CWE-798— Use of Hard-coded Credentials

The vulnerability allows a remote attacker to authenticate to the SSH service with root privileges through a hidden hard-coded account.

SmartStar Software CWS is a web-base integration platform, it has a vulnerability of using a hard-coded for a specific account with low privilege. An unauthenticated remote attacker can exploit this vulnerability to run partial processes a…

Multisuns EasyLog web+ has a vulnerability of using hard-coded credentials. An remote attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt service.

Kaifa Technology WebITR is an online attendance system, it has a vulnerability in using hard-coded encryption key. An unauthenticated remote attacker can generate valid token parameter and exploit this vulnerability to access system with a…

Precor touchscreen console P62, P80, and P82 could allow a remote attacker (within the local network) to bypass security restrictions, and access the service menu, because there is a hard-coded service code.

Precor touchscreen console P82 contains a private SSH key that corresponds to a default public key. A remote attacker could exploit this to gain root privileges.

Precor touchscreen console P62, P80, and P82 could allow a remote attacker to obtain sensitive information because the root password is stored in /etc/passwd. An attacker could exploit this to extract files and obtain sensitive information.

Precor touchscreen console P62, P80, and P82 contains a default SSH public key in the authorized_keys file. A remote attacker could use this key to gain root privileges.

An issue was discovered in Peplink Balance Two before 8.4.0. Console port authentication uses hard-coded credentials, which allows an attacker with physical access and sufficient knowledge to execute arbitrary commands as root.

Root user password is hardcoded into the device and cannot be changed in the user interface.

It is possible to download the configuration backup without authorization and decrypt included passwords using hardcoded static key.

Flient Smart Door Lock v1.0 is vulnerable to Use of Default Credentials. Due to default credentials on a debug interface, in combination with certain design choices, an attacker can unlock the Flient Smart Door Lock by replacing the finger…

Use of a static key to protect a JWT token used in user authentication can allow an for an authentication bypass in D-Link D-View 8 v2.0.1.28

IBM Storage Fusion HCI 2.1.0 through 2.6.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal…

In Appwrite CLI before 3.0.0, when using the login command, the credentials of the Appwrite user are stored in a ~/.appwrite/prefs.json file with 0644 as UNIX permissions. Any user of the local system can access those credentials.

Voltronic Power ViewPower Pro MySQL Use of Hard-coded Credentials Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Voltronic Power ViewPower Pro. An att…

D-Link DCS-8300LHV2 ONVIF Hardcoded PIN Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DCS-8300LHV2 IP cameras. Authentication is not r…

Allegra Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability. T…

DoraCMS 2.1.8 is vulnerable to Use of Hard-coded Cryptographic Key.

In KDE libksieve before 23.03.80, kmanagesieve/session.cpp places a cleartext password in server logs because a username variable is accidentally given a password value.

Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0.

Anevia Flamingo XL/XS 3.6.20 contains a critical vulnerability with weak default administrative credentials that can be easily guessed. Attackers can leverage these hard-coded credentials to gain full remote system control without complex …

A CWE-798 “Use of Hard-coded Credentials” vulnerability in the MariaDB database of the web application allows a remote unauthenticated attacker to access the database service and all included data with the same privileges of the web ap…

Weintek EasyBuilder Pro contains a vulnerability that, even when the private key is immediately deleted after the crash report transmission is finished, the private key is exposed to the public, which could result in obtaining remote co…

Use of Hard-coded Credentials vulnerability in Baicells Snap Router BaiCE_BMI on EP3011 (User Passwords modules) allows unauthorized access to the device.

Use of Hard-coded Credentials vulnerability in Utarit Information Technologies SoliPay Mobile App allows Read Sensitive Strings Within an Executable. This issue affects SoliPay Mobile App: before 5.0.8.

CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to a project file protected with application password when opening the file with EcoStruxure Control Expert.

Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system.

Use of encryption key derived from static information in Synaptics Fingerprint Driver allows an attacker to set up a TLS session with the fingerprint sensor and send restricted commands to the fingerprint sensor. This may allow an atta…

INPRAX "iZZi connect" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access …

CWE-798: Use of hard-coded credentials vulnerability exists that could cause local privilege escalation when logged in as a non-administrative user.

Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass. This issue affects Elektraweb: before v17.0.68.

A vulnerability in the .sdd file allows an attacker to read default passwords stored in plain text within the code. By exploiting these plaintext credentials, an attacker can log into affected SICK products as an “Authorized Client” if…

Gessler GmbH WEB-MASTER has a restoration account that uses weak hard coded credentials and if exploited could allow an attacker control over the web management of the device.

A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure…

A vulnerability, which was classified as problematic, has been found in Cosmote Greece What's Up App 4.47.3 on Android. This issue affects some unknown processing of the file gr/desquared/kmmsharedmodule/db/RealmDB.java of the component Re…

A vulnerability was found in mariazevedo88 travels-java-api up to 5.0.1 and classified as problematic. Affected by this issue is the function doFilterInternal of the file travels-java-api-master\src\main\java\io\github\mariazevedo88\travel…

A vulnerability was found in Intelligent Apps Freenow App 12.10.0 on Android. It has been rated as problematic. Affected by this issue is some unknown functionality of the file ch/qos/logback/core/net/ssl/SSL.java of the component Keystore…

ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root.

A vulnerability has been found in E-Lins H685, H685f, H700, H720, H750, H820, H820Q, H820Q0 and H900 up to 3.2 and classified as critical. This vulnerability affects unknown code of the component OEM Backend. The manipulation leads to hard…

Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Eurosoft Przychodnia installations. This issue affects Eurosoft Przychodnia soft…

Encrypted database credentials in LaborOfficeFree affecting version 19.10. This vulnerability allows an attacker to read and extract the username and password from the database of 'LOF_service.exe' and 'LaborOfficeFree.exe' located in the …

The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 uses a hardcoded password in its Password Protection feature, allowing attacker to bypass the protection offered via a crafted request

The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via hard-coded credentials. This makes it possible for unauthenti…

A vulnerability classified as problematic was found in Totolink X6000R 9.4.0cu.852_B20230719. Affected by this vulnerability is an unknown functionality of the file /etc/shadow. The manipulation leads to hard-coded credentials. It is possi…

A vulnerability in the backup feature of Cisco UCS Central Software could allow an attacker with access to a backup file to learn sensitive information that is stored in the full state and configuration backup files. This vulnerability …

A vulnerability in Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 1000, 2100, 3100, and 4200 Series could allow an unauthenticated, local attacker to access an affected system using static credentials. This vulnerabil…

A vulnerability in Cisco Smart Licensing Utility (CSLU) could allow an unauthenticated, remote attacker to log into an affected system by using a static administrative credential. This vulnerability is due to an undocumented static user…

Use of Hard-coded Credentials in Kiloview NDI allows un-authenticated users to bypass authenticationThis issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227 .

In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the product uses hard-coded credentials, which may allow an attacker to connect to a specific port.