CWE-798
Use of Hard-coded Credentials
Abstraction: Base | Status: Draft | Likelihood of Exploit: High
Description
The product contains hard-coded credentials, such as a password or cryptographic key.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-191 · CAPEC-70
CVEs mapped to this weakness (354)
Page 4 of 18

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-1393 | Cri | 0.64 | 9.8 | 0.01 | | Mar 5, 2025 | An unauthenticated remote attacker can use hard-coded credentials to gain full administration privileges on the affected product. |
| CVE-2024-57040 | Cri | 0.64 | 9.8 | 0.06 | | Feb 26, 2025 | TP-Link TL-WR845N devices with firmware TL-WR845N(UN)_V4_200909 and TL-WR845N(UN)_V4_190219 were discovered to contain a hardcoded password for the root account which can be obtained by analyzing downloaded firmware or via a brute force attack through physical access to the router. NOTE: The supplier has stated that this issue was fixed in firmware versions 250401 or later. |
| CVE-2025-26410 | Cri | 0.64 | 9.8 | 0.00 | | Feb 11, 2025 | The firmware of all Wattsense Bridge devices contains the same hard-coded user and root credentials. The user password can be easily recovered via password cracking attempts. The recovered credentials can be used to log into the device via the login shell that is exposed by the serial interface. The backdoor user has been removed in firmware BSP >= 6.4.1. |
| CVE-2024-48126 | Cri | 0.64 | 9.8 | 0.00 | | Jan 15, 2025 | HI-SCAN 6040i Hitrax HX-03-19-I was discovered to contain hardcoded credentials for access to vendor support and service access. |
| CVE-2024-4996 | Cri | 0.64 | 9.8 | 0.00 | | Dec 18, 2024 | Use of a hard-coded password for a database administrator account created during Wapro ERP installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is the same among all Wapro ERP installations. This issue affects Wapro ERP Desktop versions before 8.90.0. |
| CVE-2024-54750 | Cri | 0.64 | 9.8 | 0.00 | | Dec 6, 2024 | Ubiquiti U6-LR 6.6.65 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. NOTE: In Ubiquiti's view there is no vulnerability as the Hardcoded Password should be after setup not before. |
| CVE-2024-48539 | Cri | 0.64 | 9.8 | 0.00 | | Oct 24, 2024 | Neye3C v4.5.2.0 was discovered to contain a hardcoded encryption key in the firmware update mechanism. |
| CVE-2024-28747 | Cri | 0.64 | 9.8 | 0.01 | | Jul 9, 2024 | An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges. |
| CVE-2024-39208 | Cri | 0.64 | 9.8 | 0.00 | | Jun 27, 2024 | luci-app-lucky v2.8.3 was discovered to contain hardcoded credentials. |
| CVE-2024-0949 | Cri | 0.64 | 9.8 | 0.00 | | Jun 27, 2024 | Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass. This issue affects Elektraweb: before v17.0.68. |
| CVE-2024-36480 | Cri | 0.64 | 9.8 | 0.00 | | Jun 19, 2024 | Use of hard-coded credentials issue exists in Ricoh Streamline NX PC Client ver.3.7.2 and earlier. If this vulnerability is exploited, an attacker may obtain the LocalSystem Account of the PC where the product is installed. As a result, unintended operations may be performed on the PC. |
| CVE-2024-5514 | Cri | 0.64 | 9.8 | 0.00 | | May 30, 2024 | MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs. |
| CVE-2024-2161 | Cri | 0.64 | 9.8 | 0.00 | | Mar 21, 2024 | Use of Hard-coded Credentials in Kiloview NDI allows unauthenticated users to bypass authentication. This issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227. |
| CVE-2017-17107 | Cri | 0.64 | 9.8 | 0.04 | | Dec 19, 2017 | Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1029 password for the root user. The SONIX operating system's setup renders this password unchangeable and it can be used to access the device via a TELNET session. |
| CVE-2017-3186 | Cri | 0.64 | 9.8 | 0.10 | | Dec 16, 2017 | ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC use non-random default credentials across all devices. A remote attacker can take complete control of a device using default admin credentials. |
| CVE-2017-14374 | Cri | 0.64 | 9.8 | 0.01 | | Dec 6, 2017 | The SMI-S service in Dell Storage Manager versions earlier than 16.3.20 (aka 2016 R3.20) is protected using a hard-coded password. A remote user with knowledge of the password might potentially disable the SMI-S service via HTTP requests, affecting storage management and monitoring functionality via the SMI-S interface. This issue, aka DSM-30415, only affects a Windows installation of the Data Collector (not applicable to the virtual appliance). |
| CVE-2017-14027 | Cri | 0.64 | 9.8 | 0.00 | | Nov 1, 2017 | A Use of Hard-coded Credentials issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G version 1.4a, JetNet5428G-2G-2FX version 1.4, JetNet5628G-R version 1.4, JetNet5628G version 1.4, JetNet5728G-24P version 1.4, JetNet5828G version 1.1d, JetNet6710G-HVDC version 1.1e, and JetNet6710G version 1.1. The software uses undocumented hard-coded credentials that may allow an attacker to gain remote access. |
| CVE-2017-14021 | Cri | 0.64 | 9.8 | 0.00 | | Nov 1, 2017 | A Use of Hard-coded Cryptographic Key issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G version 1.4a, JetNet5428G-2G-2FX version 1.4, JetNet5628G-R version 1.4, JetNet5628G version 1.4, JetNet5728G-24P version 1.4, JetNet5828G version 1.1d, JetNet6710G-HVDC version 1.1e, and JetNet6710G version 1.1. An attacker may gain access to hard-coded certificates and private keys, allowing the attacker to perform man-in-the-middle attacks. |
| CVE-2017-15909 | Cri | 0.64 | 9.8 | 0.01 | | Oct 26, 2017 | D-Link DGS-1500 Ax devices before 2.51B021 have a hardcoded password, which allows remote attackers to obtain shell access. |
| CVE-2017-12860 | Cri | 0.64 | 9.8 | 0.03 | | Oct 10, 2017 | The Epson "EasyMP" software is designed to remotely stream a user's computer to supporting projectors. These devices are authenticated using a unique 4-digit code, displayed on-screen, ensuring only those who can view it are streaming. In addition to the password, each projector has a hardcoded "backdoor" code (2270), which authenticates to all devices. |