Common Weakness Enumeration

CWE-798

Allowed-with-Review

Use of Hard-coded Credentials

Abstraction: Base · Status: Draft

The product contains hard-coded credentials, such as a password or cryptographic key.

2176 vulnerabilities reference this CWE, most recent first.

GHSA-PFFP-CH4H-4669

Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-07-29 00:00
VLAI
Details

A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All Versions), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions). Devices create a new unique key upon factory reset, except when used with C-PLUG. When used with C-PLUG the devices use the hardcoded private RSA-key shipped with the firmware-image. An attacker could leverage this situation to a man-in-the-middle situation and decrypt previously captured traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28391"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-12T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All Versions), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions). Devices create a new unique key upon factory reset, except when used with C-PLUG. When used with C-PLUG the devices use the hardcoded private RSA-key shipped with the firmware-image. An attacker could leverage this situation to a man-in-the-middle situation and decrypt previously captured traffic.",
  "id": "GHSA-pffp-ch4h-4669",
  "modified": "2022-07-29T00:00:40Z",
  "published": "2022-05-24T17:38:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28391"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-274900.pdf"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-012-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFGG-8369-6X8V

Vulnerability from github – Published: 2025-12-13 18:30 – Updated: 2026-01-14 18:31
VLAI
Details

Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36752"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-13T16:16:54Z",
    "severity": "CRITICAL"
  },
  "details": "Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented\u00a0credentials\u00a0which\u00a0allows significant level access to the device, such as\u00a0allowing any attacker to access the Setting\u00a0Center. This means that this is effectively backdoor for all devices utilizing a Growatt ShineLan-X communication dongle.",
  "id": "GHSA-pfgg-8369-6x8v",
  "modified": "2026-01-14T18:31:16Z",
  "published": "2025-12-13T18:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36752"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/CVE-2025-36752"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PFHR-QVV5-JQP2

Vulnerability from github – Published: 2022-05-24 19:21 – Updated: 2022-05-24 19:21
VLAI
Details

D-Link DIR-615 before v20.12PTb04 has a second admin account with a 0x1 BACKDOOR value, which might allow remote attackers to obtain access via a TELNET connection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11436"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-19T07:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "D-Link DIR-615 before v20.12PTb04 has a second admin account with a 0x1 BACKDOOR value, which might allow remote attackers to obtain access via a TELNET connection.",
  "id": "GHSA-pfhr-qvv5-jqp2",
  "modified": "2022-05-24T19:21:20Z",
  "published": "2022-05-24T19:21:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11436"
    },
    {
      "type": "WEB",
      "url": "http://www.rootlabs.com.br/backdoor-dlink-dir-615"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFJR-8V62-GMM9

Vulnerability from github – Published: 2026-01-14 00:31 – Updated: 2026-01-14 00:31
VLAI
Details

Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36911"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-13T23:15:48Z",
    "severity": "CRITICAL"
  },
  "details": "Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system.",
  "id": "GHSA-pfjr-8v62-gmm9",
  "modified": "2026-01-14T00:31:26Z",
  "published": "2026-01-14T00:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36911"
    },
    {
      "type": "WEB",
      "url": "https://cobbr.io/Covenant.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cobbr/Covenant"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20201013165001/https://twitter.com/cobbr_io/status/1316058367161401344"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20201101052547/https://blog.null.farm/hunting-the-hunters"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51141"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/covenant-remote-code-execution-rce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PFMV-8P32-M4V6

Vulnerability from github – Published: 2022-12-06 00:30 – Updated: 2022-12-07 06:30
VLAI
Details

MegaRAC Default Credentials Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40242"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-05T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "MegaRAC Default Credentials Vulnerability",
  "id": "GHSA-pfmv-8p32-m4v6",
  "modified": "2022-12-07T06:30:26Z",
  "published": "2022-12-06T00:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40242"
    },
    {
      "type": "WEB",
      "url": "https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023001.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cp.ami.com/MegaRAC%20Security%20Advisory/SP-X/AMI_MegaRAC_SPx_Default_UID.pdf"
    },
    {
      "type": "WEB",
      "url": "https://eclypsium.com/2022/12/05/supply-chain-vulnerabilities-put-server-ecosystem-at-risk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PG72-259V-J753

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2024-04-04 02:54
VLAI
Details

The NetApp HCI H610S Baseboard Management Controller (BMC) is shipped with a documented default account and password that should be changed during the initial node setup. During upgrades to Element 11.8 and 12.0 the H610S BMC account password is reset to the default documented value which allows remote attackers to cause a Denial of Service (DoS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-8573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-29T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The NetApp HCI H610S Baseboard Management Controller (BMC) is shipped with a documented default account and password that should be changed during the initial node setup. During upgrades to Element 11.8 and 12.0 the H610S BMC account password is reset to the default documented value which allows remote attackers to cause a Denial of Service (DoS).",
  "id": "GHSA-pg72-259v-j753",
  "modified": "2024-04-04T02:54:44Z",
  "published": "2022-05-24T17:22:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8573"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200626-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PGQH-J5F3-P3CF

Vulnerability from github – Published: 2022-05-14 00:57 – Updated: 2024-03-21 03:33
VLAI
Details

** DISPUTED ** Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11681"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-02T13:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "** DISPUTED ** Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine.",
  "id": "GHSA-pgqh-j5f3-p3cf",
  "modified": "2024-03-21T03:33:25Z",
  "published": "2022-05-14T00:57:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11681"
    },
    {
      "type": "WEB",
      "url": "https://reversecodes.wordpress.com/2018/06/02/0-day-tomando-el-control-de-las-instalaciones-de-la-nasa-en-cabo-canaveral"
    },
    {
      "type": "WEB",
      "url": "http://sadfud.me/explotos/CVE-2018-11629"
    },
    {
      "type": "WEB",
      "url": "http://www.lutron.com/TechnicalDocumentLibrary/040249.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PGRG-RVJM-C6VQ

Vulnerability from github – Published: 2022-12-07 12:30 – Updated: 2022-12-13 03:30
VLAI
Details

Use of hard-coded credentials vulnerability in multiple Buffalo network devices allows a network-adjacent attacker to alter?configuration settings of the device. The affected products/versions are as follows: WZR-300HP firmware Ver. 2.00 and earlier, WZR-450HP firmware Ver. 2.00 and earlier, WZR-600DHP firmware Ver. 2.00 and earlier, WZR-900DHP firmware Ver. 1.15 and earlier, HW-450HP-ZWE firmware Ver. 2.00 and earlier, WZR-450HP-CWT firmware Ver. 2.00 and earlier, WZR-450HP-UB firmware Ver. 2.00 and earlier, WZR-600DHP2 firmware Ver. 1.15 and earlier, and WZR-D1100H firmware Ver. 2.00 and earlier.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-07T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Use of hard-coded credentials vulnerability in multiple Buffalo network devices allows a network-adjacent attacker to alter?configuration settings of the device. The affected products/versions are as follows: WZR-300HP firmware Ver. 2.00 and earlier, WZR-450HP firmware Ver. 2.00 and earlier, WZR-600DHP firmware Ver. 2.00 and earlier, WZR-900DHP firmware Ver. 1.15 and earlier, HW-450HP-ZWE firmware Ver. 2.00 and earlier, WZR-450HP-CWT firmware Ver. 2.00 and earlier, WZR-450HP-UB firmware Ver. 2.00 and earlier, WZR-600DHP2 firmware Ver. 1.15 and earlier, and WZR-D1100H firmware Ver. 2.00 and earlier.",
  "id": "GHSA-pgrg-rvjm-c6vq",
  "modified": "2022-12-13T03:30:45Z",
  "published": "2022-12-07T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34840"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU92805279/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.buffalo.jp/news/detail/20221003-01.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PH4H-Q38C-6XG4

Vulnerability from github – Published: 2026-06-03 21:30 – Updated: 2026-06-04 15:30
VLAI
Details

Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8876"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-03T19:16:39Z",
    "severity": "HIGH"
  },
  "details": "Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data.",
  "id": "GHSA-ph4h-q38c-6xg4",
  "modified": "2026-06-04T15:30:33Z",
  "published": "2026-06-03T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8876"
    },
    {
      "type": "WEB",
      "url": "https://kb.cert.org/vuls/id/595768"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PH78-5Q58-GQXJ

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2023-03-03 18:30
VLAI
Details

A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, leading to arbitrary commands to an OBD-II bus of a vehicle, as demonstrated by turning off the vehicle's lights.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-12797"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-31T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, leading to arbitrary commands to an OBD-II bus of a vehicle, as demonstrated by turning off the vehicle\u0027s lights.",
  "id": "GHSA-ph78-5q58-gqxj",
  "modified": "2023-03-03T18:30:27Z",
  "published": "2022-05-24T16:51:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12797"
    },
    {
      "type": "WEB",
      "url": "https://www.kth.se/polopoly_fs/1.914060.1561621279!/Ludvig%20and%20Daniel_final_dongles.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.kth.se/polopoly_fs/1.914063.1561621564!/Marstorp%20%26%20Lindstrom%2C%20Security%20Testing%20of%20an%20OBD-II%20Connected%20IoT%20Device.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.kth.se/polopoly_fs/1.917488.1564430206!/elm327.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
  • In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
Architecture and Design

For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.

Mitigation
Architecture and Design

If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.

Mitigation
Architecture and Design
  • For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
  • Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
Architecture and Design
  • For front-end to back-end connections: Three solutions are possible, although none are complete.
  • The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
  • Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
  • Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable

An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.

CAPEC-70: Try Common or Default Usernames and Passwords

An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.