VYPR

CWE-798

Use of Hard-coded Credentials

Base · Draft · Likelihood: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 4 of 28
  • CVE-2021-47796 · Cri · Jan 16, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    Denver SHC-150 Smart Wifi Camera contains a hardcoded telnet credential vulnerability that allows unauthenticated attackers to access a Linux shell. Attackers can connect to port 23 using the default credential to execute arbitrary commands on the camera's operating system.

  • CVE-2025-6950 · Cri · Oct 17, 2025
    risk 0.64 · cvss · epss 0.01

    A Use of Hard-coded Credentials vulnerability has been identified in Moxa’s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated…

  • CVE-2025-10850 · Cri · Oct 16, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it…

  • CVE-2025-11126 · Cri · Sep 29, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    A security flaw has been discovered in Apeman ID71 218.53.203.117. This vulnerability affects unknown code of the file /system/www/system.ini. The manipulation results in hard-coded credentials. The attack may be performed from remote. The exploit has been released to the public…

  • CVE-2025-57602 · Cri · Sep 22, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    Insufficient hardening of the proxyuser account in the AiKaan IoT management platform, combined with the use of a shared, hardcoded SSH private key, allows remote attackers to authenticate to the cloud controller, gain interactive shell access, and pivot into other connected IoT…

  • CVE-2025-57601 · Cri · Sep 22, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    AiKaan Cloud Controller uses a single hardcoded SSH private key and the username `proxyuser` for remote terminal access to all managed IoT/edge devices. When an administrator initiates "Open Remote Terminal" from the AiKaan dashboard, the controller sends this same static…

  • CVE-2025-8570 · Cri · Sep 11, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determine_current_user filter in versions 1.4.2 through 3.0.1. This makes it possible for unauthenticated attackers to craft…

  • CVE-2025-8857 · Cri · Aug 29, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    Clinic Image System developed by Changing contains hard-coded credentials, allowing unauthenticated remote attackers to log into the system using administrator credentials embedded in the source code.

  • CVE-2025-43982 · Cri · Aug 13, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices enable the SSH service by default. There is a hidden hard-coded root account that cannot be disabled in the GUI.

  • CVE-2025-30125 · Cri · Jul 28, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. All dashcams were shipped with the same default credentials of 12345678, which creates an insecure-by-default condition. For users who change their passwords, it's limited to 8 characters. These short passwords…

  • CVE-2025-52376 · Cri · Jul 15, 2025
    risk 0.64 · cvss 9.8 · epss 0.09

    An authentication bypass vulnerability in the /web/um_open_telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below allows an attacker to remotely enable the Telnet service without authentication, bypassing security controls. The Telnet server…

  • CVE-2025-7401 · Cri · Jul 11, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. This…

  • CVE-2025-37103 · Cri · Jul 8, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication. Successful exploitation could allow a remote attacker to gain administrative access to the system.

  • CVE-2025-46352 · Cri · May 30, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    The CS5000 Fire Panel is vulnerable due to a hard-coded password that runs on a VNC server and is visible as a string in the binary responsible for running VNC. This password cannot be altered, allowing anyone with knowledge of it to gain remote access to the panel. Such …

  • CVE-2025-46274 · Cri · Apr 24, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to read, manipulate and create entries in the managed database.

  • CVE-2025-46273 · Cri · Apr 24, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to gain administrative privileges to all UNI-NMS managed devices.

  • CVE-2025-30137 · Cri · Mar 18, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    An issue was discovered in the G-Net GNET APK 2.6.2. Hardcoded credentials exist in the APK for ports 9091 and 9092. The GNET mobile application contains hardcoded credentials that provide unauthorized access to the dashcam's API endpoints on ports 9091 and 9092. Once the GNET…

  • CVE-2025-30123 · Cri · Mar 18, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    An issue was discovered on ROADCAM X3 devices. The mobile app APK (Viidure) contains hardcoded FTP credentials for the FTPX user account, enabling attackers to gain unauthorized access and extract sensitive recorded footage from the device.

  • CVE-2025-30122 · Cri · Mar 18, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    An issue was discovered on ROADCAM X3 devices. It has a uniform default credential set that cannot be modified by users, making it easy for attackers to gain unauthorized access to multiple devices.

  • CVE-2025-1393 · Cri · Mar 5, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    An unauthenticated remote attacker can use hard-coded credentials to gain full administration privileges on the affected product.