Common Weakness Enumeration

CWE-1391

Allowed-with-Review

Use of Weak Credentials

Abstraction: Class · Status: Incomplete

The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.

98 vulnerabilities reference this CWE, most recent first.

CVE-2022-3010 (GCVE-0-2022-3010)

Vulnerability from cvelistv5 – Published: 2024-01-02 18:32 – Updated: 2025-06-04 19:17
VLAI
Title
Predictable SSH credentials in Priva TopControl Suite
Summary
The Priva TopControl Suite contains predictable credentials for the SSH service, based on the Serial number. Which makes it possible for an attacker to calculate the login credentials for the Priva TopControll suite.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Priva TopControl Suite - Bacnet Affected: All versions prior to 8.7.8.0 , < 8.7.8.0 (y.x.z.z)
Create a notification for this product.
Priva TopControl Suite - Blue ID Affected: All versions prior to 8.7.8.0 , < 8.7.8.0 (y.x.z)
Create a notification for this product.
Priva TopControl Suite - Compass Affected: All versions prior to 8.7.8.0 , < 8.7.8.0 (y.x.z)
Create a notification for this product.
Priva TopControl Suite - Connect Affected: All versions prior to 8.7.8.0 , < 8.7.8.0 (y.x.z)
Create a notification for this product.
Priva TopControl Suite - TPC Affected: All versions prior to 8.7.8.0 , < 8.7.8.0 (y.x.z)
Create a notification for this product.
Date Public
2022-12-22 11:00
Credits
A researcher at NorthWave reported this vulnerability to DIVD. Victor Pasman (DIVD)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:53:00.594Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/CVE-2022-3010"
          },
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-356-01"
          },
          {
            "tags": [
              "related",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/DIVD-2022-00035"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-3010",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-08T18:43:54.412823Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-03T14:45:39.804Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "TopControl Suite - Bacnet",
          "vendor": "Priva",
          "versions": [
            {
              "lessThan": "8.7.8.0",
              "status": "affected",
              "version": "All versions prior to 8.7.8.0",
              "versionType": "y.x.z.z"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TopControl Suite - Blue ID",
          "vendor": "Priva",
          "versions": [
            {
              "lessThan": "8.7.8.0",
              "status": "affected",
              "version": "All versions prior to 8.7.8.0",
              "versionType": "y.x.z"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TopControl Suite - Compass",
          "vendor": "Priva",
          "versions": [
            {
              "lessThan": "8.7.8.0",
              "status": "affected",
              "version": "All versions prior to 8.7.8.0",
              "versionType": "y.x.z"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TopControl Suite - Connect",
          "vendor": "Priva",
          "versions": [
            {
              "lessThan": "8.7.8.0",
              "status": "affected",
              "version": "All versions prior to 8.7.8.0",
              "versionType": "y.x.z"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TopControl Suite - TPC",
          "vendor": "Priva",
          "versions": [
            {
              "lessThan": "8.7.8.0",
              "status": "affected",
              "version": "All versions prior to 8.7.8.0",
              "versionType": "y.x.z"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "A researcher at NorthWave reported this vulnerability to DIVD."
        },
        {
          "lang": "en",
          "type": "analyst",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Victor Pasman (DIVD)"
        }
      ],
      "datePublic": "2022-12-22T11:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Priva TopControl Suite contains\u0026nbsp;predictable credentials for the SSH service, based on the Serial number. Which makes it possible for an attacker to calculate the login credentials for the Priva TopControll suite."
            }
          ],
          "value": "The Priva TopControl Suite contains\u00a0predictable credentials for the SSH service, based on the Serial number. Which makes it possible for an attacker to calculate the login credentials for the Priva TopControll suite."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-560",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-560 Use of Known Domain Credentials"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1391",
              "description": "CWE-1391 Use of Weak Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T19:17:57.435Z",
        "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "shortName": "DIVD"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://csirt.divd.nl/CVE-2022-3010"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-356-01"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://csirt.divd.nl/DIVD-2022-00035"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Priva recommends users to contact their \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.priva.com/buildings/solutions/priva-building-operator#section-04\"\u003esupport team\u003c/a\u003e to upgrade to TopControl Suite version 8.7.8.0 or later.\u003cbr\u003eMinimize network exposure for all control system devices and/or systems, ensure that they are not directly accessible from the internet."
            }
          ],
          "value": "Priva recommends users to contact their  support team https://www.priva.com/buildings/solutions/priva-building-operator#section-04 \u00a0to upgrade to TopControl Suite version 8.7.8.0 or later.\nMinimize network exposure for all control system devices and/or systems, ensure that they are not directly accessible from the internet."
        }
      ],
      "source": {
        "advisory": "DIVD-2022-00035",
        "discovery": "EXTERNAL"
      },
      "title": "Predictable SSH credentials in Priva TopControl Suite",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
    "assignerShortName": "DIVD",
    "cveId": "CVE-2022-3010",
    "datePublished": "2024-01-02T18:32:22.947Z",
    "dateReserved": "2022-08-26T14:53:53.087Z",
    "dateUpdated": "2025-06-04T19:17:57.435Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-2MR3-J246-X7X3

Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-07-25 18:30
VLAI
Details

An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device's serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-51978"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1391"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-25T08:15:31Z",
    "severity": "CRITICAL"
  },
  "details": "An unauthenticated attacker who knows the target device\u0027s serial number, can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device\u0027s serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request.",
  "id": "GHSA-2mr3-j246-x7x3",
  "modified": "2025-07-25T18:30:35Z",
  "published": "2025-06-26T21:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51978"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rapid7/metasploit-framework/pull/20349"
    },
    {
      "type": "WEB",
      "url": "https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-51978.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sfewer-r7/BrotherVulnerabilities"
    },
    {
      "type": "WEB",
      "url": "https://support.brother.com/g/b/link.aspx?prod=group2\u0026faqid=faq00100846_000"
    },
    {
      "type": "WEB",
      "url": "https://support.brother.com/g/b/link.aspx?prod=group2\u0026faqid=faq00100848_000"
    },
    {
      "type": "WEB",
      "url": "https://support.brother.com/g/b/link.aspx?prod=lmgroup1\u0026faqid=faqp00100620_000"
    },
    {
      "type": "WEB",
      "url": "https://www.bleepingcomputer.com/news/security/brother-printer-bug-in-689-models-exposes-default-admin-passwords"
    },
    {
      "type": "WEB",
      "url": "https://www.darkreading.com/endpoint-security/millions-brother-printers-critical-unpatchable-bug"
    },
    {
      "type": "WEB",
      "url": "https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2025-0001.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.rapid7.com/blog/post/multiple-brother-devices-multiple-vulnerabilities-fixed"
    },
    {
      "type": "WEB",
      "url": "https://www.securityweek.com/new-vulnerabilities-expose-millions-of-brother-printers-to-hacking"
    },
    {
      "type": "WEB",
      "url": "https://www.toshibatec.com/information/20250625_02.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3FGM-3M4R-2X8G

Vulnerability from github – Published: 2025-09-18 21:30 – Updated: 2025-09-18 21:30
VLAI
Details

Dover Fueling Solutions ProGauge MagLink LX4 Devices have default root credentials that cannot be changed through standard administrative means. An attacker with network access to the device can gain administrative access to the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30519"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1391"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T21:15:47Z",
    "severity": "CRITICAL"
  },
  "details": "Dover Fueling Solutions ProGauge MagLink LX4 Devices\u00a0have default root credentials that cannot be changed through standard \nadministrative means. An attacker with network access to the device can \ngain administrative access to the system.",
  "id": "GHSA-3fgm-3m4r-2x8g",
  "modified": "2025-09-18T21:30:57Z",
  "published": "2025-09-18T21:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30519"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-07"
    },
    {
      "type": "WEB",
      "url": "https://www.doverfuelingsolutions.com/mea/en/products-and-solutions/automatic-tank-gauging/consoles/progauge-maglink-lx-4-console.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-47GJ-J96M-3HHG

Vulnerability from github – Published: 2024-02-02 00:31 – Updated: 2025-08-07 21:31
VLAI
Details

Gessler GmbH WEB-MASTER has a restoration account that uses weak hard coded credentials and if exploited could allow an attacker control over the web management of the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1391",
      "CWE-287",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-01T22:15:55Z",
    "severity": "CRITICAL"
  },
  "details": "Gessler GmbH WEB-MASTER has a restoration account that uses weak hard coded credentials and if exploited could allow an attacker control over the web management of the device.",
  "id": "GHSA-47gj-j96m-3hhg",
  "modified": "2025-08-07T21:31:03Z",
  "published": "2024-02-02T00:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1039"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4XG9-H72C-FXFM

Vulnerability from github – Published: 2025-07-31 06:30 – Updated: 2025-07-31 06:30
VLAI
Details

ZXHN-F660T and ZXHN-F660A provided by ZTE Japan K.K. use a common credential for all installations. With the knowledge of the credential, an attacker may log in to the affected devices.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53558"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1391"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-31T06:15:24Z",
    "severity": "HIGH"
  },
  "details": "ZXHN-F660T and ZXHN-F660A provided by ZTE Japan K.K. use a common credential for all installations. With the knowledge of the credential, an attacker may log in to the affected devices.",
  "id": "GHSA-4xg9-h72c-fxfm",
  "modified": "2025-07-31T06:30:32Z",
  "published": "2025-07-31T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53558"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN66546573"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-624F-P4GG-QWG2

Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-05-28 12:30
VLAI
Details

Dlink DWR-X1820 router uses weak default password generated from its IMEI number and does not require users to change it. An attacker who knows how passwords are generated can easily crack the default password if they have the device IMEI number.

This issue was fixed in version 1.00B16CP.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1391"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T10:16:39Z",
    "severity": "MODERATE"
  },
  "details": "Dlink\u00a0DWR-X1820 router uses weak default password generated from its IMEI number and does not require users to change it. An attacker who knows how passwords are generated can easily crack the default password if they have the device IMEI number.\n\nThis issue was fixed in version\u00a01.00B16CP.",
  "id": "GHSA-624f-p4gg-qwg2",
  "modified": "2026-05-28T12:30:34Z",
  "published": "2026-05-28T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4377"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2026/05/CVE-2026-4377"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com/pl/pl/products/dwr-1820-cp#support"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-65FR-GPW6-J777

Vulnerability from github – Published: 2023-05-22 21:30 – Updated: 2024-04-04 04:16
VLAI
Details

Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account accessible through hard-coded credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1391",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-22T20:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nSnap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account accessible through hard-coded credentials.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n",
  "id": "GHSA-65fr-gpw6-j777",
  "modified": "2024-04-04T04:16:46Z",
  "published": "2023-05-22T21:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31240"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01"
    },
    {
      "type": "WEB",
      "url": "https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-r.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7CX5-PCXX-59Q4

Vulnerability from github – Published: 2024-10-15 12:30 – Updated: 2024-10-15 12:30
VLAI
Details

An unauthenticated remote attacker can perform a brute-force attack on the credentials of the remote service portal with a high chance of success, resulting in connection lost.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1391"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-15T11:15:11Z",
    "severity": "HIGH"
  },
  "details": "An unauthenticated remote attacker can perform a brute-force attack on the credentials of the remote service portal with a high chance of success, resulting in connection lost.",
  "id": "GHSA-7cx5-pcxx-59q4",
  "modified": "2024-10-15T12:30:37Z",
  "published": "2024-10-15T12:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45272"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2024-068"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2024-069"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7RXX-X775-HWQ2

Vulnerability from github – Published: 2025-08-02 03:31 – Updated: 2025-11-03 21:34
VLAI
Details

Partner Software's Partner Software Product and corresponding Partner Web application use the same default username and password for the administrator account across all versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1391"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-02T03:15:24Z",
    "severity": "CRITICAL"
  },
  "details": "Partner Software\u0027s Partner Software Product and corresponding Partner Web application use the same default username and password for the administrator account across all versions.",
  "id": "GHSA-7rxx-x775-hwq2",
  "modified": "2025-11-03T21:34:17Z",
  "published": "2025-08-02T03:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6077"
    },
    {
      "type": "WEB",
      "url": "https://kb.cert.org/vuls/id/317469"
    },
    {
      "type": "WEB",
      "url": "https://partnersoftware.com/resources/software-release-info-4-32"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/317469"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WPM-58FR-6P69

Vulnerability from github – Published: 2025-02-06 21:32 – Updated: 2025-02-12 00:32
VLAI
Details

An issue in Smartcom Bulgaria AD Smartcom Ralink CPE/WiFi router SAM-4G1G-TT-W-VC, SAM-4F1F-TT-W-A1 allows a remote attacker to obtain sensitive information via the Weak default WiFi password generation algorithm in WiFi routers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22936"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1391",
      "CWE-327"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-06T20:15:40Z",
    "severity": "HIGH"
  },
  "details": "An issue in Smartcom Bulgaria AD Smartcom Ralink CPE/WiFi router SAM-4G1G-TT-W-VC, SAM-4F1F-TT-W-A1 allows a remote attacker to obtain sensitive information via the Weak default WiFi password generation algorithm in WiFi routers.",
  "id": "GHSA-7wpm-58fr-6p69",
  "modified": "2025-02-12T00:32:15Z",
  "published": "2025-02-06T21:32:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22936"
    },
    {
      "type": "WEB",
      "url": "https://sec.stanev.org/advisories/Smartcom_default_WPA_password.txt"
    },
    {
      "type": "WEB",
      "url": "http://smartcom.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Operation

When the user changes or sets a password, check the password against a database of already compromised or breached passwords. These passwords are likely to be used in password guessing attacks.

No CAPEC attack patterns related to this CWE.