CWE-798
Use of Hard-coded Credentials
Description
The product contains hard-coded credentials, such as a password or cryptographic key.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-191 · CAPEC-70
CVEs mapped to this weakness (556)
Page 4 of 28

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-47796 | | Cri | 0.64 | 9.8 | 0.01 | | Jan 16, 2026 | Denver SHC-150 Smart Wifi Camera contains a hardcoded telnet credential vulnerability that allows unauthenticated attackers to access a Linux shell. Attackers can connect to port 23 using the default credential to execute arbitrary commands on the camera's operating system. |
| CVE-2025-6950 | | Cri | 0.64 | — | 0.01 | | Oct 17, 2025 | A Use of Hard-coded Credentials vulnerability has been identified in Moxa’s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated… |
| CVE-2025-10850 | — | Cri | 0.64 | 9.8 | 0.01 | | Oct 16, 2025 | The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it… |
| CVE-2025-11126 | | Cri | 0.64 | 9.8 | 0.01 | | Sep 29, 2025 | A security flaw has been discovered in Apeman ID71 218.53.203.117. This vulnerability affects unknown code of the file /system/www/system.ini. The manipulation results in hard-coded credentials. The attack may be performed from remote. The exploit has been released to the public… |
| CVE-2025-57602 | | Cri | 0.64 | 9.8 | 0.00 | | Sep 22, 2025 | Insufficient hardening of the proxyuser account in the AiKaan IoT management platform, combined with the use of a shared, hardcoded SSH private key, allows remote attackers to authenticate to the cloud controller, gain interactive shell access, and pivot into other connected IoT… |
| CVE-2025-57601 | | Cri | 0.64 | 9.8 | 0.00 | | Sep 22, 2025 | AiKaan Cloud Controller uses a single hardcoded SSH private key and the username `proxyuser` for remote terminal access to all managed IoT/edge devices. When an administrator initiates "Open Remote Terminal" from the AiKaan dashboard, the controller sends this same static… |
| CVE-2025-8570 | | Cri | 0.64 | 9.8 | 0.01 | | Sep 11, 2025 | The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determine_current_user filter in versions 1.4.2 through 3.0.1. This makes it possible for unauthenticated attackers to craft… |
| CVE-2025-8857 | | Cri | 0.64 | 9.8 | 0.00 | | Aug 29, 2025 | Clinic Image System developed by Changing contains hard-coded Credentials, allowing unauthenticated remote attackers to log into the system using administrator credentials embedded in the source code. |
| CVE-2025-43982 | | Cri | 0.64 | 9.8 | 0.00 | | Aug 13, 2025 | Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices enable the SSH service by default. There is a hidden hard-coded root account that cannot be disabled in the GUI. |
| CVE-2025-30125 | | Cri | 0.64 | 9.8 | 0.00 | | Jul 28, 2025 | An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. All dashcams were shipped with the same default credentials of 12345678, which creates an insecure-by-default condition. For users who change their passwords, it's limited to 8 characters. These short passwords… |
| CVE-2025-52376 | | Cri | 0.64 | 9.8 | 0.09 | | Jul 15, 2025 | An authentication bypass vulnerability in the /web/um_open_telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below, allowing an attacker to remotely enable the Telnet service without authentication, bypassing security controls. The Telnet server… |
| CVE-2025-7401 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 11, 2025 | The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. This… |
| CVE-2025-37103 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 8, 2025 | Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication. Successful exploitation could allow a remote attacker to gain administrative access to the system. |
| CVE-2025-46352 | | Cri | 0.64 | 9.8 | 0.01 | | May 30, 2025 | The CS5000 Fire Panel is vulnerable due to a hard-coded password that runs on a VNC server and is visible as a string in the binary responsible for running VNC. This password cannot be altered, allowing anyone with knowledge of it to gain remote access to the panel. Such … |
| CVE-2025-46274 | — | Cri | 0.64 | 9.8 | 0.00 | | Apr 24, 2025 | UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to read, manipulate and create entries in the managed database. |
| CVE-2025-46273 | | Cri | 0.64 | 9.8 | 0.00 | | Apr 24, 2025 | UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to gain administrative privileges to all UNI-NMS managed devices. |
| CVE-2025-30137 | | Cri | 0.64 | 9.8 | 0.00 | | Mar 18, 2025 | An issue was discovered in the G-Net GNET APK 2.6.2. Hardcoded credentials exist in the APK for ports 9091 and 9092. The GNET mobile application contains hardcoded credentials that provide unauthorized access to the dashcam's API endpoints on ports 9091 and 9092. Once the GNET… |
| CVE-2025-30123 | | Cri | 0.64 | 9.8 | 0.00 | | Mar 18, 2025 | An issue was discovered on ROADCAM X3 devices. The mobile app APK (Viidure) contains hardcoded FTP credentials for the FTPX user account, enabling attackers to gain unauthorized access and extract sensitive recorded footage from the device. |
| CVE-2025-30122 | | Cri | 0.64 | 9.8 | 0.00 | | Mar 18, 2025 | An issue was discovered on ROADCAM X3 devices. It has a uniform default credential set that cannot be modified by users, making it easy for attackers to gain unauthorized access to multiple devices. |
| CVE-2025-1393 | — | Cri | 0.64 | 9.8 | 0.01 | | Mar 5, 2025 | An unauthenticated remote attacker can use hard-coded credentials to gain full administration privileges on the affected product. |