VYPR

CWE-798

Use of Hard-coded Credentials

Base · Draft · Likelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 23 of 28
  • CVE-2025-0642 · Med · Oct 2, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    Use of Hard-coded Credentials, Authorization Bypass Through User-Controlled Key vulnerability in PosCube Hardware Software and Consulting Ltd. Co. Assist allows Excavation, Authentication Bypass. This issue affects Assist: through 10.02.2025.

  • CVE-2025-55449 · Hig · May 8, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.

  • CVE-2025-41380 · Med · May 23, 2025
    risk 0.40 · cvss · epss 0.00

    Iridium Certus 700 version 1.0.1 has an embedded credentials vulnerability in the code. This vulnerability allows a local user to retrieve the SSH hash string.

  • CVE-2024-27161 · Med · Jun 14, 2024
    risk 0.40 · cvss 6.2 · epss 0.00

    All the Toshiba printers have programs containing a hardcoded key used to encrypt files. An attacker can decrypt the encrypted files using the hardcoded key. An insecure algorithm is used for the encryption. This vulnerability can be executed in combination with other…

  • CVE-2024-27160 · Med · Jun 14, 2024
    risk 0.40 · cvss 6.2 · epss 0.00

    All the Toshiba printers contain a shell script using the same hardcoded key to encrypt logs. An attacker can decrypt the encrypted files using the hardcoded key. This vulnerability can be executed in combination with other vulnerabilities and is difficult to execute alone. So,…

  • CVE-2024-27159 · Med · Jun 14, 2024
    risk 0.40 · cvss 6.2 · epss 0.00

    All the Toshiba printers contain a shell script using the same hardcoded key to encrypt logs. An attacker can decrypt the encrypted files using the hardcoded key. This vulnerability can be executed in combination with other vulnerabilities and is difficult to execute alone. So,…

  • CVE-2022-23650 · Hig · Feb 18, 2022
    risk 0.40 · cvss 7.2 · epss 0.02

    Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 010.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter know…

  • CVE-2018-14801 · Med · Aug 22, 2018
    risk 0.40 · cvss 6.2 · epss 0.00

    In Philips PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs, all versions prior to May 2018, an attacker with both the superuser password and physical access can enter the superuser password that can be used to access and modify all settings on the device, as well as allow…

  • CVE-2026-47255 · hig · May 29, 2026
    risk 0.39 · cvss · epss 0.00

    The current upstream main branch at commit 7e0206d was reviewed, and the fix-first patch set was rebased on 2026-05-18. The patches cover: validated and bound inactive-agent hour filtering; storage SQL identifier validation; metadata-backed ownership checks for raw storage SQL;…

  • CVE-2025-37112 · Med · Jul 31, 2025
    risk 0.39 · cvss 6.0 · epss 0.00

    A vulnerability was discovered in the storage policy for certain sets of encryption keys in the HPE Telco Network Function Virtual Orchestrator. Successful Exploitation could lead to unauthorized parties gaining access to sensitive system information.

  • CVE-2025-37111 · Med · Jul 31, 2025
    risk 0.39 · cvss 6.0 · epss 0.00

    A vulnerability was discovered in the storage policy for certain sets of authentication keys in the HPE Telco Network Function Virtual Orchestrator. Successful Exploitation could lead to unauthorized parties gaining access to sensitive system information.

  • CVE-2026-36616 · Med · Jun 3, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary.

  • CVE-2025-10609 · Med · Oct 3, 2025
    risk 0.38 · cvss 5.9 · epss 0.00

    Use of Hard-coded Credentials vulnerability in Logo Software Inc. TigerWings ERP allows Read Sensitive Constants Within an Executable. This issue affects TigerWings ERP: from 01.01.00 before 3.03.00.

  • CVE-2018-1742 · Med · Oct 8, 2018
    risk 0.38 · cvss 5.9 · epss 0.00

    IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 148421.

  • CVE-2018-16546 · Med · Sep 5, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    Amcrest networked devices use the same hardcoded SSL private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation, as demonstrated by…

  • CVE-2018-12240 · Med · Aug 29, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    The Norton Identity Safe product prior to 5.3.0.976 may be susceptible to a privilege escalation issue via a hard coded IV, which is a type of vulnerability that can potentially increase the likelihood of encrypted data being recovered without adequate credentials.

  • CVE-2024-3130 · Med · Apr 1, 2024
    risk 0.37 · cvss 5.7 · epss 0.00

    Hard-coded credentials in the CoolKit eWeLink app before 5.4.x on Android and iOS allow a local attacker to gain unauthorized access to sensitive data via the decryption algorithm and key obtained after decompiling the app.

  • CVE-2026-6578 · Med · Apr 19, 2026
    risk 0.36 · cvss 5.6 · epss 0.00

    A security flaw has been discovered in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component Setting Handler. The manipulation of the argument SECRET_KEY results in hard-coded credentials. The attack can be…

  • CVE-2016-20031 · Med · Mar 16, 2026
    risk 0.36 · cvss 5.5 · epss 0.00

    ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback…

  • CVE-2025-23179 · Med · Apr 29, 2025
    risk 0.36 · cvss 5.5 · epss 0.00

    CWE-798: Use of Hard-coded Credentials