VYPR

CWE-798

Use of Hard-coded Credentials

Base · Draft · Likelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 14 of 28
  • CVE-2018-0663 · High · Sep 7, 2018
    risk 0.57 · cvss 8.8 · epss 0.02

    Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) use hardcoded credentials which may allow a remote authenticated attacker to execute arbitrary OS commands…

  • CVE-2018-10898 · High · Jul 30, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability was found in openstack-tripleo-heat-templates before version 8.0.2-40. When deployed using Director using default configuration, Opendaylight in RHOSP13 is configured with easily guessable default credentials.

  • CVE-2016-9495 · High · Jul 13, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Hughes high-performance broadband satellite modems, models HN7740S DW7000 HN7000S/SM, use hard-coded credentials. Access to the device's default telnet port (23) can be obtained using one of a few default credentials shared among all devices.

  • CVE-2016-3953 · Critical · Feb 6, 2018
    risk 0.57 · cvss 9.8 · epss 0.03

    The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function.

  • CVE-2017-2280 · High · Aug 2, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    WN-AX1167GR firmware version 3.00 and earlier uses hardcoded credentials which may allow an attacker that can access the device to execute arbitrary code on the device.

  • CVE-2017-9488 · High · Jul 31, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST) and DPC3941T (firmware version DPC3941_2.5s3_PROD_sey) devices allows remote attackers to access the web UI by establishing a session to the wan0 WAN IPv6 address and then…

  • CVE-2016-9013 · Critical · Dec 9, 2016
    risk 0.57 · cvss 9.8 · epss 0.05

    Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging…

  • CVE-2012-3503 · Critical · Aug 25, 2012
    risk 0.57 · cvss 9.8 · epss 0.03

    The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web…

  • CVE-2026-22312 · High · Jun 16, 2026
    risk 0.56 · cvss 8.6 · epss 0.00

    The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot).

  • CVE-2025-10681 · High · Apr 3, 2026
    risk 0.56 · cvss 8.6 · epss 0.00

    Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulnerability may grant unauthorized access to production storage containers.

  • CVE-2025-44643 · High · Aug 4, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    Certain Draytek products are affected by Insecure Configuration. This affects AP903 v1.4.18 and AP912C v1.4.9 and AP918R v1.4.9. The setting of the password property in the ripd.conf configuration file sets a hardcoded weak password, posing a security risk. An attacker with…

  • CVE-2025-4049 · High · Jul 21, 2025
    risk 0.56 · cvss · epss 0.00

    A use of hard-coded SQLite credentials (the same among all vulnerable installations) vulnerability in SIGNUM-NET FARA allows reading and manipulating the locally stored database. This issue affects FARA: through 5.0.80.34.

  • CVE-2023-26566 · High · May 14, 2024
    risk 0.56 · cvss 8.6 · epss 0.01

    Sangoma FreePBX 1805 through 2203 on Linux contains hardcoded credentials for the Asterisk REST Interface (ARI), which allows remote attackers to reconfigure Asterisk and make external and internal calls via HTTP and WebSocket requests sent to the API.

  • CVE-2017-6351 · High · Mar 6, 2017
    risk 0.56 · cvss 8.1 · epss 0.07

    The WePresent WiPG-1500 device with firmware 1.0.3.7 has a manufacturer account that has a hardcoded username / password. Once the device is set to DEBUG mode, an attacker can connect to the device using the telnet protocol and log into the device with the 'abarco' hardcoded…

  • CVE-2017-5167 · High · Feb 13, 2017
    risk 0.56 · cvss 8.6 · epss 0.01

    An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter. Users do not have any option to change their own passwords.

  • CVE-2016-8361 · High · Feb 13, 2017
    risk 0.56 · cvss 8.6 · epss 0.02

    An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older. The application uses a hard-coded username with no password allowing an attacker into the system without authentication.

  • CVE-2025-59107 · High · Jan 26, 2026
    risk 0.55 · cvss · epss 0.00

    Dormakaba provides the software FWServiceTool to update the firmware version of the Access Managers via the network. The firmware in some instances is provided in an encrypted ZIP file. Within this tool, the password used to decrypt the ZIP and extract the firmware is set…

  • CVE-2025-14115 · High · Jan 20, 2026
    risk 0.55 · cvss 8.4 · epss 0.00

    IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019 IBM® Sterling Connect:Direct for UNIX contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound…

  • CVE-2025-14096 · High · Dec 17, 2025
    risk 0.55 · cvss 8.4 · epss 0.00

    A vulnerability exists in multiple Radiometer products that allows an attacker with physical access to the analyzer to extract credential information. The vulnerability is due to a weakness in the design and insufficient credential protection in the operating system…

  • CVE-2025-55047 · High · Sep 9, 2025
    risk 0.55 · cvss 8.4 · epss 0.00

    CWE-798 Use of Hard-coded Credentials