CWE-798
Allowed-with-ReviewUse of Hard-coded Credentials
Abstraction: Base · Status: Draft
The product contains hard-coded credentials, such as a password or cryptographic key.
2178 vulnerabilities reference this CWE, most recent first.
GHSA-HGH5-R35V-W387
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:28An issue was discovered in the Ascensia Contour NEXT ONE application for Android before 2019-01-15. It has a statically coded encryption key. Extraction of the encryption key is necessary for deciphering communications between this application and the backend server. This, in combination with retrieving any user's encrypted data from the Ascensia cloud through another vulnerability, allows an attacker to obtain and modify any patient's medical information.
{
"affected": [],
"aliases": [
"CVE-2018-18978"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-06T20:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the Ascensia Contour NEXT ONE application for Android before 2019-01-15. It has a statically coded encryption key. Extraction of the encryption key is necessary for deciphering communications between this application and the backend server. This, in combination with retrieving any user\u0027s encrypted data from the Ascensia cloud through another vulnerability, allows an attacker to obtain and modify any patient\u0027s medical information.",
"id": "GHSA-hgh5-r35v-w387",
"modified": "2024-04-04T00:28:50Z",
"published": "2022-05-24T16:45:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18978"
},
{
"type": "WEB",
"url": "https://depthsecurity.com/blog/medical-exploitation-you-are-now-diabetic"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HGP9-3V5V-223J
Vulnerability from github – Published: 2025-04-03 21:32 – Updated: 2025-10-22 00:33Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, which enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: the CentreStack admin can manually delete the machineKey defined in portal\web.config.
{
"affected": [],
"aliases": [
"CVE-2025-30406"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-03T20:15:24Z",
"severity": "CRITICAL"
},
"details": "Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal\u0027s hardcoded machineKey use, which enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: the CentreStack admin can manually delete the machineKey defined in portal\\web.config.",
"id": "GHSA-hgp9-3v5v-223j",
"modified": "2025-10-22T00:33:16Z",
"published": "2025-04-03T21:32:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30406"
},
{
"type": "WEB",
"url": "https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf"
},
{
"type": "WEB",
"url": "https://www.centrestack.com/p/gce_latest_release.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30406"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HGV5-65GR-22WF
Vulnerability from github – Published: 2023-02-03 18:30 – Updated: 2023-02-10 15:30TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a hard code password for root which is stored in the component /etc/shadow.
{
"affected": [],
"aliases": [
"CVE-2023-24149"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-03T16:15:00Z",
"severity": "CRITICAL"
},
"details": "TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a hard code password for root which is stored in the component /etc/shadow.",
"id": "GHSA-hgv5-65gr-22wf",
"modified": "2023-02-10T15:30:27Z",
"published": "2023-02-03T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24149"
},
{
"type": "WEB",
"url": "https://github.com/Double-q1015/CVE-vulns/blob/main/totolink_ca300-poe/root_hard_code/root_hard_code.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HGXX-PHVQ-94MF
Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2023-02-03 15:31IBM InfoSphere Information Server 11.7.1.0 stores a common hard coded encryption key that could be used to decrypt sensitive information. IBM X-Force ID: 159229.
{
"affected": [],
"aliases": [
"CVE-2019-4220"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-06T01:29:00Z",
"severity": "MODERATE"
},
"details": "IBM InfoSphere Information Server 11.7.1.0 stores a common hard coded encryption key that could be used to decrypt sensitive information. IBM X-Force ID: 159229.",
"id": "GHSA-hgxx-phvq-94mf",
"modified": "2023-02-03T15:31:17Z",
"published": "2022-05-24T22:00:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4220"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/159229"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10881197"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HH4C-6R3R-58Q8
Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2023-02-04 00:30IBM Security Guardium Big Data Intelligence (SonarG) 4.0 uses hard coded credentials which could allow a local user to obtain highly sensitive information. IBM X-Force ID: 161035.
{
"affected": [],
"aliases": [
"CVE-2019-4309"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-29T00:15:00Z",
"severity": "LOW"
},
"details": "IBM Security Guardium Big Data Intelligence (SonarG) 4.0 uses hard coded credentials which could allow a local user to obtain highly sensitive information. IBM X-Force ID: 161035.",
"id": "GHSA-hh4c-6r3r-58q8",
"modified": "2023-02-04T00:30:37Z",
"published": "2022-05-24T22:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4309"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161035"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/1096348"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HHGR-RPP9-9WHW
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL Server backend, and stores database credentials to access this backend in a file readable by unprivileged users. As a result, any user having access to the filesystem can read database login details from that file, including the login name and its associated password. Then, the credentials can be used to get database owner access to the SWNetPerfMon.DB database. This gives access to the data collected by SolarWinds applications, and leads to admin access to the applications by inserting or changing authentication data stored in the Accounts table of the database.
{
"affected": [],
"aliases": [
"CVE-2021-25275"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-03T17:15:00Z",
"severity": "HIGH"
},
"details": "SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL Server backend, and stores database credentials to access this backend in a file readable by unprivileged users. As a result, any user having access to the filesystem can read database login details from that file, including the login name and its associated password. Then, the credentials can be used to get database owner access to the SWNetPerfMon.DB database. This gives access to the data collected by SolarWinds applications, and leads to admin access to the applications by inserting or changing authentication data stored in the Accounts table of the database.",
"id": "GHSA-hhgr-rpp9-9whw",
"modified": "2022-05-24T17:40:55Z",
"published": "2022-05-24T17:40:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25275"
},
{
"type": "WEB",
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HHH6-M9CR-Q5P4
Vulnerability from github – Published: 2022-07-26 00:00 – Updated: 2022-08-02 00:00IBM Security Verify Information Queue 10.0.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 230817.
{
"affected": [],
"aliases": [
"CVE-2022-35287"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-25T18:23:00Z",
"severity": "HIGH"
},
"details": "IBM Security Verify Information Queue 10.0.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 230817.",
"id": "GHSA-hhh6-m9cr-q5p4",
"modified": "2022-08-02T00:00:33Z",
"published": "2022-07-26T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35287"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/230817"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6606827"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HHP6-57MG-2WMW
Vulnerability from github – Published: 2022-05-17 04:43 – Updated: 2025-11-01 00:30Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.
{
"affected": [],
"aliases": [
"CVE-2014-2350"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-05-22T20:55:00Z",
"severity": "HIGH"
},
"details": "Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.",
"id": "GHSA-hhp6-57mg-2wmw",
"modified": "2025-11-01T00:30:25Z",
"published": "2022-05-17T04:43:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2350"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-133-02"
},
{
"type": "WEB",
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-133-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HHP8-Q7C4-JX53
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38The ifmap service that comes bundled with Juniper Networks Contrail releases uses hard coded credentials. Affected releases are Contrail releases 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).
{
"affected": [],
"aliases": [
"CVE-2017-10616"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-13T17:29:00Z",
"severity": "MODERATE"
},
"details": "The ifmap service that comes bundled with Juniper Networks Contrail releases uses hard coded credentials. Affected releases are Contrail releases 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).",
"id": "GHSA-hhp8-q7c4-jx53",
"modified": "2022-05-13T01:38:22Z",
"published": "2022-05-13T01:38:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-qx9c-49m4-f3vj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10616"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA10819"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HHV4-J8VF-V2H8
Vulnerability from github – Published: 2024-09-30 09:30 – Updated: 2024-09-30 09:30Certain switch models from PLANET Technology have a Hard-coded community string in the SNMPv1 service, allowing unauthorized remote attackers to use this community string to access the SNMPv1 service with read-write privileges.
{
"affected": [],
"aliases": [
"CVE-2024-8450"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-30T07:15:04Z",
"severity": "HIGH"
},
"details": "Certain switch models from PLANET Technology have a Hard-coded community string in the SNMPv1 service, allowing unauthorized remote attackers to use this community string to access the SNMPv1 service with read-write privileges.",
"id": "GHSA-hhv4-j8vf-v2h8",
"modified": "2024-09-30T09:30:45Z",
"published": "2024-09-30T09:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8450"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-8050-52f32-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-8049-83fe4-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
- In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Mitigation
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
- Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
- For front-end to back-end connections: Three solutions are possible, although none are complete.
- The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
- Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
- Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable
An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.
CAPEC-70: Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.