VYPR

CWE-798

Use of Hard-coded Credentials

Base · Draft · Likelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

  • CVE-2014-125115 · Cri · Jul 25, 2025
    risk 0.74 · cvss · epss 0.02

    An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens…

  • CVE-2014-125121 · Cri · Jul 31, 2025
    risk 0.73 · cvss · epss 0.01

    Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a…

  • CVE-2017-14143 · Cri · Sep 19, 2017
    risk 0.73 · cvss 9.8 · epss 0.76

    The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via…

  • CVE-2016-1560 · Cri · Apr 21, 2017
    risk 0.72 · cvss 9.8 · epss 0.72

    ExaGrid appliances with firmware before 4.8 P26 have a default password of (1) inflection for the root shell account and (2) support for the support account in the web interface, which allows remote attackers to obtain administrative access via an SSH or HTTP session.

  • CVE-2025-8730 · Cri · Aug 8, 2025
    risk 0.70 · cvss 9.8 · epss 0.03

    A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The…

  • CVE-2018-11094 · Cri · May 15, 2018
    risk 0.70 · cvss 9.8 · epss 0.36

    An issue was discovered on Intelbras NCLOUD 300 1.0 devices. /cgi-bin/ExportSettings.sh, /goform/updateWPS, /goform/RebootSystem, and /goform/vpnBasicSettings do not require authentication. For example, when an HTTP POST request is made to /cgi-bin/ExportSettings.sh, the…

  • CVE-2018-16158 · Cri · Aug 30, 2018
    risk 0.69 · cvss 9.8 · epss 0.35

    Eaton Power Xpert Meter 4000, 6000, and 8000 devices before 13.4.0.10 have a single SSH private key across different customers' installations and do not properly restrict access to this key, which makes it easier for remote attackers to perform SSH logins (to uid 0) via the…

  • CVE-2018-11509 · Cri · Aug 16, 2018
    risk 0.68 · cvss 9.8 · epss 0.13

    ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to login and upload a webshell.

  • CVE-2018-9161 · Cri · Mar 31, 2018
    risk 0.68 · cvss 9.8 · epss 0.59

    Prisma Industriale Checkweigher PrismaWEB 1.21 allows remote attackers to discover the hardcoded prisma password for the prismaweb account by reading user/scripts/login_par.js.

  • CVE-2015-4667 · Cri · Sep 25, 2017
    risk 0.68 · cvss 9.8 · epss 0.11

    Multiple hardcoded credentials in Xsuite 2.x.

  • CVE-2015-7246 · Cri · Apr 24, 2017
    risk 0.68 · cvss 9.8 · epss 0.14

    D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 has a default password of root for the root account and tw for the tw account, which makes it easier for remote attackers to obtain administrative access.

  • CVE-2017-7462 · Cri · Apr 11, 2017
    risk 0.68 · cvss 9.8 · epss 0.13

    Intellinet NFC-30ir IP Camera has a vendor backdoor that can allow a remote attacker access to a vendor-supplied CGI script in the web directory.

  • CVE-2017-6558 · Cri · Mar 9, 2017
    risk 0.68 · cvss 9.8 · epss 0.15

    iball Baton 150M iB-WRA150N v1 00000001 1.2.6 build 110401 Rel.47776n devices are prone to an authentication bypass vulnerability that allows remote attackers to view and modify administrative router settings by reading the HTML source code of the password.cgi file.

  • CVE-2008-1160 · Cri · Mar 25, 2008
    risk 0.68 · cvss 9.8 · epss 0.15

    ZyXEL ZyWALL 1050 has a hard-coded password for the Quagga and Zebra processes that is not changed when it is set by a user, which allows remote attackers to gain privileges.

  • CVE-2018-10575 · Cri · Apr 30, 2018
    risk 0.67 · cvss 9.8 · epss 0.09

    An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false.

  • CVE-2018-5723 · Cri · Jan 16, 2018
    risk 0.67 · cvss 9.8 · epss 0.10

    MASTER IPCAMERA01 3.3.4.2103 devices have a hardcoded password of cat1029 for the root account.

  • CVE-2017-8224 · Cri · Apr 25, 2017
    risk 0.67 · cvss 9.8 · epss 0.09

    Wireless IP Camera (P2P) WIFICAM devices have a backdoor root account that can be accessed with TELNET.

  • CVE-2016-5678 · Cri · Aug 31, 2016
    risk 0.67 · cvss 9.8 · epss 0.09

    NUUO NVRmini 2 1.0.0 through 3.0.0 and NUUO NVRsolo 1.0.0 through 3.0.0 have hardcoded root credentials, which allows remote attackers to obtain administrative access via unspecified vectors.

  • CVE-2017-6403 · Cri · Mar 2, 2017
    risk 0.66 · cvss 9.8 · epss 0.27

    An issue was discovered in Veritas NetBackup Before 8.0 and NetBackup Appliance Before 3.0. NetBackup Cloud Storage Service uses a hardcoded username and password.

  • CVE-2025-69426 · Cri · Jan 9, 2026
    risk 0.65 · cvss · epss 0.00

    The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables…