VYPR

CWE-798

Use of Hard-coded Credentials

Abstraction: Base · Status: Draft · Likelihood of Exploit: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.
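The weakness in its smallest form, beside the fix, as an added example that is not part of this CWE entry and not code from any product listed on this page. The vulnerable function carries the password as a literal in the source, so every copy of the program (binary, firmware image, repository) hands out the same working credential. The hardened function loads a salted PBKDF2 record from outside the code (an environment variable named ADMIN_PASSWORD_HASH, an assumption for illustration; a secret store or per-device provisioning in practice), compares in constant time, and fails closed when no record is configured. All names and password values are constructed.

```python
"""Added example (not from the CWE entry or any product listed on this page):
a login check with a hard-coded password beside a hardened version that
keeps only a salted PBKDF2 hash, loaded from the environment, and compares
it in constant time.  Every name, password and hash here is constructed."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# --- CWE-798: the weak form -------------------------------------------------
# The secret ships inside the program.  Anyone who can read the firmware
# image or the repository gets a credential that works on every install.
HARDCODED_ADMIN_PASSWORD = "s3cr3t-factory-pass"   # constructed placeholder

def login_hardcoded(username: str, password: str) -> bool:
    # Plain '==' also leaks how much of the prefix matched via timing.
    return username == "admin" and password == HARDCODED_ADMIN_PASSWORD


# --- Hardened form ----------------------------------------------------------
PBKDF2_ITERATIONS = 600_000   # slows offline guessing if the record leaks

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    except ValueError:          # malformed record: treat as no credential
        return False
    return hmac.compare_digest(actual, expected)

def login_hardened(username: str, password: str, env: Optional[dict] = None) -> bool:
    """The credential record comes from ADMIN_PASSWORD_HASH (assumed name),
    never from a literal in the source.  Missing configuration fails closed."""
    env = os.environ if env is None else env
    stored = env.get("ADMIN_PASSWORD_HASH")
    if username != "admin" or not stored:
        return False
    return verify_password(password, stored)

if __name__ == "__main__":
    print(login_hardcoded("admin", "s3cr3t-factory-pass"))   # anyone with the image knows this
    env = {"ADMIN_PASSWORD_HASH": hash_password("per-install-password")}
    print(login_hardened("admin", "per-install-password", env))
    print(login_hardened("admin", "s3cr3t-factory-pass", env))
    print(login_hardened("admin", "anything", {}))             # no record configured
```

The record format is deliberately self-describing so the iteration count can be raised later without breaking existing entries; a record with an unexpected algorithm or garbled fields is rejected rather than guessed at.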

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 (Read Sensitive Constants Within an Executable) · CAPEC-70 (Try Common or Default Usernames and Passwords)

CVEs mapped to this weakness (556)

page 7 of 28
  • CVE-2018-11482 · Critical · May 30, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    /usr/lib/lua/luci/websys.lua on TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices has a hardcoded zMiVw8Kw0oxKXL0 password.

  • CVE-2018-9112 · Critical · May 10, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    A low privileged admin account with a weak default password of admin exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15. In addition, its web management page relies on the existence or values of cookies when performing security-critical operations. One…

  • CVE-2017-17540 · Critical · May 8, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    The presence of a hardcoded account in Fortinet FortiWLC 8.3.3 allows attackers to gain unauthorized read/write access via a remote shell.

  • CVE-2017-17539 · Critical · May 8, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    The presence of a hardcoded account in Fortinet FortiWLC 7.0.11 and earlier allows attackers to gain unauthorized read/write access via a remote shell.

  • CVE-2018-10723 · Critical · May 5, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql.

  • CVE-2018-6401 · Critical · May 2, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    Meross MSS110 devices before 1.1.24 contain a TELNET listener providing access for an undocumented admin account with a blank password.

  • CVE-2018-7241 · Critical · Apr 18, 2018
    risk 0.64 · cvss 9.8 · epss 0.04

    Hard coded accounts exist in Schneider Electric's Modicon Premium, Modicon Quantum, Modicon M340, and BMXNOR0200 controllers in all versions of the communication modules.

  • CVE-2014-3413 · Critical · Apr 5, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    The MySQL server in Juniper Networks Junos Space before 13.3R1.8 has an unspecified account with a hardcoded password, which allows remote attackers to obtain sensitive information and consequently obtain administrative control by leveraging database access.

  • CVE-2016-8717 · Critical · Apr 2, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    An exploitable Use of Hard-coded Credentials vulnerability exists in the Moxa AWK-3131A Wireless Access Point running firmware 1.1. The device operating system contains an undocumented, privileged (root) account with hard-coded credentials, giving attackers full control of…

  • CVE-2018-0150 · Critical · Mar 28, 2018
    risk 0.64 · cvss 9.8 · epss 0.05

    A vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default username and password that are used at initial boot, aka a Static Credential Vulnerability. The…

  • CVE-2018-5768 · Critical · Mar 20, 2018
    risk 0.64 · cvss 9.8 · epss 0.04

    A remote, unauthenticated attacker can gain remote code execution on the Tenda AC15 router with a specially crafted password parameter for the COOKIE header.

  • CVE-2017-14008 · Critical · Mar 20, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    GE Centricity PACS RA1000 diagnostic image analysis, all current versions, is affected; these devices use default or hard-coded credentials. Successful exploitation of this vulnerability may allow a remote attacker to bypass authentication and gain access to the affected devices.

  • CVE-2017-14006 · Critical · Mar 20, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    GE Xeleris versions 1.0, 1.1, 2.1, 3.0, 3.1 medical imaging systems, all current versions, are affected; these devices use default or hard-coded credentials. Successful exploitation of this vulnerability may allow a remote attacker to bypass authentication and gain access to the…

  • CVE-2017-14004 · Critical · Mar 20, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    GE GEMNet License server (EchoServer), all current versions, is affected; these devices use default or hard-coded credentials. Successful exploitation of this vulnerability may allow a remote attacker to bypass authentication and gain access to the affected devices.

  • CVE-2017-14002 · Critical · Mar 20, 2018
    risk 0.64 · cvss 9.8 · epss 0.05

    GE Infinia/Infinia with Hawkeye 4 medical imaging systems, all current versions, are affected; these devices use default or hard-coded credentials. Successful exploitation of this vulnerability may allow a remote attacker to bypass authentication and gain access to the affected…

  • CVE-2017-8013 · Critical · Mar 16, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    EMC Data Protection Advisor 6.3.x before patch 67 and 6.4.x before patch 130 contains undocumented accounts with hard-coded passwords and various privileges. Affected accounts are: "Apollo System Test", "emc.dpa.agent.logon" and "emc.dpa.metrics.logon". An attacker with…

  • CVE-2018-7229 · Critical · Mar 9, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow an unauthenticated, remote attacker to bypass authentication and gain administrator privileges because of the use of hardcoded credentials.

  • CVE-2014-6617 · Critical · Mar 9, 2018
    risk 0.64 · cvss 9.8 · epss 0.05

    Softing FG-100 PB PROFIBUS firmware version FG-x00-PB_V2.02.0.00 contains a hardcoded password for the root account, which allows remote attackers to obtain administrative access via a TELNET session.

  • CVE-2018-7047 · Critical · Mar 1, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    An issue was discovered in the MBeans Server in Wowza Streaming Engine before 4.7.1. The file system may be read and written to via JMX using the default JMX credentials (remote code execution may be possible as well).

  • CVE-2017-11634 · Critical · Feb 26, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    An issue was discovered on Wireless IP Camera 360 devices. Remote attackers can discover a weakly encoded admin password by connecting to TCP port 9527 and reading the password field of the debugging information, e.g., nTBCS19C corresponds to a password of 123456.
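Several entries on this page are credential literals sitting in a source or schema file (the websys.lua assignment, the INSERT in api/schema.sql), which is the kind of thing a pre-release scan of the tree can flag. The scanner below is an added example, not the page's code and not any vendor's; its regexes, placeholder list and the sample files it runs over are constructed for illustration and mimic those patterns without reproducing any product's code. It will not catch obfuscated or encoded secrets, only literals.

```python
"""Added example (not from the CWE entry or any product on this page):
a small scanner for hard-coded credential literals, run over constructed
sample files that mimic patterns seen in the CVE list (a Lua config
assignment, an SQL seed INSERT, a Python constant, a pasted private key).
All file names, values and regexes here are assumptions for illustration."""
import os
import re
import sys
from typing import Dict, List, Tuple

# Identifier fragments that commonly name a secret (matched case-insensitively).
SECRET_KEYS = r"(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token|private[_-]?key)"
QUOTED = r"""["']([^"']{4,})["']"""   # a quoted literal of 4+ characters

PATTERNS = [
    # name_password = "literal"  /  password: 'literal'  (Lua, Python, YAML, JS, ...)
    ("assignment", re.compile(r"(?i)\b\w*" + SECRET_KEYS + r"\w*\s*[:=]\s*" + QUOTED)),
    # INSERT INTO t (..., password, ...) VALUES (...)  -- seeded account in a schema file
    ("sql_seed", re.compile(r"(?i)insert\s+into\s+\w+\s*\([^)]*" + SECRET_KEYS
                            + r"[^)]*\)\s*values\s*\(")),
    # PEM private-key material committed to source
    ("pem_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Literals that are obviously placeholders rather than live credentials.
PLACEHOLDERS = {"changeme", "password", "xxxx", "<redacted>", "example"}

def is_placeholder(value: str) -> bool:
    v = value.strip().lower()
    return v in PLACEHOLDERS or v.startswith("${") or v.startswith("{{")

def scan_source(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (path, line_no, kind, stripped_line) for every suspicious line."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for kind, rx in PATTERNS:
                m = rx.search(line)
                if m is None:
                    continue
                if kind == "assignment" and is_placeholder(m.group(1)):
                    continue
                findings.append((path, no, kind, line.strip()))
                break      # one finding per line is enough
    return findings

def scan_tree(root: str) -> List[Tuple[str, int, str, str]]:
    """Walk a directory and scan every file that decodes as UTF-8."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    files[path] = fh.read()
            except (UnicodeDecodeError, OSError):
                continue   # binaries and unreadable files are skipped
    return scan_source(files)

# Constructed sample inputs; none of these values are real credentials.
SAMPLE_FILES = {
    "websys.lua": 'local cfg = {}\ncfg.admin_password = "Fact0ryPass!"\nreturn cfg\n',
    "schema.sql": "CREATE TABLE users (id INT, email TEXT, password TEXT);\n"
                  "INSERT INTO users (id, email, password) VALUES (1, 'admin@example.com', 'admin1234');\n",
    "settings.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n'
                   'API_KEY = "sk-live-0123456789abcdef"\nDEFAULT_PASSWORD = "changeme"\n',
    "deploy.key": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
                  "-----END OPENSSH PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE_FILES)
    for path, no, kind, line in results:
        print(f"{path}:{no}: [{kind}] {line}")
```

Run with no arguments it scans the embedded samples; given a directory it walks that tree. The `DB_PASSWORD = os.environ[...]` line is not reported because the value is not a quoted literal, and `DEFAULT_PASSWORD = "changeme"` is dropped by the placeholder filter, which is where false positives are tuned in a real deployment.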