VYPR

CWE-798

Use of Hard-coded Credentials

Base · Draft · Likelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 17 of 28
  • CVE-2025-48413 · High · May 21, 2025
    risk 0.50 · cvss 7.7 · epss 0.00

    The `/etc/passwd` and `/etc/shadow` files reveal hard-coded password hashes for the operating system "root" user. The credentials are shipped with the update files. There is no option for an end user to delete or change these passwords. An attacker can use the credentials to…

  • CVE-2017-7927 · High · May 6, 2017
    risk 0.50 · cvss 7.3 · epss 0.37

    A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX,…

  • CVE-2016-5645 · High · Aug 24, 2016
    risk 0.50 · cvss 7.3 · epss 0.29

    Rockwell Automation MicroLogix 1400 PLC 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, and 1766-L32BXBA devices have a hardcoded SNMP community, which makes it easier for remote attackers to load arbitrary firmware updates by leveraging knowledge of this…

  • CVE-2026-50213 · High · Jun 4, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings.

  • CVE-2019-25722 · High · Jun 2, 2026
    risk 0.49 · cvss 7.6 · epss 0.00

    Dräger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) contain hard-coded plaintext credentials in source code and a denial-of-service vulnerability that allows local and remote attackers to compromise device integrity across all software versions. A…

  • CVE-2020-37220 · High · May 13, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Attackers can query the /api/system/deviceinfo endpoint without authentication to extract the…

  • CVE-2026-33893 · High · May 12, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A vulnerability has been identified in Teamcenter V2312 (All versions < V2312.0014), Teamcenter V2406 (All versions < V2406.0012), Teamcenter V2412 (All versions < V2412.0009), Teamcenter V2506 (All versions < V2506.0005), Teamcenter V2512 (All versions). The affected…

  • CVE-2024-46508 · High · May 8, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens if the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than SECRET).

  • CVE-2026-32834 · High · May 4, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter.…

  • CVE-2026-27073 · High · Mar 25, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Use of Hard-coded Credentials vulnerability in Addi Addi – Cuotas que se adaptan a ti buy-now-pay-later-addi allows Password Recovery Exploitation. This issue affects Addi – Cuotas que se adaptan a ti: from n/a through <= 2.0.4.

  • CVE-2019-25470 · High · Mar 11, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    eWON Firmware versions 12.2 to 13.0 contain an authentication bypass vulnerability that allows attackers with minimal privileges to retrieve sensitive user data by exploiting the wsdReadForm endpoint. Attackers can send POST requests to /wrcgi.bin/wsdReadForm with base64-encoded…

  • CVE-2019-25322 · High · Feb 12, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Heatmiser Netmonitor 3.03 contains a hardcoded credentials vulnerability in the networkSetup.htm page with predictable admin login credentials. Attackers can access the device by using the hard-coded username 'admin' and password 'admin' in the hidden form input fields.

  • CVE-2020-37135 · High · Feb 7, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized administrative access to the system.

  • CVE-2020-37092 · High · Feb 3, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to…

  • CVE-2019-25291 · High · Jan 8, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    INIM Electronics Smartliving SmartLAN/G/SI <=6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. Attackers can exploit these persistent credentials to log in and gain unauthorized system access across…

  • CVE-2017-20214 · High · Jan 8, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system.

  • CVE-2020-36915 · High · Jan 6, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands…

  • CVE-2021-47744 · High · Dec 31, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Cypress Solutions CTM-200/CTM-ONE 1.3.6 contains a hard-coded credentials vulnerability in its Linux distribution that exposes root access. Attackers can exploit the static 'Chameleon' password to gain remote root access via Telnet or SSH on affected devices.

  • CVE-2025-7358 · High · Dec 18, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Use of Hard-coded Credentials vulnerability in Utarit Informatics Services Inc. SoliClub allows Authentication Abuse. This issue affects SoliClub: before 5.3.7.

  • CVE-2025-1029 · High · Dec 18, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Use of Hard-coded Credentials vulnerability in Utarit Information Services Inc. SoliClub allows Read Sensitive Constants Within an Executable. This issue affects SoliClub: from 5.2.4 before 5.3.7.