VYPR

CWE-798

Use of Hard-coded Credentials

BaseDraftLikelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 3 of 28
  • CVE-2026-45039CriMay 28, 2026
    risk 0.64cvss 9.8epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in…

  • CVE-2026-24444CriMay 28, 2026
    risk 0.64cvss 9.8epss 0.01

    SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 contain a hardcoded password vulnerability in the web management interface recovery endpoints (mgmt.php, npcmd.php) that allows unauthenticated attackers to gain root access by submitting the hardcoded…

  • CVE-2026-9139CriMay 20, 2026
    risk 0.64cvss 9.8epss 0.00

    Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing static plaintext credentials in the…

  • CVE-2026-8605CriMay 19, 2026
    risk 0.64cvss 9.8epss 0.00

    In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.

  • CVE-2026-40636CriMay 11, 2026
    risk 0.64cvss 9.8epss 0.00

    Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains a use of hard-coded credentials vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to filesystem access for…

  • CVE-2026-7414CriMay 7, 2026
    risk 0.64cvss 9.8epss 0.01

    Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management…

  • CVE-2026-42376CriMay 4, 2026
    risk 0.64cvss 9.8epss 0.00

    D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /etc/init0.d/S80telnetd.sh with the username "Alphanetworks" and the static password "whdrv01_dlob_dir456U" read from…

  • CVE-2026-42375CriMay 4, 2026
    risk 0.64cvss 9.8epss 0.00

    D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir600l" read from /etc/alpha_config/image_sign. The…

  • CVE-2026-42374CriMay 4, 2026
    risk 0.64cvss 9.8epss 0.00

    D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn61_dlwbr_dir600L" read from /etc/alpha_config/image_sign. The…

  • CVE-2026-42373CriMay 4, 2026
    risk 0.64cvss 9.8epss 0.00

    D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn76_dlwbr_dir605L" read from /etc/alpha_config/image_sign.…

  • CVE-2026-41446CriApr 28, 2026
    risk 0.64cvss 9.8epss 0.00

    Snap One WattBox 800 and 820 series firmware versions prior to 2.10.0.0 contain undisclosed diagnostic HTTP endpoints that require only the device MAC address and service tag for authentication, both of which are printed in plaintext on the physical device label. Attackers with…

  • CVE-2026-35503CriApr 24, 2026
    risk 0.64cvss 9.8epss 0.01

    A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page…

  • CVE-2026-23781CriApr 10, 2026
    risk 0.64cvss 9.8epss 0.00

    An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API…

  • CVE-2017-20234CriApr 3, 2026
    risk 0.64cvss 9.8epss 0.00

    GarrettCom Magnum 6K and 10K managed switches contain an authentication bypass vulnerability that allows unauthenticated attackers to gain unauthorized access by exploiting a hardcoded string in the authentication mechanism. Attackers can bypass login controls to access…

  • CVE-2025-9497CriMar 28, 2026
    risk 0.64cvss 9.8epss 0.00

    Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0.

  • CVE-2016-20026CriMar 16, 2026
    risk 0.64cvss 9.8epss 0.01

    ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives…

  • CVE-2026-24448CriMar 11, 2026
    risk 0.64cvss 9.8epss 0.00

    Use of hard-coded credentials issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to obtain administrative access.

  • CVE-2025-67304CriFeb 19, 2026
    risk 0.64cvss 9.8epss 0.00

    In Ruckus Network Director (RND) < 4.5.0.54, the OVA appliance contains hardcoded credentials for the ruckus PostgreSQL database user. In the default configuration, the PostgreSQL service is accessible over the network on TCP port 5432. An attacker can use the hardcoded…

  • CVE-2026-23647CriFeb 17, 2026
    risk 0.64cvss 9.8epss 0.01

    Glory RBG-100 recycler systems using the ISPK-08 software component contain hard-coded operating system credentials that allow remote authentication to the underlying Linux system. Multiple local user accounts, including accounts with administrative privileges, were found to…

  • CVE-2026-1221CriJan 20, 2026
    risk 0.64cvss 9.8epss 0.00

    PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded database credentials stored in the firmware.