CWE-798
Use of Hard-coded Credentials
Description
The product contains hard-coded credentials, such as a password or cryptographic key.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-191 · CAPEC-70
CVEs mapped to this weakness (556)
Page 5 of 28

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-57040 | — | Cri | 0.64 | 9.8 | 0.01 | | Feb 26, 2025 | TP-Link TL-WR845N devices with firmware TL-WR845N(UN)_V4_200909 and TL-WR845N(UN)_V4_190219 were discovered to contain a hardcoded password for the root account which can be obtained by analyzing downloaded firmware or via a brute force attack through physical access to the… |
| CVE-2025-26410 | — | Cri | 0.64 | 9.8 | 0.01 | | Feb 11, 2025 | The firmware of all Wattsense Bridge devices contains the same hard-coded user and root credentials. The user password can be easily recovered via password cracking attempts. The recovered credentials can be used to log into the device via the login shell that is exposed by the… |
| CVE-2024-48126 | — | Cri | 0.64 | 9.8 | 0.00 | | Jan 15, 2025 | HI-SCAN 6040i Hitrax HX-03-19-I was discovered to contain hardcoded credentials for access to vendor support and service access. |
| CVE-2024-4996 | — | Cri | 0.64 | 9.8 | 0.01 | | Dec 18, 2024 | Use of a hard-coded password for a database administrator account created during Wapro ERP installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is the same among all Wapro ERP installations. This issue affects Wapro ERP Desktop… |
| CVE-2024-54750 | — | Cri | 0.64 | 9.8 | 0.00 | | Dec 6, 2024 | Ubiquiti U6-LR 6.6.65 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. NOTE: In Ubiquiti's view there is no vulnerability as the Hardcoded Password should be after setup not before. |
| CVE-2024-48539 | — | Cri | 0.64 | 9.8 | 0.00 | | Oct 24, 2024 | Neye3C v4.5.2.0 was discovered to contain a hardcoded encryption key in the firmware update mechanism. |
| CVE-2024-6656 | — | Cri | 0.64 | 9.8 | 0.00 | | Sep 13, 2024 | Use of Hard-coded Credentials vulnerability in TNB Mobile Solutions Cockpit Software allows Read Sensitive Strings Within an Executable. This issue affects Cockpit Software: before v2.13. |
| CVE-2024-28747 | — | Cri | 0.64 | 9.8 | 0.01 | | Jul 9, 2024 | An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges. |
| CVE-2024-39208 | — | Cri | 0.64 | 9.8 | 0.01 | | Jun 27, 2024 | luci-app-lucky v2.8.3 was discovered to contain hardcoded credentials. |
| CVE-2024-0949 | — | Cri | 0.64 | 9.8 | 0.01 | | Jun 27, 2024 | Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass. This issue affects Elektraweb: before v17.0.68. |
| CVE-2024-36480 | — | Cri | 0.64 | 9.8 | 0.00 | | Jun 19, 2024 | Use of hard-coded credentials issue exists in Ricoh Streamline NX PC Client ver.3.7.2 and earlier. If this vulnerability is exploited, an attacker may obtain the LocalSystem Account of the PC where the product is installed. As a result, unintended operations may be performed on the… |
| CVE-2024-5514 | — | Cri | 0.64 | 9.8 | 0.01 | | May 30, 2024 | MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend… |
| CVE-2024-2161 | — | Cri | 0.64 | 9.8 | 0.01 | | Mar 21, 2024 | Use of Hard-coded Credentials in Kiloview NDI allows un-authenticated users to bypass authentication. This issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227. |
| CVE-2020-6990 | — | Cri | 0.64 | 9.8 | 0.04 | | Mar 16, 2020 | Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior: The cryptographic key utilized to help protect the account password is hard coded into the… |
| CVE-2018-15427 | — | Cri | 0.64 | 9.8 | 0.07 | | Oct 5, 2018 | A vulnerability in Cisco Video Surveillance Manager (VSM) Software running on certain Cisco Connected Safety and Security Unified Computing System (UCS) platforms could allow an unauthenticated, remote attacker to log in to an affected system by using the root account, which has… |
| CVE-2018-15389 | — | Cri | 0.64 | 9.8 | 0.02 | | Oct 5, 2018 | A vulnerability in the install function of Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated, remote attacker to access the administrative web interface using a default hard-coded username and password that are used during install. The vulnerability is… |
| CVE-2018-8856 | — | Cri | 0.64 | 9.8 | 0.01 | | Sep 26, 2018 | Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The software contains a hard-coded cryptographic key, which it uses for encryption of internal data. |
| CVE-2018-16957 | — | Cri | 0.64 | 9.8 | 0.03 | | Sep 18, 2018 | The Oracle WebCenter Interaction 10.3.3 search service queryd.exe binary is compiled with the i1g2s3c4 hardcoded password. Authentication to the Oracle WCI search service uses this hardcoded password and cannot be customised by customers. An adversary able to access this service… |
| CVE-2017-9821 | — | Cri | 0.64 | 9.8 | 0.01 | | Aug 24, 2018 | The National Payments Corporation of India BHIM application 1.3 for Android relies on three hardcoded strings (AK-NPCIMB, IM-NPCIBM, and VK-NPCIBM) for SMS validation, which makes it easier for attackers to bypass authentication. |
| CVE-2017-12577 | — | Cri | 0.64 | 9.8 | 0.01 | | Aug 24, 2018 | An issue was discovered on the PLANEX CS-QR20 1.30. A hardcoded account / password ("admin:password") is used in the Android application that allows attackers to use a hidden API URL "/goform/SystemCommand" to execute any command with root permission. |