CWE-259
Use of Hard-coded Password
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
CVE-2012-5862 (GCVE-0-2012-5862)
Vulnerability from cvelistv5
Published
2012-11-23 11:00
Modified
2025-07-08 15:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
These Sinapsi devices
store hard-coded passwords in the PHP file of the device. By using the
hard-coded passwords in the device, attackers can log into the device
with administrative privileges. This could allow the attacker to have
unauthorized access.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.exploit-db.com/exploits/21273/ | exploit, x_refsource_EXPLOIT-DB | |
| http://archives.neohapsis.com/archives/bugtraq/2012-09/0045.html | mailing-list, x_refsource_BUGTRAQ | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/80200 | vdb-entry, x_refsource_XF | |
| https://www.cisa.gov/news-events/ics-advisories/icsa-12-325-01 | ||
| http://www.sinapsitech.it/default.asp?active_page_id=78&news_id=88 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Sinapsi | eSolar |
Version: 0 < 2.0.2870_xxx_2.2.12 |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:21:27.480Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "21273",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/21273/"
},
{
"name": "20120911 Multiple vulnerabilities in Ezylog photovoltaic management server",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-09/0045.html"
},
{
"name": "sinapsi-default-password(80200)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80200"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-12-325-01.pdf"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.sinapsitech.it/default.asp?active_page_id=78\u0026news_id=88"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "eSolar",
"vendor": "Sinapsi",
"versions": [
{
"lessThan": "2.0.2870_xxx_2.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "eSolar DUO",
"vendor": "Sinapsi",
"versions": [
{
"lessThan": "2.0.2870_xxx_2.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "eSolar Light",
"vendor": "Sinapsi",
"versions": [
{
"lessThan": "2.0.2870_xxx_2.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Roberto Paleari and Ivan Speziale identified vulnerabilities and released proof-of-concept (exploit) code for the Sinapsi eSolar Light Photovoltaic System Monitor without coordination with Sinapsi or ICS-CERT."
}
],
"datePublic": "2012-09-11T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "These Sinapsi devices\nstore hard-coded passwords in the PHP file of the device. By using the \nhard-coded passwords in the device, attackers can log into the device \nwith administrative privileges. This could allow the attacker to have \nunauthorized access."
}
],
"value": "These Sinapsi devices\nstore hard-coded passwords in the PHP file of the device. By using the \nhard-coded passwords in the device, attackers can log into the device \nwith administrative privileges. This could allow the attacker to have \nunauthorized access."
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T15:29:24.539Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"name": "21273",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/21273/"
},
{
"name": "20120911 Multiple vulnerabilities in Ezylog photovoltaic management server",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-09/0045.html"
},
{
"name": "sinapsi-default-password(80200)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80200"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-12-325-01"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.sinapsitech.it/default.asp?active_page_id=78\u0026news_id=88"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sinapsi has developed a new firmware version 2.0.2870_2.2.12 that \nmitigates these vulnerabilities. Sinapsi released the new firmware on \nMonday, November 19, 2012 directly to the devices. Users will be able to\n manually download the firmware on their device by using the Firmware \nUpdate function in the System Menu in the device\u2019s Web interface. \nSinapsi has also posted a security newsletter to its \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.sinapsitech.it/default.asp?active_page_id=78\u0026amp;news_id=88\"\u003epublic Web site\u003c/a\u003e\u0026nbsp;.\u003cp\u003eOther affected vendors have been notified by Sinapsi and ICS-CERT, \nbut the availability of new firmware upgrades are unknown by ICS-CERT at\n this time.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Sinapsi has developed a new firmware version 2.0.2870_2.2.12 that \nmitigates these vulnerabilities. Sinapsi released the new firmware on \nMonday, November 19, 2012 directly to the devices. Users will be able to\n manually download the firmware on their device by using the Firmware \nUpdate function in the System Menu in the device\u2019s Web interface. \nSinapsi has also posted a security newsletter to its public Web site http://www.sinapsitech.it/default.asp \u00a0.Other affected vendors have been notified by Sinapsi and ICS-CERT, \nbut the availability of new firmware upgrades are unknown by ICS-CERT at\n this time."
}
],
"source": {
"advisory": "ICSA-12-325-01",
"discovery": "EXTERNAL"
},
"title": "Sinapsi eSolar Hard-Coded Password",
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2012-5862",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "login.php on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 establishes multiple hardcoded accounts, which makes it easier for remote attackers to obtain administrative access by leveraging a (1) cleartext password or (2) password hash contained in this script, as demonstrated by a password of astridservice or 36e44c9b64."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "21273",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/21273/"
},
{
"name": "20120911 Multiple vulnerabilities in Ezylog photovoltaic management server",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-09/0045.html"
},
{
"name": "sinapsi-default-password(80200)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80200"
},
{
"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-12-325-01.pdf",
"refsource": "MISC",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-12-325-01.pdf"
},
{
"name": "http://www.sinapsitech.it/default.asp?active_page_id=78\u0026news_id=88",
"refsource": "CONFIRM",
"url": "http://www.sinapsitech.it/default.asp?active_page_id=78\u0026news_id=88"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2012-5862",
"datePublished": "2012-11-23T11:00:00",
"dateReserved": "2012-11-14T00:00:00",
"dateUpdated": "2025-07-08T15:29:24.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36609 (GCVE-0-2025-36609)
Vulnerability from cvelistv5
Published
2025-07-30 18:14
Modified
2025-07-30 18:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-259 - Use of Hard-coded Password
Summary
Dell SmartFabric OS10 Software, versions prior to 10.6.0.5, contains a Use of Hard-coded Password vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Dell | SmartFabric OS10 Software |
Version: N/A ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36609",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T18:30:48.438199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T18:31:00.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SmartFabric OS10 Software",
"vendor": "Dell",
"versions": [
{
"lessThan": "10.6.0.5",
"status": "affected",
"version": "N/A",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-07-17T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell SmartFabric OS10 Software, versions prior to 10.6.0.5, contains a Use of Hard-coded Password vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.\u003cbr\u003e"
}
],
"value": "Dell SmartFabric OS10 Software, versions prior to 10.6.0.5, contains a Use of Hard-coded Password vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259: Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T18:14:01.641Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000346195/dsa-2025-259-security-update-for-dell-networking-os10-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2025-36609",
"datePublished": "2025-07-30T18:14:01.641Z",
"dateReserved": "2025-04-15T21:32:46.456Z",
"dateUpdated": "2025-07-30T18:31:00.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3920 (GCVE-0-2025-3920)
Vulnerability from cvelistv5
Published
2025-07-07 08:21
Modified
2025-07-07 17:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-259 - Use of Hard-coded Password
Summary
A vulnerability was identified in SUR-FBD CMMS where hard-coded credentials were found within a compiled DLL file. These credentials correspond to a built-in administrative account of the software. An attacker with local access to the system or the application's installation directory could extract these credentials, potentially leading to a complete compromise of the application's administrative functions. This issue was fixed in version 2025.03.27 of the SUR-FBD CMMS software.
References
| ▼ | URL | Tags |
|---|---|---|
| https://cert.pl/en/posts/2025/07/CVE-2025-3920/ | third-party-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SUR-FBD CMMS | SUR-FBD CMMS |
Version: 0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3920",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T17:46:22.395207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T17:50:28.306Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SUR-FBD CMMS",
"vendor": "SUR-FBD CMMS",
"versions": [
{
"lessThan": "2025.03.27",
"status": "affected",
"version": "0",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thomas Hayen (Easi)"
}
],
"datePublic": "2025-07-07T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability was identified in SUR-FBD CMMS where hard-coded credentials were found within a compiled DLL file. These credentials correspond to a built-in administrative account of the software. An attacker with local access to the system or the application\u0027s installation directory could extract these credentials, potentially leading to a complete compromise of the application\u0027s administrative functions.\u0026nbsp;This issue was fixed in version 2025.03.27 of the SUR-FBD CMMS software."
}
],
"value": "A vulnerability was identified in SUR-FBD CMMS where hard-coded credentials were found within a compiled DLL file. These credentials correspond to a built-in administrative account of the software. An attacker with local access to the system or the application\u0027s installation directory could extract these credentials, potentially leading to a complete compromise of the application\u0027s administrative functions.\u00a0This issue was fixed in version 2025.03.27 of the SUR-FBD CMMS software."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T08:21:54.231Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2025/07/CVE-2025-3920/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hard-coded Password in SUR-FBD CMMS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-3920",
"datePublished": "2025-07-07T08:21:54.231Z",
"dateReserved": "2025-04-24T12:25:08.415Z",
"dateUpdated": "2025-07-07T17:50:28.306Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-44955 (GCVE-0-2025-44955)
Vulnerability from cvelistv5
Published
2025-08-04 00:00
Modified
2025-08-04 16:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-259 - Use of Hard-coded Password
Summary
RUCKUS Network Director (RND) before 4.5 allows jailed users to obtain root access vis a weak, hardcoded password.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RUCKUS | Network Director |
Version: 0 < 4.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-44955",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-04T16:25:47.910155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T16:50:39.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Network Director",
"vendor": "RUCKUS",
"versions": [
{
"lessThan": "4.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RUCKUS Network Director (RND) before 4.5 allows jailed users to obtain root access vis a weak, hardcoded password."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T15:56:50.694Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/613753"
},
{
"url": "https://claroty.com/team82/disclosure-dashboard/cve-2025-44955"
},
{
"url": "https://webresources.commscope.com/download/assets/FAQ+Security+Advisory%3A+ID+20250710/225f44ac3bd311f095821adcaa92e24e"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-44955",
"datePublished": "2025-08-04T00:00:00.000Z",
"dateReserved": "2025-04-22T00:00:00.000Z",
"dateUpdated": "2025-08-04T16:50:39.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47818 (GCVE-0-2025-47818)
Vulnerability from cvelistv5
Published
2025-06-27 00:00
Modified
2025-09-02 16:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-259 - Use of Hard-coded Password
Summary
Flock Safety Gunshot Detection devices before 1.3 have a hard-coded password for a connection.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Flock Safety | Gunshot Detection devices |
Version: 0 < 1.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47818",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-30T18:51:56.475838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T18:54:49.995Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Gunshot Detection devices",
"vendor": "Flock Safety",
"versions": [
{
"lessThan": "1.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flock Safety Gunshot Detection devices before 1.3 have a hard-coded password for a connection."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.2,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T16:22:58.439Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.flocksafety.com/articles/gunshot-detection-and-license-plate-reader-security-alert"
},
{
"url": "https://gainsec.com/2025/06/19/bird-hunting-season-security-research-on-flock-safety-anti-crime-systems/"
},
{
"url": "https://gainsec.com/wp-content/uploads/2025/06/flock-safety-researcher-summary.pdf"
},
{
"url": "https://gainsec.com/2025/06/19/plucked-and-rooted-device-1-debug-shell-on-flock-safetys-raven-gunshot-detection-system/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-47818",
"datePublished": "2025-06-27T00:00:00.000Z",
"dateReserved": "2025-05-10T00:00:00.000Z",
"dateUpdated": "2025-09-02T16:22:58.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47821 (GCVE-0-2025-47821)
Vulnerability from cvelistv5
Published
2025-06-27 00:00
Modified
2025-09-02 16:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-259 - Use of Hard-coded Password
Summary
Flock Safety Gunshot Detection devices before 1.3 have a hardcoded password for a system.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Flock Safety | Gunshot Detection devices |
Version: 0 < 1.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47821",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-30T18:51:31.466750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T18:56:27.541Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Gunshot Detection devices",
"vendor": "Flock Safety",
"versions": [
{
"lessThan": "1.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flock Safety Gunshot Detection devices before 1.3 have a hardcoded password for a system."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.2,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T16:27:32.117Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.flocksafety.com/articles/gunshot-detection-and-license-plate-reader-security-alert"
},
{
"url": "https://gainsec.com/2025/06/19/bird-hunting-season-security-research-on-flock-safety-anti-crime-systems/"
},
{
"url": "https://gainsec.com/wp-content/uploads/2025/06/flock-safety-researcher-summary.pdf"
},
{
"url": "https://gainsec.com/2025/06/19/plucked-and-rooted-device-1-debug-shell-on-flock-safetys-raven-gunshot-detection-system/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-47821",
"datePublished": "2025-06-27T00:00:00.000Z",
"dateReserved": "2025-05-10T00:00:00.000Z",
"dateUpdated": "2025-09-02T16:27:32.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47823 (GCVE-0-2025-47823)
Vulnerability from cvelistv5
Published
2025-06-27 00:00
Modified
2025-09-02 16:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-259 - Use of Hard-coded Password
Summary
Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have a hardcoded password for a system.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Flock Safety | License Plate Reader |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47823",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-30T18:50:10.052853Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T18:50:27.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "License Plate Reader",
"vendor": "Flock Safety",
"versions": [
{
"lessThanOrEqual": "2.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have a hardcoded password for a system."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.2,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T16:13:25.835Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.flocksafety.com/articles/gunshot-detection-and-license-plate-reader-security-alert"
},
{
"url": "https://gainsec.com/2025/06/19/bird-hunting-season-security-research-on-flock-safety-anti-crime-systems/"
},
{
"url": "https://gainsec.com/2025/06/19/grounded-flight-device-2-root-shell-on-flock-safetys-falcon-sparrow-automated-license-plate-reader/"
},
{
"url": "https://gainsec.com/wp-content/uploads/2025/06/flock-safety-researcher-summary.pdf"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-47823",
"datePublished": "2025-06-27T00:00:00.000Z",
"dateReserved": "2025-05-10T00:00:00.000Z",
"dateUpdated": "2025-09-02T16:13:25.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54754 (GCVE-0-2025-54754)
Vulnerability from cvelistv5
Published
2025-09-18 21:06
Modified
2025-09-19 13:04
Severity ?
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.6 (High) - CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
8.6 (High) - CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
VLAI Severity ?
EPSS score ?
CWE
Summary
An attacker with adjacent access, without authentication, can exploit
this vulnerability to retrieve a hard-coded password embedded in
publicly available software. This password can then be used to decrypt
sensitive network traffic, affecting the Cognex device.
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Cognex | In-Sight 2000 series |
Version: 5.x < |
|||||||||||||||||||||
|
||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T13:03:56.638904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T13:04:14.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "In-Sight 2000 series",
"vendor": "Cognex",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "In-Sight 7000 series",
"vendor": "Cognex",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "In-Sight 8000 series",
"vendor": "Cognex",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "In-Sight 9000 series",
"vendor": "Cognex",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "In-Sight Explorer",
"vendor": "Cognex",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "5.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Diego Giubertoni of Nozomi Networks reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker with adjacent access, without authentication, can exploit \nthis vulnerability to retrieve a hard-coded password embedded in \npublicly available software. This password can then be used to decrypt \nsensitive network traffic, affecting the Cognex device."
}
],
"value": "An attacker with adjacent access, without authentication, can exploit \nthis vulnerability to retrieve a hard-coded password embedded in \npublicly available software. This password can then be used to decrypt \nsensitive network traffic, affecting the Cognex device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T21:06:15.053Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-06"
}
],
"source": {
"advisory": "ICSA-25-261-06",
"discovery": "EXTERNAL"
},
"title": "Cognex In-Sight Explorer and In-Sight Camera Firmware Use of Hard-coded Password",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cognex reports that In-Sight Explorer based vision systems are legacy \nproducts not intended for new applications. To reduce risk, asset owners\n are advised to switch to next generation In-Sight Vision Suite based \nvision systems, such as the In-Sight 2800, In-Sight 3800, In-Sight 8900 \nseries embedded cameras.\n\n\u003cbr\u003e"
}
],
"value": "Cognex reports that In-Sight Explorer based vision systems are legacy \nproducts not intended for new applications. To reduce risk, asset owners\n are advised to switch to next generation In-Sight Vision Suite based \nvision systems, such as the In-Sight 2800, In-Sight 3800, In-Sight 8900 \nseries embedded cameras."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-54754",
"datePublished": "2025-09-18T21:06:15.053Z",
"dateReserved": "2025-08-06T16:32:41.245Z",
"dateUpdated": "2025-09-19T13:04:14.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57788 (GCVE-0-2025-57788)
Vulnerability from cvelistv5
Published
2025-08-20 00:00
Modified
2025-09-11 14:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-259 - Use of Hard-coded Password
Summary
A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57788",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:02:08.558353Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:02:30.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/#wt-2025-0047hardcoded-credentials"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CommCell",
"vendor": "Commvault",
"versions": [
{
"lessThanOrEqual": "11.32.101",
"status": "affected",
"version": "11.32.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.36.59",
"status": "affected",
"version": "11.36.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sonny and Piotr Bazydlo (@chudyPB) of watchTowr"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259: Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T16:00:55.240Z",
"orgId": "050066fd-a2f9-4f32-ab5d-4c53f48bc333",
"shortName": "Commvault"
},
"references": [
{
"url": "https://documentation.commvault.com/securityadvisories/CV_2025_08_3.html"
}
],
"title": "Unauthorized API Access Risk"
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-57788",
"datePublished": "2025-08-20T00:00:00.000Z",
"dateReserved": "2025-08-19T00:00:00.000Z",
"dateUpdated": "2025-09-11T14:02:30.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58081 (GCVE-0-2025-58081)
Vulnerability from cvelistv5
Published
2025-08-28 08:28
Modified
2025-08-28 13:43
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-259 - Use of hard-coded password
Summary
Use of hard-coded password issue/vulnerability in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to view arbitrary files with root privileges.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| DOS Co., Ltd. | SS1 |
Version: Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) (Affected under MacOS environment only) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-28T13:42:28.909872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T13:43:05.729Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SS1",
"vendor": "DOS Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) (Affected under MacOS environment only)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use of hard-coded password issue/vulnerability in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to view arbitrary files with root privileges."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "Use of hard-coded password",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T08:28:38.426Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.dos-osaka.co.jp/news/2025/08/250827.html"
},
{
"url": "https://jvn.jp/en/jp/JVN99577552/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-58081",
"datePublished": "2025-08-28T08:28:38.426Z",
"dateReserved": "2025-08-25T06:42:29.610Z",
"dateUpdated": "2025-08-28T13:43:05.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Mitigation
Phase: Architecture and Design
Description:
- For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password.
Mitigation
Phase: Architecture and Design
Description:
- Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
Phase: Architecture and Design
Description:
- For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved.
- Use randomly assigned salts for each separate hash that you generate. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
Phase: Architecture and Design
Description:
- For front-end to back-end connections: Three solutions are possible, although none are complete.
No CAPEC attack patterns related to this CWE.