CWE-798: Use of Hard-coded Credentials
1,579 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. The full definition is available on MITRE.
CVEs classified under CWE-798 (page 1 of 32)
- CVE-2000-1139 | Severity: NONE | CVSS 0.0 | EG 0.0 | 2001-01-09
The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability.
- CVE-2005-3716 | Severity: HIGH | CVSS 7.5 | EG 7.5 | 2005-11-21
The SNMP daemon in UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 has hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information.
- CVE-2005-3803 | Severity: HIGH | CVSS 7.5 | EG 7.5 | 2005-11-24
Cisco IP Phone (VoIP) 7920 1.0(8) contains certain hard-coded ("fixed") public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information.
- CVE-2006-7074 | Severity: NONE | CVSS 0.0 | EG 0.0 | 2007-03-02
admin.php in SmartSiteCMS 1.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the userName cookie.
- CVE-2006-7142 | Severity: HIGH | CVSS 7.8 | EG 7.8 | 2007-03-07
The centralized management feature for Utimaco Safeguard stores hard-coded cryptographic keys in executable programs for encrypted configuration files, which allows attackers to recover the keys from the configuration files and decrypt the…
- CVE-2007-1063 | Severity: NONE | CVSS 0.0 | EG 0.0 | 2007-02-22
The SSH server in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier, uses a hard-coded username and password, which allows remote attackers to access the device.
- CVE-2008-2369 | Severity: CRITICAL | CVSS 9.1 | EG 9.1 | 2008-08-14
manzier.pxt in Red Hat Network Satellite Server before 5.1.1 has a hard-coded authentication key, which allows remote attackers to connect to the server and obtain sensitive information about user accounts and entitlements.
- CVE-2009-5154 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2019-02-09
An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. There is a default password of meinsm for the admin account.
- CVE-2010-2073 | Severity: HIGH | CVSS 7.5 | EG 7.5 | 2010-06-16
auth_db_config.py in Pyftpd 0.8.4 contains hard-coded usernames and passwords for the (1) test, (2) user, and (3) roxon accounts, which allows remote attackers to read arbitrary files from the FTP server.
- CVE-2010-2772 | Severity: HIGH | CVSS 7.8 | EG 7.8 | 2010-07-22
Siemens Simatic WinCC and PCS 7 SCADA system uses a hard-coded password, which allows local users to access a back-end database and gain privileges, as demonstrated in the wild in July 2010 by the Stuxnet worm, a different vulnerability th…
- CVE-2012-2166 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-08
IBM XIV Storage System 2810-A14 and 2812-A14 devices before level 10.2.4.e-2 and 2810-114 and 2812-114 devices before level 11.1.1 have hardcoded passwords for unspecified accounts, which allows remote attackers to gain user access via unk…
- CVE-2012-4381 | Severity: HIGH | CVSS 8.1 | EG 8.1 | 2020-02-08
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication p…
- CVE-2012-4712 | Severity: NONE | CVSS 0.0 | EG 0.0 | 2013-02-15
Moxa EDR-G903 series routers with firmware before 2.11 have a hardcoded account, which allows remote attackers to obtain unspecified device access via unknown vectors.
- CVE-2012-5686 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-04
ZPanel 10.0.1 has insufficient entropy for its password reset process.
- CVE-2012-6428 | Severity: NONE | CVSS 0.0 | EG 0.0 | 2012-12-23
The Carlo Gavazzi EOS-Box stores hard-coded passwords in the PHP file of the device. By using the hard-coded passwords, attackers can log into the device with administrative privileges. This could allow the attacker to have unauthoriz…
- CVE-2012-6611 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-10
An issue was discovered in Polycom Web Management Interface G3/HDX 8000 HD with Durango 2.6.0 4740 software and embedded Polycom Linux Development Platform 2.14.g3. It has a blank administrative password by default, and can be successfully…
- CVE-2013-10002 | Severity: MEDIUM | CVSS 6.5 | EG 9.1 | 2022-05-24
A vulnerability was found in Telecommunication Software SAMwin Contact Center Suite 5.1. It has been rated as critical. Affected by this issue is the function getCurrentDBVersion in the library SAMwinLIBVB.dll of the credential handler. Au…
- CVE-2013-1352 | Severity: HIGH | CVSS 7.5 | EG 7.5 | 2020-01-30
Verax NMS prior to 2.1.0 uses an encryption key that is hardcoded in a JAR archive.
- CVE-2013-1603 | Severity: MEDIUM | CVSS 5.3 | EG 5.3 | 2020-01-28
An Authentication vulnerability exists in D-LINK WCS-1100 1.02, TESCO DCS-2121 1.05_TESCO, TESCO DCS-2102 1.05_TESCO, DCS-7510 1.00, DCS-7410 1.00, DCS-6410 1.00, DCS-5635 1.01, DCS-5605 1.01, DCS-5230L 1.02, DCS-5230 1.02, DCS-3430 1.02, …
- CVE-2013-2567 | Severity: HIGH | CVSS 7.5 | EG 7.5 | 2020-01-29
An Authentication Bypass vulnerability exists in the web interface in Zavio IP Cameras through 1.6.03 due to a hardcoded admin account found in boa.conf, which lets a remote malicious user obtain sensitive information.
- CVE-2013-2572 | Severity: HIGH | CVSS 7.5 | EG 7.5 | 2020-01-29
A Security Bypass vulnerability exists in TP-LINK IP Cameras TL-SC 3130, TL-SC 3130G, 3171G, 4171G, and 3130 1.6.18P12 due to default hard-coded credentials for the administrative Web interface, which could let a malicious user obtain unau…
- CVE-2013-3542 | Severity: CRITICAL | CVSS 10.0 | EG 10.0 | 2019-12-11
Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models with firmware 1.0.4.11, have a hardcoded account "!#/" with the same password, wh…
- CVE-2013-3619 | Severity: HIGH | CVSS 8.1 | EG 8.1 | 2020-01-02
Intelligent Platform Management Interface (IPMI) with firmware for Supermicro X9 generation motherboards before SMT_X9_317 and firmware for Supermicro X8 generation motherboards before SMT X8 312 contain hardcoded private encryption keys fo…
- CVE-2013-6236 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-12
IZON IP 2.0.2: hard-coded password vulnerability
- CVE-2013-6276 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2021-08-09
QNAP F_VioCard 2312 and F_VioGate 2308 have hardcoded entries in authorized_keys files. NOTE: 1. All active models are not affected. The last affected model was EOL since 2010. 2. The legacy authorization mechanism is no longer adopted in …
- CVE-2013-6277 | Severity: HIGH | CVSS 7.5 | EG 7.5 | 2020-02-13
QNAP VioCard 300 has hardcoded RSA private keys.
- CVE-2013-6362 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-13
Xerox ColorCube and WorkCenter devices in 2013 had hardcoded FTP and shell user accounts.
- CVE-2014-0175 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2019-12-13
mcollective has a default password set at install.
- CVE-2014-125030 | Severity: MEDIUM | CVSS 6.3 | EG 9.8 | 2023-01-01
A vulnerability, which was classified as critical, has been found in taoeffect Empress. Affected by this issue is some unknown functionality. The manipulation leads to use of hard-coded password. The patch is identified as 557e177d8a309d6f…
- CVE-2014-125115 | Severity: CRITICAL | CVSS 10.0 | EG 0.0 | 2025-07-25
An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administra…
- CVE-2014-125121 | Severity: CRITICAL | CVSS 10.0 | EG 0.0 | 2025-07-31
Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a star…
- CVE-2014-2349 | Severity: NONE | CVSS 0.0 | EG 0.0 | 2014-05-22
Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet pro…
- CVE-2014-2350 | Severity: NONE | CVSS 0.0 | EG 0.0 | 2014-05-22
Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet pro…
- CVE-2014-3205 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-23
backupmgt/pre_connect_check.php in Seagate BlackArmor NAS contains a hard-coded password of '!~@##$$%FREDESWWSED' for a backdoor user.
- CVE-2014-3413 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2018-04-05
The MySQL server in Juniper Networks Junos Space before 13.3R1.8 has an unspecified account with a hardcoded password, which allows remote attackers to obtain sensitive information and consequently obtain administrative control by leveragi…
- CVE-2014-5431 | Severity: MEDIUM | CVSS 6.8 | EG 6.8 | 2019-03-26
Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 contains a hard-coded password, which provides access to basic biomedical information, limited device settings, and network c…
- CVE-2014-5434 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2019-03-26
Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 has a default account with hard-coded credentials used with the FTP protocol. Baxter asserts no files can be transferred to o…
- CVE-2014-6617 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2018-03-09
Softing FG-100 PB PROFIBUS firmware version FG-x00-PB_V2.02.0.00 contains a hardcoded password for the root account, which allows remote attackers to obtain administrative access via a TELNET session.
- CVE-2014-8579 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2018-01-05
TRENDnet TEW-823DRU devices with firmware before 1.00b36 have a hardcoded password of kcodeskcodes for the root account, which makes it easier for remote attackers to obtain access via an FTP session.
- CVE-2014-9198 | Severity: NONE | CVSS 0.0 | EG 0.0 | 2015-01-27
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session.
- CVE-2014-9614 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-19
The Web Panel in Netsweeper before 4.0.5 has a default password of branding for the branding account, which makes it easier for remote attackers to obtain access via a request to webadmin/.
- CVE-2015-3953 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2019-03-25
Hard-coded accounts may be used to access Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior. Hospira recommends that customers close …
- CVE-2015-7276 | Severity: MEDIUM | CVSS 5.9 | EG 5.9 | 2019-11-06
Technicolor C2000T and C2100T uses hard-coded cryptographic keys.
- CVE-2015-9254 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-20
Datto ALTO and SIRIS devices have a default VNC password.
- CVE-2016-0235 | Severity: HIGH | CVSS 8.2 | EG 8.2 | 2018-03-12
IBM Security Guardium Database Activity Monitor 10 allows local users to have unspecified impact by leveraging administrator access to a hardcoded password, related to use on GRUB systems. IBM X-Force ID: 110326.
- CVE-2016-10928 | Severity: HIGH | CVSS 7.5 | EG 7.5 | 2019-08-22
The onelogin-saml-sso plugin before 2.2.0 for WordPress has a hardcoded @@@nopass@@@ password for just-in-time provisioned users.
- CVE-2016-2357 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-25
Milesight IP security cameras through 2016-11-14 have a hardcoded SSL private key under the /etc/config directory.
- CVE-2016-2358 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-25
Milesight IP security cameras through 2016-11-14 have a default set of 10 privileged accounts with hardcoded credentials. They are accessible if the customer has not configured 10 actual user accounts.
- CVE-2016-2360 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-25
Milesight IP security cameras through 2016-11-14 have a default root password in /etc/shadow that is the same across different customers' installations.
- CVE-2016-3953 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-06
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function.