VYPR

CWE-798

Use of Hard-coded Credentials

Abstraction: Base · Status: Draft · Likelihood of Exploit: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.
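
The description above covers both a shipped password and a shipped key. The following added example (not CWE's text and not code from any product listed on this page) shows the weakness as it appears in code, the per-deployment alternative beside it, and a small static check that flags the vulnerable pattern. Every name in it (HARDCODED_ADMIN_PASSWORD, the ADMIN_PW_SALT and ADMIN_PW_HASH variables, KNOWN_DEFAULTS, SAMPLE_SOURCE) and every secret value is constructed for illustration.

```python
"""CWE-798 in code: a hard-coded credential beside a per-deployment one, plus
a small AST check that flags the vulnerable pattern in Python source.

Added example for this page; not code from any product listed here.  All
names (HARDCODED_ADMIN_PASSWORD, ADMIN_PW_SALT/ADMIN_PW_HASH, SAMPLE_SOURCE)
and the sample secrets are constructed for illustration."""
import ast
import hashlib
import hmac
import os
import re

# --- Vulnerable pattern ------------------------------------------------------
# The secret ships inside the product, so it is identical on every installation
# and recoverable by anyone who can read the firmware, binary or source.
HARDCODED_ADMIN_PASSWORD = "factory-gui-2013"   # constructed, not a real default


def login_vulnerable(username: str, password: str) -> bool:
    return username == "admin" and password == HARDCODED_ADMIN_PASSWORD


# --- Hardened pattern --------------------------------------------------------
PBKDF2_ITERATIONS = 100_000
# Well-known defaults the product refuses to run with (constructed list).
KNOWN_DEFAULTS = ("admin", "password", "changeme")


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def provision_admin_credential(password: str) -> dict:
    """Run once per installation (e.g. by an installer); returns the values the
    deployment stores outside the code, modelled here as environment variables."""
    salt = os.urandom(16)
    return {"ADMIN_PW_SALT": salt.hex(), "ADMIN_PW_HASH": _hash(password, salt).hex()}


def load_admin_credential(env: dict) -> tuple[bytes, bytes]:
    """Load the per-deployment salt and hash; refuse a missing credential and
    refuse any of the known defaults (checked against the stored hash)."""
    try:
        salt = bytes.fromhex(env["ADMIN_PW_SALT"])
        expected = bytes.fromhex(env["ADMIN_PW_HASH"])
    except (KeyError, ValueError) as exc:
        raise RuntimeError("admin credential not provisioned") from exc
    for default in KNOWN_DEFAULTS:
        if hmac.compare_digest(_hash(default, salt), expected):
            raise RuntimeError("admin credential is a known default; refusing to start")
    return salt, expected


def login_hardened(username: str, password: str, env: dict) -> bool:
    salt, expected = load_admin_credential(env)
    # Constant-time comparison of the derived hash, never of a stored plaintext.
    return username == "admin" and hmac.compare_digest(_hash(password, salt), expected)


# --- Static check for the vulnerable pattern --------------------------------
CREDENTIAL_NAME = re.compile(r"pass(word|wd)?|secret|token|api_?key|private_?key", re.I)


def find_hardcoded_credentials(source: str) -> list[tuple[int, str]]:
    """Return (line, name) for every assignment of a non-empty string literal
    to a credential-looking name.  Literal-only: it will not catch secrets that
    are concatenated, base64-encoded, or kept in another language's config."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)):
            continue
        if not (isinstance(node.value.value, str) and node.value.value):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and CREDENTIAL_NAME.search(target.id):
                hits.append((node.lineno, target.id))
    return hits


# Constructed source under review: two hard-coded secrets, one loaded at runtime.
SAMPLE_SOURCE = '''import os
DB_PASSWORD = "s3cret-shipped-in-2013"
api_key = "constructed-example-key"
password = os.environ["ADMIN_PASSWORD"]
label = "not a credential"
'''

if __name__ == "__main__":
    print(find_hardcoded_credentials(SAMPLE_SOURCE))
```

Running the module prints the two flagged assignments in SAMPLE_SOURCE, the hard-coded `DB_PASSWORD` and `api_key`, and not the `password` that is read from the environment. The known-default check in `load_admin_credential` is what separates a "default password" finding from a merely weak one: the product hashes each known default with the stored salt, compares it against the stored hash in constant time, and refuses to start rather than silently accepting the default.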

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 9 of 28
  • CVE-2017-14421 · Critical · Sep 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices have a hardcoded password of wrgac25_dlink.2013gui_dir850l for the Alphanetworks account upon device reset, which allows remote attackers to obtain root access via a TELNET session.

  • CVE-2017-11351 · Critical · Sep 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Axesstel MU553S MU55XS-V1.14 devices have a default password of admin for the admin account.

  • CVE-2014-8426 · Critical · Aug 28, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    Hard coded weak credentials in Barracuda Load Balancer 5.0.0.015.

  • CVE-2017-9852 · Critical · Aug 5, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    An Incorrect Password Management issue was discovered in SMA Solar Technology products. Default passwords exist that are rarely changed. User passwords will almost always be default. Installer passwords are expected to be default or similar across installations installed by the…

  • CVE-2017-10818 · Critical · Aug 4, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    MaLion for Windows and Mac versions 3.2.1 to 5.2.1 uses a hardcoded cryptographic key which may allow an attacker to alter the connection settings of Terminal Agent and spoof the Relay Service.

  • CVE-2017-11380 · Critical · Aug 1, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Backup archives were found to be encrypted with a static password across different installations, which suggests the same password may be used in all virtual appliance instances of Trend Micro Deep Discovery Director 1.1.

  • CVE-2017-11129 · Critical · Aug 1, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android. The keystore is locked with a hard-coded password. Therefore, everyone with access to the keystore can read the content out, for example the private key of the user.

  • CVE-2017-11743 · Critical · Jul 31, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    MEDHOST Connex contains a hard-coded Mirth Connect admin credential that is used for customer Mirth Connect management access. An attacker with knowledge of the hard-coded credential and the ability to communicate directly with the Mirth Connect management console may be able to…

  • CVE-2017-11614 · Critical · Jul 25, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    MEDHOST Connex contains hard-coded credentials that are used for customer database access. An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the database may be able to obtain or modify sensitive patient and financial…

  • CVE-2017-7336 · Critical · Jul 22, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    A hard-coded account named 'upgrade' in Fortinet FortiWLM 8.3.0 and lower versions allows a remote attacker to log-in and execute commands with 'upgrade' account privileges.

  • CVE-2017-3222 · Critical · Jul 22, 2017
    risk 0.64 · cvss 9.8 · epss 0.07

    Hard-coded credentials in AmosConnect 8 allow remote attackers to gain full administrative privileges, including the ability to execute commands on the Microsoft Windows host platform with SYSTEM privileges by abusing AmosConnect Task Manager.

  • CVE-2017-9932 · Critical · Jul 21, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb has a default password of admin for the admin account.

  • CVE-2017-11436 · Critical · Jul 19, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    D-Link DIR-615 before v20.12PTb04 has a second admin account with a 0x1 BACKDOOR value, which might allow remote attackers to obtain access via a TELNET connection.

  • CVE-2017-4976 · Critical · Jul 9, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    EMC ESRS Policy Manager prior to 6.8 contains an undocumented account (OpenDS admin) with a default password. A remote attacker with the knowledge of the default password may login to the system and gain administrator privileges to the local LDAP directory server.

  • CVE-2017-2236 · Critical · Jul 7, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlier, Toshiba Home gateway HEM-GW26A firmware HEM-GW26A-FW-V1.2.0 and earlier uses hard-coded credentials, which may allow attackers to perform operations on device with administrative privileges.

  • CVE-2017-6022 · Critical · Jun 30, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    A hard-coded password issue was discovered in Becton, Dickinson and Company (BD) PerformA, Version 2.0.14.0 and prior versions, and KLA Journal Service, Version 1.0.51 and prior versions. They use hard-coded passwords to access the BD Kiestra Database, which could be leveraged…

  • CVE-2016-9358 · Critical · Jun 30, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    A Hard-Coded Passwords issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check Bin Grader, FlowlineQC T376, IPM3 Dual Cam v132, IPM3 Dual Cam v139, IPM3 Single…

  • CVE-2016-8731 · Critical · Jun 21, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    Hard-coded FTP credentials (r:r) are included in the Foscam C1 running firmware 1.9.1.12. Knowledge of these credentials would allow remote access to any cameras found on the internet that do not have port 50021 blocked by an intermediate device.

  • CVE-2016-0726 · Critical · Jun 6, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials.

  • CVE-2017-6131 · Critical · May 23, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    In some circumstances, an F5 BIG-IP version 12.0.0 to 12.1.2 and 13.0.0 Azure cloud instance may contain a default administrative password which could be used to remotely log into the BIG-IP system. The impacted administrative account is the Azure instance administrative user…