minut M2 with firmware version #15142 allows physically proximate attackers to inject modified firmware into any other Minut M2 product via USB. | |
| CVE-2017-8371 | Med | 0.44 | 6.8 | 0.00 | Apr 30, 2017 | Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses cleartext RAM storage for passwords, which might allow remote attackers to obtain sensitive information via unspecified vectors. | |
| CVE-2016-9360 | Med | 0.44 | 6.7 | 0.00 | Feb 13, 2017 | An issue was discovered in General Electric (GE) Proficy HMI/SCADA iFIX Version 5.8 SIM 13 and prior versions, Proficy HMI/SCADA CIMPLICITY Version 9.0 and prior versions, and Proficy Historian Version 6.0 and prior versions. An attacker may be able to retrieve user passwords if he or she has access to an authenticated session. | |
| CVE-2026-42367 | Med | 0.42 | 6.5 | 0.00 | May 4, 2026 | A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vulnerability. | |
| CVE-2026-28909 | Med | 0.42 | 6.5 | 0.00 | Apr 30, 2026 | Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3. | |
| CVE-2025-15617 | Med | 0.42 | 6.5 | 0.00 | Mar 27, 2026 | Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits or altering release tags. | |
| CVE-2026-32606 | Hig | 0.42 | 7.6 | 0.00 | Mar 18, 2026 | IncusOS is an immutable OS image dedicated to running Incus. Prior to 202603142010, the default configuration of systemd-cryptenroll as used by IncusOS through mkosi allows for an attacker with physical access to the machine to access the encrypted data without requiring any interaction by the system's owner or any tampering of Secure Boot state or kernel (UKI) boot image. That's because in this configuration, the LUKS key is made available by the TPM so long as the system has the expected PCR7 value and the PCR11 policy matches. That default PCR11 policy importantly allows for the TPM to release the key to the booted system rather than just from the initrd part of the signed kernel image (UKI). The attack relies on the attacker being able to substitute the original encrypted root partition for one that they control. By doing so, the system will prompt for a recovery key on boot, which the attacker has defined and can provide, before booting the system using the attacker's root partition rather than the system's original one. The attacker only needs to put a systemd unit starting on system boot within their root partition to have the system run that logic on boot. That unit will then run in an environment where the TPM will allow for the retrieval of the encryption key of the real root disk, allowing the attacker to steal the LUKS volume key (immutable master key) and then use it against the real root disk, altering it or getting data out before putting the disk back the way it was and returning the system without a trace of this attack having happened. This is all possible because the system will have still booted with Secure Boot enabled, will have measured and ran the expected bootloader and kernel image (UKI). The initrd selects the root disk based on GPT partition identifiers making it possible to easily substitute the real root disk for an attacker controlled one. This doesn't lead to any change in the TPM state and therefore allows for retrieval of the LUKS key by the attacker through a boot time systemd unit on their alternative root partition. IncusOS version 202603142010 (2026/03/14 20:10 UTC) includes the new PCR15 logic and will automatically update the TPM policy on boot. Anyone suspecting that their system may have been physically accessed while shut down should perform a full system wipe and reinstallation as only that will rotate the LUKS volume key and prevent subsequent access to the encrypted data should the system have been previously compromised. There are no known workarounds other than updating to a version with corrected logic which will automatically rebind the LUKS keys to the new set of TPM registers and prevent this from being exploited. | |
| CVE-2025-12636 | Med | 0.42 | 6.5 | 0.00 | Nov 6, 2025 | The Ubia camera ecosystem fails to adequately secure API credentials, potentially enabling an attacker to connect to backend services. The attacker would then be able to gain unauthorized access to available cameras, enabling the viewing of live feeds or modification of settings. |