CWE-259 — Use of Hard-coded Password
176 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-259 (page 2 of 4)
- CVE-2023-32145 (HIGH, CVSS 8.8, EG 8.8, 2024-05-03)
D-Link DAP-1360 Hardcoded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1360 routers. Authentication is not required t…
- CVE-2023-3237 (MEDIUM, CVSS 6.3, EG 6.3, 2023-06-14)
A vulnerability classified as critical was found in OTCMS up to 6.62. This vulnerability affects unknown code. The manipulation of the argument username/password with the input admin leads to use of hard-coded password. The exploit has bee…
- CVE-2023-37231 (CRITICAL, CVSS 9.8, EG 9.8, 2024-09-10)
Loftware Spectrum before 4.6 HF14 uses a Hard-coded Password.
- CVE-2023-41030 (MEDIUM, CVSS 6.3, EG 6.3, 2023-09-18)
Hard-coded credentials in Juplink RX4-1500 versions V1.0.2 through V1.0.5 allow unauthenticated attackers to log in to the web interface or telnet service as the 'user' user.
- CVE-2023-41713 (HIGH, CVSS 7.5, EG 7.5, 2023-10-17)
SonicOS Use of Hard-coded Password vulnerability in the 'dynHandleBuyToolbar' demo function.
- CVE-2023-46685 (CRITICAL, CVSS 9.8, EG 9.8, 2024-07-08)
A hard-coded password vulnerability exists in the telnetd functionality of LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623. A set of specially crafted network packets can lead to arbitrary command execution.
- CVE-2023-49963 (HIGH, CVSS 8.8, EG 8.8, 2024-04-19)
DYMO LabelWriter Print Server through 2.366 contains a backdoor hard-coded password that could allow an attacker to take control.
- CVE-2023-50948 (MEDIUM, CVSS 6.5, EG 6.5, 2024-01-08)
IBM Storage Fusion HCI 2.1.0 through 2.6.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal…
- CVE-2023-51629 (HIGH, CVSS 8.8, EG 6.3, 2024-05-03)
D-Link DCS-8300LHV2 ONVIF Hardcoded PIN Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DCS-8300LHV2 IP cameras. Authentication is not r…
- CVE-2023-5222 (MEDIUM, CVSS 6.3, EG 9.0, 2023-09-27)
A vulnerability classified as critical was found in Viessmann Vitogate 300 up to 2.1.3.0. This vulnerability affects the function isValidUser of the file /cgi-bin/vitogate.cgi of the component Web Management Interface. The manipulation lea…
- CVE-2024-11026 (LOW, CVSS 3.7, EG 3.7, 2024-11-08)
A vulnerability was found in Intelligent Apps Freenow App 12.10.0 on Android. It has been rated as problematic. Affected by this issue is some unknown functionality of the file ch/qos/logback/core/net/ssl/SSL.java of the component Keystore…
- CVE-2024-11630 (HIGH, CVSS 7.3, EG 7.3, 2024-11-22)
A vulnerability has been found in E-Lins H685, H685f, H700, H720, H750, H820, H820Q, H820Q0 and H900 up to 3.2 and classified as critical. This vulnerability affects unknown code of the component OEM Backend. The manipulation leads to hard…
- CVE-2024-1228 (CRITICAL, CVSS 9.8, EG 9.8, 2024-06-10)
Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Eurosoft Przychodnia installations. This issue affects Eurosoft Przychodnia soft…
- CVE-2024-2038 (HIGH, CVSS 7.5, EG 7.5, 2024-05-23)
The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.22.6. This is due to the use of hardcoded credentials to authentic…
- CVE-2024-20412 (CRITICAL, CVSS 9.3, EG 9.3, 2024-10-23)
A vulnerability in Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 1000, 2100, 3100, and 4200 Series could allow an unauthenticated, local attacker to access an affected system using static credentials. This vulnerabil…
- CVE-2024-2197 (MEDIUM, CVSS 4.3, EG 9.1, 2024-03-20)
The Chirp Access app contains a hard-coded password, BEACON_PASSWORD. An attacker within Bluetooth range could change configuration settings within the Bluetooth beacon, effectively disabling the application's ability to notify users when …
- CVE-2024-21990 (MEDIUM, CVSS 5.4, EG 5.4, 2024-04-17)
ONTAP Select Deploy administration utility versions 9.12.1.x, 9.13.1.x and 9.14.1.x contain hard-coded credentials that could allow an attacker to view Deploy configuration information and modify the account credentials.
- CVE-2024-2420 (CRITICAL, CVSS 9.8, EG 9.8, 2024-05-30)
LenelS2 NetBox access control and event monitoring system was discovered to contain Hardcoded Credentials in versions prior to and including 5.6.1, which allows an attacker to bypass authentication requirements.
- CVE-2024-25825 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-09)
FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 17.1 R114, and OpenFyde R114 were discovered to be configured with the root password saved as a wildcard. This allows attackers to gain root access without a password.
- CVE-2024-26196 (MEDIUM, CVSS 4.3, EG 4.3, 2024-03-21)
Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability
- CVE-2024-27164 (HIGH, CVSS 7.1, EG 7.1, 2024-06-14)
Toshiba printers contain hardcoded credentials. For the affected products/models/versions, see the reference URL.
- CVE-2024-27488 (CRITICAL, CVSS 9.8, EG 9.8, 2024-04-08)
Incorrect Access Control vulnerability in ZLMediaKit versions 1.0 through 8.0 allows remote attackers to escalate privileges and obtain sensitive information. The application system enables the http API interface by default and uses the s…
- CVE-2024-27774 (HIGH, CVSS 7.5, EG 7.5, 2024-03-18)
Unitronics Unistream Unilogic, versions prior to 1.35.227: CWE-259 Use of Hard-coded Password may allow disclosing sensitive information embedded inside the device's firmware.
- CVE-2024-28010 (CRITICAL, CVSS 9.8, EG 9.8, 2024-03-28)
Use of Hard-coded Password in NEC Corporation Aterm WG1800HP4, WG1200HS3, WG1900HP2, WG1200HP3, WG1800HP3, WG1200HS2, WG1900HP, WG1200HP2, W1200EX(-MS), WG1200HS, WG1200HP, WF300HP2, W300P, WF800HP, WR8165N, WG2200HP, WF1200HP2, WG1800HP2,…
- CVE-2024-28023 (MEDIUM, CVSS 5.7, EG 5.7, 2024-06-11)
A vulnerability exists in the message queueing mechanism that, if exploited, can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary cod…
- CVE-2024-28066 (HIGH, CVSS 8.8, EG 8.8, 2024-04-08)
In Unify CP IP Phone firmware 1.10.4.3, Weak Credentials are used (a hardcoded root password).
- CVE-2024-29011 (HIGH, CVSS 7.5, EG 7.5, 2024-05-01)
Use of hard-coded password in the GMS ECM endpoint leading to authentication bypass vulnerability. This issue affects GMS: 9.3.4 and earlier versions.
- CVE-2024-31798 (MEDIUM, CVSS 6.8, EG 6.4, 2024-08-15)
Identical Hardcoded Root Password for All Devices in GNCC's GC2 Indoor Security Camera 1080P allows an attacker with physical access to retrieve the root password for all similar devices.
- CVE-2024-31810 (CRITICAL, CVSS 9.8, EG 9.8, 2024-05-14)
TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a hardcoded password for root at /etc/shadow.sample.
- CVE-2024-32210 (MEDIUM, CVSS 5.3, EG 5.3, 2024-05-01)
The LoMag WareHouse Management application version 1.0.20.120 and older were found to utilize hard-coded passwords by default for forms and SQL connections.
- CVE-2024-32741 (CRITICAL, CVSS 10.0, EG 10.0, 2024-05-14)
A vulnerability has been identified in SIMATIC CN 4100 (All versions < V3.0). The affected device contains a hard-coded password which is used by default for the privileged system user `root` and for the boot loader `GRUB`. An attacker who …
- CVE-2024-33625 (CRITICAL, CVSS 9.8, EG 9.8, 2024-05-15)
CyberPower PowerPanel business application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass authentication.
- CVE-2024-33867 (MEDIUM, CVSS 4.8, EG 4.8, 2024-05-14)
An issue was discovered in linqi before 1.4.0.1 on Windows. There is a hardcoded password salt.
- CVE-2024-34025 (CRITICAL, CVSS 9.8, EG 9.8, 2024-05-15)
CyberPower PowerPanel business application code contains a hard-coded set of authentication credentials. This could result in an attacker bypassing authentication and gaining administrator privileges.
- CVE-2024-34211 (HIGH, CVSS 8.8, EG 8.8, 2024-05-14)
TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to contain a hardcoded password vulnerability in /etc/shadow.sample, which allows attackers to log in as root.
- CVE-2024-34539 (CRITICAL, CVSS 9.4, EG 9.4, 2024-06-14)
Hardcoded credentials in TerraMaster TOS firmware through 5.1 allow a remote attacker to successfully log in to the mail or webmail server. These credentials can also be used to log in to the administration panel and to perform privileged ac…
- CVE-2024-35395 (HIGH, CVSS 8.8, EG 8.8, 2024-05-24)
TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a hardcoded password vulnerability in /etc/shadow.sample, which allows attackers to log in as root.
- CVE-2024-36526 (CRITICAL, CVSS 9.8, EG 9.8, 2024-07-09)
ZKTeco ZKBio CVSecurity v6.1.1 was discovered to contain a hardcoded cryptographic key.
- CVE-2024-3699 (CRITICAL, CVSS 9.8, EG 9.8, 2024-06-10)
Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all drEryk Gabinet installations. This issue affects drEryk Gabinet software versions…
- CVE-2024-3700 (CRITICAL, CVSS 9.8, EG 9.8, 2024-06-10)
Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Simple Care software installations. This issue affects Estomed Sp. z o.o. Simpl…
- CVE-2024-37644 (HIGH, CVSS 8.8, EG 8.8, 2024-06-14)
TRENDnet TEW-814DAP v1_(FW1.01B01) was discovered to contain a hardcoded password vulnerability in /etc/shadow.sample, which allows attackers to log in as root.
- CVE-2024-38885 (HIGH, CVSS 7.5, EG 7.5, 2024-08-02)
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions allows a remote attacker to perform unauthorized access using known operating system credentials due to hardcoded SQL user cr…
- CVE-2024-38902 (CRITICAL, CVSS 9.8, EG 9.8, 2024-06-24)
H3C Magic R230 V100R002 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.
- CVE-2024-39345 (HIGH, CVSS 7.2, EG 7.2, 2024-07-24)
AdTran 834-5 HDC17600021F1 (SmartOS 11.1.1.1) devices enable the SSH service by default and have a hidden, undocumented, hard-coded support account whose password is based on the device's MAC address. All of the device's internet interfaces …
- CVE-2024-39585 (HIGH, CVSS 7.9, EG 7.9, 2024-09-06)
Dell SmartFabric OS10 Software, version(s) 10.5.5.4 through 10.5.5.10 and 10.5.6.x, contain(s) a Use of Hard-coded Password vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading …
- CVE-2024-41616 (CRITICAL, CVSS 9.8, EG 8.8, 2024-08-06)
D-Link DIR-300 REVA FIRMWARE v1.06B05_WW contains hardcoded credentials in the Telnet service.
- CVE-2024-42639 (CRITICAL, CVSS 9.8, EG 9.8, 2024-08-16)
H3C GR1100-P v100R009 was discovered to use a hardcoded password in /etc/shadow, which allows attackers to log in as root.
- CVE-2024-43423 (CRITICAL, CVSS 9.8, EG 9.8, 2024-09-25)
The web application for ProGauge MAGLINK LX4 CONSOLE contains an administrative-level user account with a password that cannot be changed.
- CVE-2024-46328 (HIGH, CVSS 8.0, EG 8.0, 2024-09-26)
VONETS VAP11G-300 v3.3.23.6.9 was discovered to contain hardcoded credentials for several different privileged accounts, including root.
- CVE-2024-46959 (MEDIUM, CVSS 6.5, EG 6.5, 2024-09-18)
runofast Indoor Security Camera for Baby Monitor has a default password of 'password' for the root account. This allows access to the /stream1 URI via the rtsp:// protocol to receive the video and audio stream.