CWE-798

Use of Hard-coded Credentials

BaseDraftLikelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (354)

page 12 of 18

CVE	Sev	Risk	CVSS	Published	Description
CVE-2026-33893	Hig	0.49	7.5	May 12, 2026	A vulnerability has been identified in Teamcenter V2312 (All versions < V2312.0014), Teamcenter V2406 (All versions < V2406.0012), Teamcenter V2412 (All versions < V2412.0009), Teamcenter V2506 (All versions < V2506.0005), Teamcenter V2512 (All versions). The affected application contains hardcoded key which is used for obfuscation stored directly into the application. This could allow an attacker to obtain these keys and misuse them to gain unauthorized access.
CVE-2024-46508	Hig	0.49	7.5	May 8, 2026	yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens is the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than SECRET).
CVE-2026-32834	Hig	0.49	7.5	May 4, 2026	Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID.
CVE-2026-1233	Hig	0.49	7.5	Apr 4, 2026	The Text to Speech for WP (AI Voices by Mementor) plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.9.8. This is due to the plugin containing hardcoded MySQL database credentials for the vendor's external telemetry server in the `Mementor_TTS_Remote_Telemetry` class. This makes it possible for unauthenticated attackers to extract and decode these credentials, gaining unauthorized write access to the vendor's telemetry database.
CVE-2026-27073	Hig	0.49	7.5	Mar 25, 2026	Use of Hard-coded Credentials vulnerability in Addi Addi – Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation.This issue affects Addi – Cuotas que se adaptan a ti: from n/a through <= 2.0.4.
CVE-2019-25470	Hig	0.49	7.5	Mar 11, 2026	eWON Firmware versions 12.2 to 13.0 contain an authentication bypass vulnerability that allows attackers with minimal privileges to retrieve sensitive user data by exploiting the wsdReadForm endpoint. Attackers can send POST requests to /wrcgi.bin/wsdReadForm with base64-encoded partial credentials and a crafted wsdList parameter to extract encrypted passwords for all users, which can be decrypted using a hardcoded XOR key.
CVE-2019-25322	Hig	0.49	7.5	Feb 12, 2026	Heatmiser Netmonitor 3.03 contains a hardcoded credentials vulnerability in the networkSetup.htm page with predictable admin login credentials. Attackers can access the device by using the hard-coded username 'admin' and password 'admin' in the hidden form input fields.
CVE-2020-37135	Hig	0.49	7.5	Feb 7, 2026	AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized administrative access to the system.
CVE-2020-37092	Hig	0.49	7.5	Feb 3, 2026	Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device.
CVE-2019-25291	Hig	0.49	7.5	Jan 8, 2026	INIM Electronics Smartliving SmartLAN/G/SI <=6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. Attackers can exploit these persistent credentials to log in and gain unauthorized system access across multiple SmartLiving device models.
CVE-2017-20214	Hig	0.49	7.5	Jan 8, 2026	FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system.
CVE-2020-36915	Hig	0.49	7.5	Jan 6, 2026	Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands across multiple Adtec Digital product versions.
CVE-2021-47744	Hig	0.49	7.5	Dec 31, 2025	Cypress Solutions CTM-200/CTM-ONE 1.3.6 contains hard-coded credentials vulnerability in Linux distribution that exposes root access. Attackers can exploit the static 'Chameleon' password to gain remote root access via Telnet or SSH on affected devices.
CVE-2025-41722	Hig	0.49	7.5	Oct 22, 2025	The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices.
CVE-2025-7342	Hig	0.49	7.5	Aug 17, 2025	A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the Windows image build process when using the Nutanix or VMware OVA providers. These credentials, which allow root access, are disabled at the conclusion of the build. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project and the vulnerability was exploited during the build process, which requires an attacker to access the build VM and modify the image while the build is in progress.
CVE-2025-4130	Hig	0.49	7.5	Jul 21, 2025	Use of Hard-coded Credentials vulnerability in PAVO Inc. PAVO Pay allows Read Sensitive Constants Within an Executable.This issue affects PAVO Pay: before 13.05.2025.
CVE-2025-52492	Hig	0.49	7.5	Jul 7, 2025	A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. The firmware file, rootfs.tar.gz, contains hard-coded credentials for the Twilio API. A remote attacker who obtains a copy of the firmware can extract these credentials. This could allow the attacker to gain unauthorized access to the associated Twilio account, leading to information disclosure, potential service disruption, and unauthorized use of the Twilio services.
CVE-2025-30118	Hig	0.49	7.5	Mar 25, 2025	An issue was discovered on the Audi Universal Traffic Recorder 2.88. It has Susceptibility to denial of service. It uses the same default credentials for all devices and does not implement proper multi-device authentication, allowing attackers to deny the owner access by occupying the only available connection. The SSID remains broadcast at all times, increasing exposure to potential attacks.
CVE-2025-2343	Hig	0.49	7.5	Mar 16, 2025	A vulnerability classified as critical was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this vulnerability is an unknown functionality of the component Device Pairing. The manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-54749	Hig	0.49	7.5	Dec 6, 2024	Ubiquiti U7-Pro 7.0.35 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. NOTE: this is disputed by the Supplier because the observation only established that a password is present in a firmware image; however, the device cannot be deployed without setting a new password during installation.