VYPR

CWE-798

Use of Hard-coded Credentials

Base · Draft · Likelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 16 of 28
  • CVE-2023-49224 · High · Jun 7, 2024
    risk 0.52 · cvss 8.0 · epss 0.00

    Precor touchscreen console P62, P80, and P82 contains a default SSH public key in the authorized_keys file. A remote attacker could use this key to gain root privileges.

  • CVE-2018-5725 · High · Jan 16, 2018
    risk 0.52 · cvss 7.5 · epss 0.05

    MASTER IPCAMERA01 3.3.4.2103 devices allow Unauthenticated Configuration Change, as demonstrated by the port number of the web server.

  • CVE-2017-2283 · High · Aug 2, 2017
    risk 0.52 · cvss 8.0 · epss 0.01

    WN-G300R3 firmware version 1.0.2 and earlier uses hardcoded credentials which may allow an attacker that can access the device to execute arbitrary code on the device.

  • CVE-2025-15371 · High · Dec 31, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    A vulnerability has been found in Tenda i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G and TEG5328F up to 65.10.15.6. Affected is an unknown function of the component Shadow File. Such manipulation with the input Fireitup leads to hard-coded credentials. An attack has to be…

  • CVE-2025-9380 · High · Aug 24, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    A vulnerability was identified in FNKvision Y215 CCTV Camera 10.194.120.40. Affected by this issue is some unknown functionality of the file /etc/passwd of the component Firmware. Such manipulation leads to hard-coded credentials. Local access is required to approach this…

  • CVE-2025-7564 · High · Jul 14, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    A vulnerability, which was classified as critical, has been found in LB-LINK BL-AC3600 1.0.22. Affected by this issue is some unknown functionality of the file /etc/shadow. The manipulation with the input root:blinkadmin leads to hard-coded credentials. Local access is required…

  • CVE-2024-50593 · High · Nov 8, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    An attacker with local access to the medical office computer can access restricted functions of the Elefant Service tool by using a hard-coded "Hotline" password in the Elefant service binary, which is shipped with the software.

  • CVE-2023-49221 · High · Jun 7, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    Precor touchscreen console P62, P80, and P82 could allow a remote attacker (within the local network) to bypass security restrictions, and access the service menu, because there is a hard-coded service code.

  • CVE-2018-8857 · High · May 4, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    Philips Brilliance CT software (Brilliance 64 version 2.6.2 and prior, Brilliance iCT versions 4.1.6 and prior, Brilliance iCT SP versions 3.2.4 and prior, and Brilliance CT Big Bore 2.3.5 and prior) contains fixed credentials, such as a password or cryptographic key, which it…

  • CVE-2018-1206 · High · Mar 12, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and Dell EMC Data Protection Advisor versions prior to 6.4 Patch 110 contain a hardcoded database account with administrative privileges. The affected account is "apollosuperuser." An attacker with local access to…

  • CVE-2017-3762 · High · Jan 26, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local…

  • CVE-2017-11026 · High · Nov 16, 2017
    risk 0.51 · cvss 7.8 · epss 0.00

    In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while flashing FRP partition using reference FRP unlock, authentication method can be compromised for static keys.

  • CVE-2017-14376 · High · Nov 1, 2017
    risk 0.51 · cvss 7.8 · epss 0.00

    EMC AppSync Server prior to 3.5.0.1 contains database accounts with hardcoded passwords that could potentially be exploited by malicious users to compromise the affected system.

  • CVE-2017-14428 · High · Sep 13, 2017
    risk 0.51 · cvss 7.8 · epss 0.00

    D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/run/hostapd* permissions.

  • CVE-2017-14426 · High · Sep 13, 2017
    risk 0.51 · cvss 7.8 · epss 0.00

    D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0644 /var/etc/shadow (aka the /etc/shadow symlink target) permissions.

  • CVE-2016-2948 · High · Nov 30, 2016
    risk 0.51 · cvss 7.8 · epss 0.00

    IBM BigFix Remote Control before 9.1.3 allows local users to discover hardcoded credentials via unspecified vectors.

  • CVE-2010-2772 · High · Jul 22, 2010
    risk 0.51 · cvss 7.8 · epss 0.01

    Siemens Simatic WinCC and PCS 7 SCADA system uses a hard-coded password, which allows local users to access a back-end database and gain privileges, as demonstrated in the wild in July 2010 by the Stuxnet worm, a different vulnerability than CVE-2010-2568.

  • CVE-2006-7142 · High · Mar 7, 2007
    risk 0.51 · cvss 7.8 · epss 0.00

    The centralized management feature for Utimaco Safeguard stores hard-coded cryptographic keys in executable programs for encrypted configuration files, which allows attackers to recover the keys from the configuration files and decrypt the disk drive.

  • CVE-2025-54872 · High · Aug 6, 2025
    risk 0.50 · cvss · epss 0.00

    onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image,…

  • CVE-2025-4569 · High · Jul 21, 2025
    risk 0.50 · cvss · epss 0.00

    An insecure sensitive key storage issue was found in MyASUS, potentially allowing an unauthorized actor to obtain a token that could be used to communicate with certain services. Refer to the 'Security Update for MyASUS' section on the ASUS Security Advisory for more…