VYPR

CWE-798

Use of Hard-coded Credentials

Base · Draft · Likelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 18 of 28
  • CVE-2025-41722 · High · Oct 22, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices.

  • CVE-2025-7342 · High · Aug 17, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the Windows image build process when using the Nutanix or VMware OVA providers. These credentials, which allow root access, are disabled at the conclusion of the build.…

  • CVE-2025-4130 · High · Jul 21, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Use of Hard-coded Credentials vulnerability in PAVO Inc. PAVO Pay allows Read Sensitive Constants Within an Executable. This issue affects PAVO Pay: before 13.05.2025.

  • CVE-2025-52492 · High · Jul 7, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. The firmware file, rootfs.tar.gz, contains hard-coded credentials for the Twilio API. A remote attacker who obtains a copy of the firmware can extract these credentials. This could allow the…

  • CVE-2025-30118 · High · Mar 25, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue was discovered on the Audi Universal Traffic Recorder 2.88. It has Susceptibility to denial of service. It uses the same default credentials for all devices and does not implement proper multi-device authentication, allowing attackers to deny the owner access by…

  • CVE-2025-2343 · High · Mar 16, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    A vulnerability classified as critical was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this vulnerability is an unknown functionality of the component Device Pairing. The manipulation leads to hard-coded credentials. Access to the local network is…

  • CVE-2024-54749 · High · Dec 6, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    Ubiquiti U7-Pro 7.0.35 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. NOTE: this is disputed by the Supplier because the observation only established that a password is present in a firmware image; however,…

  • CVE-2024-33329 · High · Jun 26, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x allows attackers to bypass authentication and access internal pages and other sensitive information.

  • CVE-2024-36496 · High · Jun 24, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five…

  • CVE-2024-32988 · High · May 22, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    'OfferBox' App for Android versions 2.0.0 to 2.3.17 and 'OfferBox' App for iOS versions 2.1.7 to 2.6.14 use a hard-coded secret key for JWT. Secret key for JWT may be retrieved if the application binary is reverse-engineered.

  • CVE-2024-4844 · High · May 16, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    Hardcoded credentials vulnerability in Trellix ePolicy Orchestrator (ePO) on Premise prior to 5.10 Service Pack 1 Update 2 allows an attacker with admin privileges on the ePO server to read the contents of the orion.keystore file, allowing them to access the ePO database…

  • CVE-2023-6255 · High · Feb 15, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    Use of Hard-coded Credentials vulnerability in Utarit Information Technologies SoliPay Mobile App allows Read Sensitive Strings Within an Executable. This issue affects SoliPay Mobile App: before 5.0.8.

  • CVE-2018-15753 · High · Oct 2, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue was discovered in the MensaMax (aka com.breustedt.mensamax) application 4.3 for Android. The use of a Hard-coded DES Cryptographic Key allows an attacker who decodes the application to decrypt transmitted data such as the login username and password.

  • CVE-2018-17217 · High · Oct 1, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue was discovered in PTC ThingWorx Platform 6.5 through 8.2. There is a hardcoded encryption key.

  • CVE-2018-14901 · High · Aug 30, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    The EPSON iPrint application 6.6.3 for Android contains hard-coded API and Secret keys for the Dropbox, Box, Evernote and OneDrive services.

  • CVE-2018-13820 · High · Aug 30, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    A hardcoded passphrase, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows attackers to access sensitive information.

  • CVE-2018-13819 · High · Aug 30, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    A hardcoded secret key, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows attackers to access sensitive information.

  • CVE-2018-15491 · High · Aug 18, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    A vulnerability in the permission and encryption implementation of Zemana Anti-Logger 1.9.3.527 and prior (fixed in 1.9.3.602) allows an attacker to take control of the whitelisting feature (MyRules2.ini under %LOCALAPPDATA%\Zemana\ZALSDK) to permit execution of unauthorized…

  • CVE-2017-13108 · High · Aug 15, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.

  • CVE-2017-13107 · High · Aug 15, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.