VYPR

CWE-798

Use of Hard-coded Credentials

Base · Draft · Likelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 19 of 28
  • CVE-2017-13106 · High · Aug 15, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.

  • CVE-2017-13104 · High · Aug 15, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Uber Technologies, Inc. UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.

  • CVE-2017-13102 · High · Aug 15, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Gameloft Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.

  • CVE-2017-13101 · High · Aug 15, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-10-03, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.

  • CVE-2017-13100 · High · Aug 15, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.

  • CVE-2018-9068 · High · Jul 26, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier…

  • CVE-2018-10167 · High · May 3, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify…

  • CVE-2018-5797 · High · Feb 5, 2018
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is an Smint_encrypt Hardcoded AES Key that can be used for packet decryption (obtaining cleartext credentials) by an attacker who has access to a wired port.

  • CVE-2017-15582 · High · Oct 27, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    In net.MCrypt in the "Diary with lock" (aka WriteDiary) application 4.72 for Android, hardcoded SecretKey and iv variables are used for the AES parameters, which makes it easier for attackers to obtain the cleartext of stored diary entries.

  • CVE-2017-14422 · High · Sep 13, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices use the same hardcoded /etc/stunnel.key private key across different customers' installations, which allows remote attackers to defeat the HTTPS…

  • CVE-2016-5816 · High · Aug 25, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    A Use of Hard-Coded Cryptographic Key issue was discovered in MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The device utilizes hard-coded private cryptographic keys that may allow an attacker to decrypt traffic from any…

  • CVE-2017-9132 · High · May 21, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    A hard-coded credentials issue was discovered on Mimosa Client Radios before 2.2.3, Mimosa Backhaul Radios before 2.2.3, and Mimosa Access Points before 2.2.3. These devices run Mosquitto, a lightweight message broker, to send information between devices. By using the vendor's…

  • CVE-2017-6054 · High · Apr 26, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    A Use of Hard-Coded Cryptographic Key issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. The application uses a hard-coded decryption password to protect sensitive user information.

  • CVE-2017-8077 · High · Apr 23, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    On the TP-Link TL-SG108E 1.0, there is a hard-coded ciphering key (a long string beginning with Ei2HNryt). This affects the 1.1.2 Build 20141017 Rel.50749 firmware.

  • CVE-2016-8754 · High · Apr 2, 2017
    risk 0.49 · cvss 7.5 · epss 0.00

    Huawei OceanStor 5600 V3 V300R003C00 has a hardcoded SSH key vulnerability; the hardcoded keys are used to encrypt communication data and authenticate different nodes of the devices. An attacker may obtain the hardcoded keys and log in to such a device through SSH.

  • CVE-2016-10179 · High · Jan 30, 2017
    risk 0.49 · cvss 7.5 · epss 0.05

    An issue was discovered on the D-Link DWR-932B router. There is a hardcoded WPS PIN of 28296607.

  • CVE-2010-2073 · High · Jun 16, 2010
    risk 0.49 · cvss 7.5 · epss 0.02

    auth_db_config.py in Pyftpd 0.8.4 contains hard-coded usernames and passwords for the (1) test, (2) user, and (3) roxon accounts, which allows remote attackers to read arbitrary files from the FTP server.

  • CVE-2005-3803 · High · Nov 24, 2005
    risk 0.49 · cvss 7.5 · epss 0.02

    Cisco IP Phone (VoIP) 7920 1.0(8) contains certain hard-coded ("fixed") public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information.

  • CVE-2005-3716 · High · Nov 21, 2005
    risk 0.49 · cvss 7.5 · epss 0.02

    The SNMP daemon in UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 has hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information.

  • CVE-2025-1724 · High · Mar 17, 2025
    risk 0.48 · cvss 7.4 · epss 0.01

    Zohocorp's ManageEngine Analytics Plus and Zoho Analytics on-premise versions older than 6130 are vulnerable to an AD only account takeover because of a hardcoded sensitive token.