VYPR

CWE-798

Use of Hard-coded Credentials

Abstraction: Base · Status: Draft · Likelihood of Exploit: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 15 of 28
  • CVE-2025-1143 · High · Feb 11, 2025
    risk 0.55 · CVSS 8.4 · EPSS 0.00

    Certain models of routers from Billion Electric have hard-coded embedded Linux credentials, allowing attackers to log in through the SSH service using these credentials and obtain root privilege on the system.

  • CVE-2024-28146 · High · Dec 12, 2024
    risk 0.55 · CVSS 8.4 · EPSS 0.00

    The application uses several hard-coded credentials to encrypt config files during backup, to decrypt the new firmware during an update and some passwords allow a direct connection to the database server of the affected device.

  • CVE-2018-0141 · High · Mar 8, 2018
    risk 0.55 · CVSS 8.4 · EPSS 0.00

    A vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software 11.6 could allow an unauthenticated, local attacker to log in to the underlying Linux operating system. The vulnerability is due to a hard-coded account password on the system. An attacker could exploit…

  • CVE-2026-42929 · High · May 29, 2026
    risk 0.54 · CVSS 8.3 · EPSS 0.00

    Danelec MacGregor Voyage Data Recorder includes default accounts with hard-coded credentials.

  • CVE-2026-44825 · High · Jun 1, 2026
    risk 0.53 · CVSS 8.1 · EPSS 0.01

    Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allow a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently…

  • CVE-2025-35940 · High · Jun 10, 2025
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    The ArchiverSpaApi ASP.NET application uses a hard-coded JWT signing key. An unauthenticated remote attacker can generate and use a verifiable JWT token to access protected ArchiverSpaApi URL endpoints.

  • CVE-2024-9334 · High · Feb 27, 2025
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    Use of Hard-coded Credentials, Storage of Sensitive Data in a Mechanism without Access Control vulnerability in E-Kent Pallium Vehicle Tracking allows Authentication Bypass. This issue affects Pallium Vehicle Tracking: before 17.10.2024.

  • CVE-2022-34151 · High · Jul 4, 2022
    risk 0.53 · CVSS 8.1 · EPSS 0.01

    Use of hard-coded credentials vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation…

  • CVE-2016-0235 · High · Mar 12, 2018
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    IBM Security Guardium Database Activity Monitor 10 allows local users to have unspecified impact by leveraging administrator access to a hardcoded password, related to use on GRUB systems. IBM X-Force ID: 110326.

  • CVE-2017-12724 · High · Feb 15, 2018
    risk 0.53 · CVSS 8.1 · EPSS 0.01

    A Use of Hard-coded Credentials issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The FTP server on the pump contains hardcoded credentials, which are not fully initialized. The FTP server is only accessible if the…

  • CVE-2017-12350 · High · Nov 16, 2017
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    A vulnerability in Cisco Umbrella Insights Virtual Appliances 2.1.0 and earlier could allow an authenticated, local attacker to log in to an affected virtual appliance with root privileges. The vulnerability is due to the presence of default, static user credentials for an…

  • CVE-2017-14116 · High · Sep 3, 2017
    risk 0.53 · CVSS 8.1 · EPSS 0.03

    The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG599 device, when IP Passthrough mode is not used, configures WAN access to a caserver https service with the tech account and an empty password, which allows remote attackers to obtain root privileges by establishing a…

  • CVE-2017-14115 · High · Sep 3, 2017
    risk 0.53 · CVSS 8.1 · EPSS 0.04

    The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG599 devices, when IP Passthrough mode is not used, configures ssh-permanent-enable WAN SSH logins to the remotessh account with the 5SaP9I26 password, which allows remote attackers to access a "Terminal shell v1.0"…

  • CVE-2017-7648 · High · Apr 10, 2017
    risk 0.53 · CVSS 8.1 · EPSS 0.02

    Foscam networked devices use the same hardcoded SSL private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation.

  • CVE-2016-10125 · High · Jan 9, 2017
    risk 0.53 · CVSS 8.1 · EPSS 0.01

    D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded SSL private key, which allows man-in-the-middle attackers to spoof devices by hijacking an HTTPS session.

  • CVE-2026-48031 · Critical · Jun 10, 2026
    risk 0.52 · CVSS not listed · EPSS 0.00

    Vulnerability: CWE-798 — Hardcoded JWT Secret + Broken Mitigation. Affected component: `github.com/dhax/go-base`, a Go REST API boilerplate (go-chi/jwtauth/v5, Viper, PostgreSQL/Bun) with 1,685 stars on GitHub. Vulnerability locations (file, line, role): …

  • CVE-2026-47410 · Critical · May 29, 2026
    risk 0.52 · CVSS not listed · EPSS 0.00

    Summary. Type: insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal `"dev-secret-change-me"` when `PLATFORM_JWT_SECRET` is unset. A safety check exists but only fires when `PLATFORM_ENV != "dev"`; the default value of `PLATFORM_ENV`…

  • CVE-2025-57578 · High · Sep 12, 2025
    risk 0.52 · CVSS 8.0 · EPSS 0.00

    An issue in H3C Magic M Device M2V100R006 allows a remote attacker to execute arbitrary code via the default password

  • CVE-2025-57577 · High · Sep 12, 2025
    risk 0.52 · CVSS 8.0 · EPSS 0.01

    An issue in H3C Device R365V300R004 allows a remote attacker to execute arbitrary code via the default password. NOTE: the Supplier's position is that their "product lines enforce or clearly prompt users to change any initial credentials upon first use. At most, this would be a…

  • CVE-2025-27255 · High · Mar 10, 2025
    risk 0.52 · CVSS 8.0 · EPSS 0.00

    Use of Hard-coded Credentials vulnerability in GE Vernova EnerVista UR Setup allows Privilege Escalation. The local user database is encrypted using a hardcoded password retrievable by an attacker analyzing the application code.
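Two entries on this page describe the same failure from opposite ends: a JWT signing key that lives in the application code (CVE-2025-35940) and a secret that falls back to a placeholder literal behind an environment check which never fires in the default environment (CVE-2026-47410). The Go program below is an added example written for this page; it is not code from either affected product, from go-base, or from any vendor listed above. `ForgeHS256` and `VerifyHS256` show why knowledge of the key is equivalent to holding every identity the server trusts, and `LoadSecretBroken` sits beside a fail-closed `LoadSecretStrict`. The placeholder key value, the function and parameter names and the 32-byte minimum are this example's assumptions; the `PLATFORM_*` environment variable names in `main` are the ones quoted in the CVE-2026-47410 description.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// placeholderKey stands in for a signing key baked into source or a binary.
// Constructed for this example; it is not a key from any product listed above.
const placeholderKey = "dev-secret-change-me"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ForgeHS256 mints a JWT for arbitrary claims with the given key. Anyone who
// recovers the key from the code (CAPEC-191) can mint tokens the server accepts.
func ForgeHS256(key string, claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	signingInput := b64(header) + "." + b64(payload)
	mac := hmac.New(sha256.New, []byte(key))
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// VerifyHS256 does what the server does: recompute the MAC with its own key and
// compare in constant time. Claims are returned only for a valid signature.
func VerifyHS256(key, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, []byte(key))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// LoadSecretBroken has the shape described for CVE-2026-47410: a literal
// fallback guarded by a check that only fires outside "dev", while "dev" is
// what env defaults to. Parameter names are this example's, not the project's.
func LoadSecretBroken(env, secret string) (string, error) {
	if env == "" {
		env = "dev"
	}
	if secret == "" {
		secret = placeholderKey
	}
	if env != "dev" && secret == placeholderKey {
		return "", errors.New("refusing to start with the default secret")
	}
	return secret, nil // with both unset, the placeholder is accepted
}

// LoadSecretStrict fails closed in every environment: the secret must be set,
// must not be a known placeholder, and must be at least 32 bytes long.
func LoadSecretStrict(secret string) (string, error) {
	placeholders := map[string]bool{placeholderKey: true, "secret": true, "changeme": true}
	switch {
	case secret == "":
		return "", errors.New("JWT secret not set")
	case placeholders[strings.ToLower(secret)]:
		return "", errors.New("JWT secret is a known placeholder")
	case len(secret) < 32:
		return "", errors.New("JWT secret shorter than 32 bytes")
	}
	return secret, nil
}

func main() {
	// Attacker side: the key was read out of the code, so mint an admin token.
	tok := ForgeHS256(placeholderKey, map[string]any{"sub": "attacker", "role": "admin"})
	claims, err := VerifyHS256(placeholderKey, tok)
	fmt.Println("server accepts forged token:", err == nil, claims)

	// Defender side: variable names follow the CVE-2026-47410 description.
	env, secret := os.Getenv("PLATFORM_ENV"), os.Getenv("PLATFORM_JWT_SECRET")
	_, brokenErr := LoadSecretBroken(env, secret)
	_, strictErr := LoadSecretStrict(secret)
	fmt.Println("broken loader error:", brokenErr, "| strict loader error:", strictErr)
}
```

Run it with nothing set and both the forged token and the broken loader succeed; only the strict loader refuses to start. The strict check is necessary but not sufficient: a 32-byte value that is itself committed to the repository or compiled into the binary is still CWE-798, so the value must come from a secret store or environment at deploy time and rotate when it leaks.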