VYPR

CWE-798

Use of Hard-coded Credentials

Abstraction: Base · Status: Draft · Likelihood of exploit: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 2 of 28
  • CVE-2025-69425 · Critical · Jan 9, 2026
    risk 0.65 · cvss n/a · epss 0.01

    The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static…

  • CVE-2025-42890 · Critical · Nov 11, 2025
    risk 0.65 · cvss 10.0 · epss 0.01

    SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution. This could cause high impact on confidentiality, integrity and availability of the…

  • CVE-2025-7503 · Critical · Jul 11, 2025
    risk 0.65 · cvss n/a · epss 0.01

    An OEM IP camera manufactured by Shenzhen Liandian Communication Technology LTD exposes a Telnet service (port 23) with undocumented, default credentials. The Telnet service is enabled by default and is not disclosed or configurable via the device’s web interface or user…

  • CVE-2025-4378 · Critical · Jun 24, 2025
    risk 0.65 · cvss 10.0 · epss 0.00

    Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile Application allows Authentication Abuse, Authentication Bypass. This issue affects ATA-AOF Mobile Application: before 20.06.2025.

  • CVE-2025-25570 · Critical · Feb 27, 2025
    risk 0.65 · cvss 9.8 · epss 0.02

    Vue Vben Admin 2.10.1 allows unauthorized login to the backend due to an issue with hardcoded credentials.

  • CVE-2024-42450 · Critical · Nov 19, 2024
    risk 0.65 · cvss 10.0 · epss 0.01

    The Versa Director uses PostgreSQL (Postgres) to store operational and configuration data. It is also needed for High Availability function of the Versa Director. The default configuration has a common password across all instances of Versa Director. By default, Versa Director…

  • CVE-2017-14728 · Critical · Jun 3, 2019
    risk 0.65 · cvss 9.8 · epss 0.06

    An authentication bypass was found in an unknown area of the SiteOmat source code. All SiteOmat BOS versions are affected, prior to the submission of this exploit. Also, the SiteOmat does not force administrators to switch passwords, leaving SSH and HTTP remote authentication…

  • CVE-2018-0222 · Critical · May 17, 2018
    risk 0.65 · cvss 10.0 · epss 0.04

    A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to log in to an affected system by using an administrative account that has default, static user credentials. The vulnerability is due to the presence of…

  • CVE-2016-9335 · Critical · May 9, 2018
    risk 0.65 · cvss 10.0 · epss 0.02

    A hard-coded cryptographic key vulnerability was identified in Red Lion Controls Sixnet-Managed Industrial Switches running firmware Version 5.0.196 and Stride-Managed Ethernet Switches running firmware Version 5.0.190. Vulnerable versions of Stride-Managed Ethernet switches and…

  • CVE-2018-1216 · Critical · Mar 8, 2018
    risk 0.65 · cvss 9.8 · epss 0.22

    A hard-coded password vulnerability was discovered in vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement): Dell EMC Unisphere for VMAX Virtual Appliance…

  • CVE-2017-8011 · Critical · Jul 17, 2017
    risk 0.65 · cvss 9.8 · epss 0.14

    EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R for SAS Solution Packs (EMC ViPR SRM prior to 4.1, EMC Storage M&R prior to 4.1, EMC VNX M&R all versions, EMC M&R (Watch4Net) for SAS Solution Packs all versions) contain undocumented accounts with default passwords for…

  • CVE-2017-2343 · Critical · Jul 17, 2017
    risk 0.65 · cvss 10.0 · epss 0.03

    The Integrated User Firewall (UserFW) feature was introduced in Junos OS version 12.1X47-D10 on the Juniper SRX Series devices to provide simple integration of user profiles on top of the existing firewall policies. As part of an internal security review of the UserFW services…

  • CVE-2010-1573 · Critical · Jun 10, 2010
    risk 0.65 · cvss 9.8 · epss 0.21

    Linksys WAP54Gv3 firmware 3.04.03 and earlier uses a hard-coded username (Gemtek) and password (gemtekswd) for a debug interface for certain web pages, which allows remote attackers to execute arbitrary commands via the (1) data1, (2) data2, or (3) data3 parameters to (a)…

  • CVE-2026-10557 · Critical · Jun 12, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud…

  • CVE-2026-11849 · Critical · Jun 12, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    The iRM-IEI Remote Management developed by IEI Integration Corp has a Hardcoded Credentials vulnerability, allowing unauthenticated remote attackers to exploit hard-coded credentials to gain administrative privileges on the database.

  • CVE-2026-11414 · Critical · Jun 5, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and…

  • CVE-2025-71317 · Critical · Jun 5, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    NetMan 204 contains a hard-coded backdoor account with the username and password 'eurek' that grants administrative access. A remote, unauthenticated attacker can authenticate through the cgi-bin/login.cgi endpoint (for example /cgi-bin/login.cgi?username=eurek&password=eurek,…

  • CVE-2026-7786 · Critical · May 29, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter device firmware contains plaintext administrative credentials embedded in the firmware image. These credentials can be extracted through firmware analysis and used to authenticate to device…

  • CVE-2026-46376 · Critical · May 29, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if these were not immediately changed by the Administrator who enabled UCP.…

  • CVE-2026-49201 · Critical · May 29, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection.