CWE-798
Use of Hard-coded Credentials
Description
The product contains hard-coded credentials, such as a password or cryptographic key.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-191 · CAPEC-70
CVEs mapped to this weakness (556)
page 15 of 28

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-1143 | — | High | 0.55 | 8.4 | 0.00 | | Feb 11, 2025 | Certain models of routers from Billion Electric have hard-coded embedded Linux credentials, allowing attackers to log in through the SSH service using these credentials and obtain root privilege of the system. |
| CVE-2024-28146 | — | High | 0.55 | 8.4 | 0.00 | | Dec 12, 2024 | The application uses several hard-coded credentials to encrypt config files during backup and to decrypt the new firmware during an update, and some passwords allow a direct connection to the database server of the affected device. |
| CVE-2018-0141 | — | High | 0.55 | 8.4 | 0.00 | | Mar 8, 2018 | A vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software 11.6 could allow an unauthenticated, local attacker to log in to the underlying Linux operating system. The vulnerability is due to a hard-coded account password on the system. An attacker could exploit… |
| CVE-2026-42929 | — | High | 0.54 | 8.3 | 0.00 | | May 29, 2026 | Danelec MacGregor Voyage Data Recorder includes default accounts with hard-coded credentials. |
| CVE-2026-44825 | — | High | 0.53 | 8.1 | 0.01 | | Jun 1, 2026 | Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allow a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently… |
| CVE-2025-35940 | — | High | 0.53 | 8.1 | 0.00 | | Jun 10, 2025 | The ArchiverSpaApi ASP.NET application uses a hard-coded JWT signing key. An unauthenticated remote attacker can generate and use a verifiable JWT token to access protected ArchiverSpaApi URL endpoints. |
| CVE-2024-9334 | — | High | 0.53 | 8.2 | 0.00 | | Feb 27, 2025 | Use of Hard-coded Credentials, Storage of Sensitive Data in a Mechanism without Access Control vulnerability in E-Kent Pallium Vehicle Tracking allows Authentication Bypass. This issue affects Pallium Vehicle Tracking: before 17.10.2024. |
| CVE-2022-34151 | — | High | 0.53 | 8.1 | 0.01 | | Jul 4, 2022 | Use of hard-coded credentials vulnerability exists in Machine automation controller NJ series all models V1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation… |
| CVE-2016-0235 | — | High | 0.53 | 8.2 | 0.00 | | Mar 12, 2018 | IBM Security Guardium Database Activity Monitor 10 allows local users to have unspecified impact by leveraging administrator access to a hardcoded password, related to use on GRUB systems. IBM X-Force ID: 110326. |
| CVE-2017-12724 | — | High | 0.53 | 8.1 | 0.01 | | Feb 15, 2018 | A Use of Hard-coded Credentials issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Versions 1.1, 1.5, and 1.6. The FTP server on the pump contains hardcoded credentials, which are not fully initialized. The FTP server is only accessible if the… |
| CVE-2017-12350 | — | High | 0.53 | 8.2 | 0.00 | | Nov 16, 2017 | A vulnerability in Cisco Umbrella Insights Virtual Appliances 2.1.0 and earlier could allow an authenticated, local attacker to log in to an affected virtual appliance with root privileges. The vulnerability is due to the presence of default, static user credentials for an… |
| CVE-2017-14116 | — | High | 0.53 | 8.1 | 0.03 | | Sep 3, 2017 | The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG599 device, when IP Passthrough mode is not used, configures WAN access to a caserver https service with the tech account and an empty password, which allows remote attackers to obtain root privileges by establishing a… |
| CVE-2017-14115 | — | High | 0.53 | 8.1 | 0.04 | | Sep 3, 2017 | The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG599 devices, when IP Passthrough mode is not used, configures ssh-permanent-enable WAN SSH logins to the remotessh account with the 5SaP9I26 password, which allows remote attackers to access a "Terminal shell v1.0"… |
| CVE-2017-7648 | — | High | 0.53 | 8.1 | 0.02 | | Apr 10, 2017 | Foscam networked devices use the same hardcoded SSL private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation. |
| CVE-2016-10125 | — | High | 0.53 | 8.1 | 0.01 | | Jan 9, 2017 | D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded SSL private key, which allows man-in-the-middle attackers to spoof devices by hijacking an HTTPS session. |
| CVE-2026-48031 | — | Critical | 0.52 | — | 0.00 | | Jun 10, 2026 | Vulnerability: CWE-798, Hardcoded JWT Secret + Broken Mitigation. Affected Component: `github.com/dhax/go-base`, a Go REST API boilerplate (go-chi/jwtauth/v5, Viper, PostgreSQL/Bun), 1,685 stars on GitHub. Vulnerability Locations: \| File \| Line \| Role \|… |
| CVE-2026-47410 | — | Critical | 0.52 | — | 0.00 | | May 29, 2026 | Summary. Type: Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal `"dev-secret-change-me"` when `PLATFORM_JWT_SECRET` is unset. A safety check exists but only fires when `PLATFORM_ENV != "dev"`; the default value of `PLATFORM_ENV`… |
| CVE-2025-57578 | — | High | 0.52 | 8.0 | 0.00 | | Sep 12, 2025 | An issue in H3C Magic M Device M2V100R006 allows a remote attacker to execute arbitrary code via the default password. |
| CVE-2025-57577 | — | High | 0.52 | 8.0 | 0.01 | | Sep 12, 2025 | An issue in H3C Device R365V300R004 allows a remote attacker to execute arbitrary code via the default password. NOTE: the Supplier's position is that their "product lines enforce or clearly prompt users to change any initial credentials upon first use. At most, this would be a… |
| CVE-2025-27255 | — | High | 0.52 | 8.0 | 0.00 | | Mar 10, 2025 | Use of Hard-coded Credentials vulnerability in GE Vernova EnerVista UR Setup allows Privilege Escalation. The local user database is encrypted using a hardcoded password retrievable by an attacker analyzing the application code. |