CWE-798
Use of Hard-coded Credentials
Description
The product contains hard-coded credentials, such as a password or cryptographic key.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-191 · CAPEC-70
CVEs mapped to this weakness (556)
page 18 of 28| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-41722 | Hig | 0.49 | 7.5 | 0.00 | Oct 22, 2025 | The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices. | ||
| CVE-2025-7342 | Hig | 0.49 | 7.5 | 0.00 | Aug 17, 2025 | A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the Windows image build process when using the Nutanix or VMware OVA providers. These credentials, which allow root access, are disabled at the conclusion of the build.… | ||
| CVE-2025-4130 | Hig | 0.49 | 7.5 | 0.00 | Jul 21, 2025 | Use of Hard-coded Credentials vulnerability in PAVO Inc. PAVO Pay allows Read Sensitive Constants Within an Executable. This issue affects PAVO Pay: before 13.05.2025. | ||
| CVE-2025-52492 | Hig | 0.49 | 7.5 | 0.00 | Jul 7, 2025 | A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. The firmware file, rootfs.tar.gz, contains hard-coded credentials for the Twilio API. A remote attacker who obtains a copy of the firmware can extract these credentials. This could allow the… | ||
| CVE-2025-30118 | Hig | 0.49 | 7.5 | 0.00 | Mar 25, 2025 | An issue was discovered on the Audi Universal Traffic Recorder 2.88. It has Susceptibility to denial of service. It uses the same default credentials for all devices and does not implement proper multi-device authentication, allowing attackers to deny the owner access by… | ||
| CVE-2025-2343 | Hig | 0.49 | 7.5 | 0.00 | Mar 16, 2025 | A vulnerability classified as critical was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this vulnerability is an unknown functionality of the component Device Pairing. The manipulation leads to hard-coded credentials. Access to the local network is… | ||
| CVE-2024-54749 | Hig | 0.49 | 7.5 | 0.00 | Dec 6, 2024 | Ubiquiti U7-Pro 7.0.35 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. NOTE: this is disputed by the Supplier because the observation only established that a password is present in a firmware image; however,… | ||
| CVE-2024-33329 | Hig | 0.49 | 7.5 | 0.01 | Jun 26, 2024 | A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x allows attackers to bypass authentication and access internal pages and other sensitive information. | ||
| CVE-2024-36496 | — | Hig | 0.49 | 7.5 | 0.01 | Jun 24, 2024 | The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five… | |
| CVE-2024-32988 | — | Hig | 0.49 | 7.5 | 0.00 | May 22, 2024 | 'OfferBox' App for Android versions 2.0.0 to 2.3.17 and 'OfferBox' App for iOS versions 2.1.7 to 2.6.14 use a hard-coded secret key for JWT. Secret key for JWT may be retrieved if the application binary is reverse-engineered. | |
| CVE-2024-4844 | Hig | 0.49 | 7.5 | 0.00 | May 16, 2024 | Hardcoded credentials vulnerability in Trellix ePolicy Orchestrator (ePO) on Premise prior to 5.10 Service Pack 1 Update 2 allows an attacker with admin privileges on the ePO server to read the contents of the orion.keystore file, allowing them to access the ePO database… | ||
| CVE-2023-6255 | Hig | 0.49 | 7.5 | 0.00 | Feb 15, 2024 | Use of Hard-coded Credentials vulnerability in Utarit Information Technologies SoliPay Mobile App allows Read Sensitive Strings Within an Executable. This issue affects SoliPay Mobile App: before 5.0.8. | ||
| CVE-2018-15753 | Hig | 0.49 | 7.5 | 0.01 | Oct 2, 2018 | An issue was discovered in the MensaMax (aka com.breustedt.mensamax) application 4.3 for Android. The use of a Hard-coded DES Cryptographic Key allows an attacker who decodes the application to decrypt transmitted data such as the login username and password. | ||
| CVE-2018-17217 | Hig | 0.49 | 7.5 | 0.01 | Oct 1, 2018 | An issue was discovered in PTC ThingWorx Platform 6.5 through 8.2. There is a hardcoded encryption key. | ||
| CVE-2018-14901 | Hig | 0.49 | 7.5 | 0.01 | Aug 30, 2018 | The EPSON iPrint application 6.6.3 for Android contains hard-coded API and Secret keys for the Dropbox, Box, Evernote and OneDrive services. | ||
| CVE-2018-13820 | Hig | 0.49 | 7.5 | 0.01 | Aug 30, 2018 | A hardcoded passphrase, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows attackers to access sensitive information. | ||
| CVE-2018-13819 | Hig | 0.49 | 7.5 | 0.01 | Aug 30, 2018 | A hardcoded secret key, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows attackers to access sensitive information. | ||
| CVE-2018-15491 | Hig | 0.49 | 7.5 | 0.01 | Aug 18, 2018 | A vulnerability in the permission and encryption implementation of Zemana Anti-Logger 1.9.3.527 and prior (fixed in 1.9.3.602) allows an attacker to take control of the whitelisting feature (MyRules2.ini under %LOCALAPPDATA%\Zemana\ZALSDK) to permit execution of unauthorized… | ||
| CVE-2017-13108 | Hig | 0.49 | 7.5 | 0.01 | Aug 15, 2018 | DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key. | ||
| CVE-2017-13107 | Hig | 0.49 | 7.5 | 0.01 | Aug 15, 2018 | Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key. |
- risk 0.49cvss 7.5epss 0.00
The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices.
- risk 0.49cvss 7.5epss 0.00
A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the Windows image build process when using the Nutanix or VMware OVA providers. These credentials, which allow root access, are disabled at the conclusion of the build.…
- risk 0.49cvss 7.5epss 0.00
Use of Hard-coded Credentials vulnerability in PAVO Inc. PAVO Pay allows Read Sensitive Constants Within an Executable. This issue affects PAVO Pay: before 13.05.2025.
- risk 0.49cvss 7.5epss 0.00
A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. The firmware file, rootfs.tar.gz, contains hard-coded credentials for the Twilio API. A remote attacker who obtains a copy of the firmware can extract these credentials. This could allow the…
- risk 0.49cvss 7.5epss 0.00
An issue was discovered on the Audi Universal Traffic Recorder 2.88. It has Susceptibility to denial of service. It uses the same default credentials for all devices and does not implement proper multi-device authentication, allowing attackers to deny the owner access by…
- risk 0.49cvss 7.5epss 0.00
A vulnerability classified as critical was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this vulnerability is an unknown functionality of the component Device Pairing. The manipulation leads to hard-coded credentials. Access to the local network is…
- risk 0.49cvss 7.5epss 0.00
Ubiquiti U7-Pro 7.0.35 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. NOTE: this is disputed by the Supplier because the observation only established that a password is present in a firmware image; however,…
- risk 0.49cvss 7.5epss 0.01
A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x allows attackers to bypass authentication and access internal pages and other sensitive information.
- risk 0.49cvss 7.5epss 0.01
The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five…
- risk 0.49cvss 7.5epss 0.00
'OfferBox' App for Android versions 2.0.0 to 2.3.17 and 'OfferBox' App for iOS versions 2.1.7 to 2.6.14 use a hard-coded secret key for JWT. Secret key for JWT may be retrieved if the application binary is reverse-engineered.
- risk 0.49cvss 7.5epss 0.00
Hardcoded credentials vulnerability in Trellix ePolicy Orchestrator (ePO) on Premise prior to 5.10 Service Pack 1 Update 2 allows an attacker with admin privileges on the ePO server to read the contents of the orion.keystore file, allowing them to access the ePO database…
- risk 0.49cvss 7.5epss 0.00
Use of Hard-coded Credentials vulnerability in Utarit Information Technologies SoliPay Mobile App allows Read Sensitive Strings Within an Executable. This issue affects SoliPay Mobile App: before 5.0.8.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in the MensaMax (aka com.breustedt.mensamax) application 4.3 for Android. The use of a Hard-coded DES Cryptographic Key allows an attacker who decodes the application to decrypt transmitted data such as the login username and password.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in PTC ThingWorx Platform 6.5 through 8.2. There is a hardcoded encryption key.
- risk 0.49cvss 7.5epss 0.01
The EPSON iPrint application 6.6.3 for Android contains hard-coded API and Secret keys for the Dropbox, Box, Evernote and OneDrive services.
- risk 0.49cvss 7.5epss 0.01
A hardcoded passphrase, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows attackers to access sensitive information.
- risk 0.49cvss 7.5epss 0.01
A hardcoded secret key, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows attackers to access sensitive information.
- risk 0.49cvss 7.5epss 0.01
A vulnerability in the permission and encryption implementation of Zemana Anti-Logger 1.9.3.527 and prior (fixed in 1.9.3.602) allows an attacker to take control of the whitelisting feature (MyRules2.ini under %LOCALAPPDATA%\Zemana\ZALSDK) to permit execution of unauthorized…
- risk 0.49cvss 7.5epss 0.01
DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
- risk 0.49cvss 7.5epss 0.01
Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.