CWE-798: Use of Hard-coded Credentials
1,580 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-798 (page 11 of 32)
- CVE-2020-36915 | HIGH | CVSS 7.5 | EG 7.5 | 2026-01-06
Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level …
- CVE-2020-37092 | HIGH | CVSS 7.5 | EG 7.5 | 2026-02-03
Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password …
- CVE-2020-37135 | HIGH | CVSS 7.5 | EG 7.5 | 2026-02-07
AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized a…
- CVE-2020-37220 | HIGH | CVSS 7.5 | EG 7.5 | 2026-05-13
Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Attackers can query the /api/system/deviceinfo endpoint wi…
- CVE-2020-3928 | MEDIUM | CVSS 6.2 | EG 6.2 | 2020-06-12
The GeoVision Door Access Control device family is hardcoded with a root password, and the same password is used in all devices.
- CVE-2020-4001 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-11-24
The SD-WAN Orchestrator 3.3.2, 3.4.x, and 4.0.x has default passwords allowing for a Pass-the-Hash Attack. SD-WAN Orchestrator ships with default passwords for predefined accounts which may lead to a Pass-the-Hash attack.
- CVE-2020-4150 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-11
IBM SiteProtector Appliance 3.1.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IB…
- CVE-2020-4157 | HIGH | CVSS 7.5 | EG 7.5 | 2022-07-12
IBM QRadar Network Security 5.4.0 and 5.5.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of interna…
- CVE-2020-4177 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-03
IBM Security Guardium 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-For…
- CVE-2020-4190 | MEDIUM | CVSS 6.7 | EG 6.7 | 2020-06-03
IBM Security Guardium 10.6, 11.0, and 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal…
- CVE-2020-4208 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-31
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of int…
- CVE-2020-4216 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-15
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of int…
- CVE-2020-4269 | HIGH | CVSS 7.5 | EG 7.5 | 2020-04-15
IBM QRadar 7.3.0 to 7.3.3 Patch 2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IB…
- CVE-2020-4283 | HIGH | CVSS 8.6 | EG 8.6 | 2020-03-02
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, and 1.0.4 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external comp…
- CVE-2020-4385 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-07-22
IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal d…
- CVE-2020-4429 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-05-07
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with ro…
- CVE-2020-4459 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-08-04
IBM Security Verify Access 10.7 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM …
- CVE-2020-4622 | HIGH | CVSS 7.5 | EG 7.5 | 2020-09-22
IBM Data Risk Manager (iDNA) 2.0.6 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. I…
- CVE-2020-4690 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-09-23
IBM Security Guardium 11.3 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-For…
- CVE-2020-4854 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-11-23
IBM Spectrum Protect Plus 10.1.0 through 10.1.6 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of int…
- CVE-2020-4932 | HIGH | CVSS 7.8 | EG 7.8 | 2021-05-05
IBM QRadar SIEM 7.3 and 7.4 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Fo…
- CVE-2020-4983 | HIGH | CVSS 7.8 | EG 7.8 | 2021-01-20
IBM Spectrum LSF 10.1 and IBM Spectrum LSF Suite 10.2 could allow a user on the local network who has privileges to submit LSF jobs to execute arbitrary commands. IBM X-Force ID: 192586.
- CVE-2020-5222 | MEDIUM | CVSS 6.8 | EG 6.8 | 2020-01-30
Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to …
- CVE-2020-5248 | HIGH | CVSS 7.2 | EG 7.2 | 2020-05-12
GLPI before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key …
- CVE-2020-5349 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-07-19
Dell EMC Networking S4100 and S5200 Series Switches manufactured prior to February 2020 contain a hardcoded credential vulnerability. A remote unauthenticated malicious user could exploit this vulnerability and gain administrative privileg…
- CVE-2020-5351 | HIGH | CVSS 7.5 | EG 7.5 | 2021-07-28
Dell EMC Data Protection Advisor versions 6.4, 6.5 and 18.1 contain an undocumented account with limited privileges that is protected with a hard-coded password. A remote unauthenticated malicious user with the knowledge of the hard-coded …
- CVE-2020-5374 | HIGH | CVSS 8.8 | EG 8.8 | 2020-07-14
Dell EMC OpenManage Integration for Microsoft System Center (OMIMSSC) for SCCM and SCVMM versions prior to 7.2.1 contain a hard-coded cryptographic key vulnerability. A remote unauthenticated attacker may exploit this vulnerability to gain…
- CVE-2020-5667 | MEDIUM | CVSS 5.5 | EG 5.5 | 2020-11-06
Studyplus App for Android v6.3.7 and earlier and Studyplus App for iOS v8.29.0 and earlier use a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained by analyzing dat…
- CVE-2020-6265 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-09
SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to…
- CVE-2020-6779 | CRITICAL | CVSS 10.0 | EG 10.0 | 2021-01-26
Use of Hard-coded Credentials in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows an unauthenticated remote attacker to log into the database with admin-privileges. This may result in c…
- CVE-2020-6857 | MEDIUM | CVSS 5.5 | EG 5.5 | 2020-01-21
CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key. The key for local FTP server passwords is hard-coded in the binary.
- CVE-2020-6882 | HIGH | CVSS 7.5 | EG 7.5 | 2020-12-21
ZTE E8810/E8820/E8822 series routers have an information leak vulnerability, which is caused by hard-coded MQTT service access credentials on the device. The remote attacker could use this credential to connect to the MQTT server, so as to…
- CVE-2020-6963 | CRITICAL | CVSS 10.0 | EG 10.0 | 2020-01-24
In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X, the affected products utilized hard coded S…
- CVE-2020-6979 | HIGH | CVSS 7.5 | EG 7.5 | 2020-03-24
In Moxa EDS-G516E Series firmware, Version 5.2 or lower, the affected products use a hard-coded cryptographic key, increasing the possibility that confidential data can be recovered.
- CVE-2020-6981 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-24
In Moxa EDS-G516E Series firmware, Version 5.2 or lower, an attacker may gain access to the system without proper authentication.
- CVE-2020-6983 | HIGH | CVSS 7.5 | EG 7.5 | 2020-03-24
In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, the affected products use a hard-coded cryptographic key, which increases the possibility that confidential data can be recovered.
- CVE-2020-6985 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-24
In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, these devices use a hard-coded service code for access to the console.
- CVE-2020-6990 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-16
Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to help protect the accoun…
- CVE-2020-7233 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-01-19
KMS Controls BAC-A1616BC BACnet devices have a cleartext password of snowman in the BACKDOOR_NAME variable in the BC_Logon.swf file.
- CVE-2020-7352 | HIGH | CVSS 8.4 | EG 8.8 | 2020-08-06
The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. Due to the software shipping with an embedded, static RSA private key, an attacker with this key material and local user permission…
- CVE-2020-7498 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-16
A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). The fixed credentials are used to simplify file transfer. Today the use of fixed credentials is considered a vulnerabi…
- CVE-2020-7501 | HIGH | CVSS 8.8 | EG 8.8 | 2020-06-16
A CWE-798: Use of Hard-coded Credentials vulnerability exists in Vijeo Designer Basic (V1.1 HotFix 16 and prior) and Vijeo Designer (V6.2 SP9 and prior) which could cause unauthorized read and write when downloading and uploading project o…
- CVE-2020-7515 | HIGH | CVSS 7.8 | EG 7.8 | 2020-07-23
A CWE-321: Use of hard-coded cryptographic key stored in cleartext vulnerability exists in Easergy Builder V1.4.7.2 and prior which could allow an attacker to decrypt a password.
- CVE-2020-7846 | HIGH | CVSS 8.0 | EG 8.0 | 2021-02-24
Helpcom before v10.0 contains a file download and execution vulnerability caused by storing a hardcoded cryptographic key. It ultimately leads to file download and execution via access to a crafted web page.
- CVE-2020-7999 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-01-27
The Intellian Aptus application 1.0.2 for Android has hardcoded values for DOWNLOAD_API_KEY and FILE_DOWNLOAD_API_KEY.
- CVE-2020-8000 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-01-27
Intellian Aptus Web 1.24 has a hardcoded password of 12345678 for the intellian account.
- CVE-2020-8001 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-01-27
The Intellian Aptus application 1.0.2 for Android has a hardcoded password of intellian for the masteruser FTP account.
- CVE-2020-8573 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-06-29
The NetApp HCI H610C, H615C and H610S Baseboard Management Controllers (BMC) are shipped with a documented default account and password that should be changed during the initial node setup. During upgrades to Element 11.8 and 12.0 or the C…
- CVE-2020-8657 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2020-02-06
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/gue…
- CVE-2020-8868 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-23
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest Foglight Evolve 9.0.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the __service__ us…