CWE-798
Allowed-with-ReviewUse of Hard-coded Credentials
Abstraction: Base · Status: Draft
The product contains hard-coded credentials, such as a password or cryptographic key.
2174 vulnerabilities reference this CWE, most recent first.
GHSA-VV58-J7F9-Q5XC
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30 and all DGX-2 with BMC firmware versions prior to 1.06.06, contains a vulnerability in the AMI BMC firmware in which the firmware includes hard-coded credentials, which may lead to elevation of privileges or information disclosure.
{
"affected": [],
"aliases": [
"CVE-2020-11483"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-29T04:15:00Z",
"severity": "CRITICAL"
},
"details": "NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30 and all DGX-2 with BMC firmware versions prior to 1.06.06, contains a vulnerability in the AMI BMC firmware in which the firmware includes hard-coded credentials, which may lead to elevation of privileges or information disclosure.",
"id": "GHSA-vv58-j7f9-q5xc",
"modified": "2022-05-24T17:32:29Z",
"published": "2022-05-24T17:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11483"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5010"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VVH3-7MM5-GQGF
Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2023-10-04 18:30Dairy Farm Shop Management System v1.0 was discovered to contain hardcoded credentials in the source code which allows attackers access to the control panel if compromised.
{
"affected": [],
"aliases": [
"CVE-2020-36062"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-11T16:15:00Z",
"severity": "CRITICAL"
},
"details": "Dairy Farm Shop Management System v1.0 was discovered to contain hardcoded credentials in the source code which allows attackers access to the control panel if compromised.",
"id": "GHSA-vvh3-7mm5-gqgf",
"modified": "2023-10-04T18:30:24Z",
"published": "2022-02-12T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36062"
},
{
"type": "WEB",
"url": "https://github.com/VivekPanday12/CVE-/issues/3"
},
{
"type": "WEB",
"url": "https://phpgurukul.com"
},
{
"type": "WEB",
"url": "https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VVV6-P6RR-P76R
Vulnerability from github – Published: 2023-08-04 18:30 – Updated: 2024-04-04 06:33Connected IO v2.1.0 and prior uses a hard-coded username/password pair embedded in their device's firmware used for device communication using MQTT. An attacker who gained access to these credentials is able to connect to the MQTT broker and send messages on behalf of devices, impersonating them. in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication.
{
"affected": [],
"aliases": [
"CVE-2023-33372"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-04T18:15:11Z",
"severity": "CRITICAL"
},
"details": "Connected IO v2.1.0 and prior uses a hard-coded username/password pair embedded in their device\u0027s firmware used for device communication using MQTT. An attacker who gained access to these credentials is able to connect to the MQTT broker and send messages on behalf of devices, impersonating them. in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication.",
"id": "GHSA-vvv6-p6rr-p76r",
"modified": "2024-04-04T06:33:54Z",
"published": "2023-08-04T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33372"
},
{
"type": "WEB",
"url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33372"
},
{
"type": "WEB",
"url": "https://www.connectedio.com/products/routers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VVVR-4847-2P4F
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-18 00:01Use of a hard-coded cryptographic key pair by the telnetd_startup service allows an attacker on the local area network to obtain a root shell on the device over telnet. The builds of telnetd_startup included in the version 22.5.9.163 of the K2 firmware, and version 32.1.15.93 of the K3C firmware (possibly amongst many other releases) included both the private and public RSA keys. The remaining versions cited here redacted the private key, but left the public key unchanged. An attacker in possession of the leaked private key may, through a scripted exchange of UDP packets, instruct telnetd_startup to spawn an unauthenticated telnet shell as root, by means of which they can then obtain complete control of the device. A consequence of the limited availablility of firmware images for testing is that models and versions not listed here may share this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-25217"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:47:00Z",
"severity": "HIGH"
},
"details": "Use of a hard-coded cryptographic key pair by the telnetd_startup service allows an attacker on the local area network to obtain a root shell on the device over telnet. The builds of telnetd_startup included in the version 22.5.9.163 of the K2 firmware, and version 32.1.15.93 of the K3C firmware (possibly amongst many other releases) included both the private and public RSA keys. The remaining versions cited here redacted the private key, but left the public key unchanged. An attacker in possession of the leaked private key may, through a scripted exchange of UDP packets, instruct telnetd_startup to spawn an unauthenticated telnet shell as root, by means of which they can then obtain complete control of the device. A consequence of the limited availablility of firmware images for testing is that models and versions not listed here may share this vulnerability.",
"id": "GHSA-vvvr-4847-2p4f",
"modified": "2022-03-18T00:01:19Z",
"published": "2022-03-11T00:02:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25217"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2022-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VVW2-8CX5-FGFV
Vulnerability from github – Published: 2025-05-23 03:32 – Updated: 2025-05-23 03:32Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.
{
"affected": [],
"aliases": [
"CVE-2025-2394"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-23T01:15:19Z",
"severity": "MODERATE"
},
"details": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.",
"id": "GHSA-vvw2-8cx5-fgfv",
"modified": "2025-05-23T03:32:38Z",
"published": "2025-05-23T03:32:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2394"
},
{
"type": "WEB",
"url": "https://www.ecovacs.com/global/userhelp/dsa20250507001"
},
{
"type": "WEB",
"url": "https://www.themissinglink.com.au/security-advisories/cve-2025-2394"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VW3Q-RHHX-6VH7
Vulnerability from github – Published: 2023-08-24 21:30 – Updated: 2024-04-04 07:11The LMS5xx uses hard-coded credentials, which potentially allow low-skilled unauthorized remote attackers to reconfigure settings and /or disrupt the functionality of the device.
{
"affected": [],
"aliases": [
"CVE-2023-4419"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-24T19:15:43Z",
"severity": "HIGH"
},
"details": "The LMS5xx uses hard-coded credentials, which potentially allow low-skilled\nunauthorized remote attackers to reconfigure settings and /or disrupt the functionality of the device.",
"id": "GHSA-vw3q-rhhx-6vh7",
"modified": "2024-04-04T07:11:41Z",
"published": "2023-08-24T21:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4419"
},
{
"type": "WEB",
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0007.json"
},
{
"type": "WEB",
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0007.pdf"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VW42-99FW-3P5G
Vulnerability from github – Published: 2026-05-07 18:30 – Updated: 2026-05-07 18:30Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone who knows them.
{
"affected": [],
"aliases": [
"CVE-2026-7414"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-07T17:15:59Z",
"severity": "CRITICAL"
},
"details": "Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone who knows them.",
"id": "GHSA-vw42-99fw-3p5g",
"modified": "2026-05-07T18:30:40Z",
"published": "2026-05-07T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7414"
},
{
"type": "WEB",
"url": "https://github.com/Bin4ry/yarbo-nat-in-my-back-yard"
},
{
"type": "WEB",
"url": "https://github.com/Bin4ry/yarbo-nat-in-my-back-yard#3--hardcoded-developer-credentials-in-production-apk"
},
{
"type": "WEB",
"url": "https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000001111111111100011111111111000000000000000000000000000000000000000000000000000001000"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VW52-2PGM-8CJ2
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38Hard-coded accounts may be used to access Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue.
{
"affected": [],
"aliases": [
"CVE-2015-3953"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-25T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Hard-coded accounts may be used to access Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue.",
"id": "GHSA-vw52-2pgm-8cj2",
"modified": "2022-05-13T01:38:53Z",
"published": "2022-05-13T01:38:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3953"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VWGH-XM6C-WQH8
Vulnerability from github – Published: 2025-03-18 21:32 – Updated: 2025-03-25 18:30An issue was discovered in the G-Net GNET APK 2.6.2. Hardcoded credentials exist in in APK for ports 9091 and 9092. The GNET mobile application contains hardcoded credentials that provide unauthorized access to the dashcam's API endpoints on ports 9091 and 9092. Once the GNET SSID is connected to, the attacker sends a crafted authentication command with TibetList and 000000 to list settings of the dashcam at port 9091. There's a separate set of credentials for port 9092 (stream) that is also exposed in cleartext: admin + tibet. For settings, the required credentials are adim + 000000.
{
"affected": [],
"aliases": [
"CVE-2025-30137"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-18T20:15:26Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in the G-Net GNET APK 2.6.2. Hardcoded credentials exist in in APK for ports 9091 and 9092. The GNET mobile application contains hardcoded credentials that provide unauthorized access to the dashcam\u0027s API endpoints on ports 9091 and 9092. Once the GNET SSID is connected to, the attacker sends a crafted authentication command with TibetList and 000000 to list settings of the dashcam at port 9091. There\u0027s a separate set of credentials for port 9092 (stream) that is also exposed in cleartext: admin + tibet. For settings, the required credentials are adim + 000000.",
"id": "GHSA-vwgh-xm6c-wqh8",
"modified": "2025-03-25T18:30:52Z",
"published": "2025-03-18T21:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30137"
},
{
"type": "WEB",
"url": "https://github.com/geo-chen/GNET"
},
{
"type": "WEB",
"url": "https://www.gnetsystem.com/eng/product/list?viewMode=view\u0026idx=246\u0026ca_id=0201"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VWQR-4Q2W-739Q
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42Tesla SolarCity Solar Monitoring Gateway through 5.46.43 has a "Use of Hard-coded Credentials" issue because Digi ConnectPort X2e uses a .pyc file to store the cleartext password for the python user account.
{
"affected": [],
"aliases": [
"CVE-2020-9306"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-18T00:15:00Z",
"severity": "HIGH"
},
"details": "Tesla SolarCity Solar Monitoring Gateway through 5.46.43 has a \"Use of Hard-coded Credentials\" issue because Digi ConnectPort X2e uses a .pyc file to store the cleartext password for the python user account.",
"id": "GHSA-vwqr-4q2w-739q",
"modified": "2022-05-24T17:42:36Z",
"published": "2022-05-24T17:42:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9306"
},
{
"type": "WEB",
"url": "https://github.com/fireeye/Vulnerability-Disclosures/blob/master/FEYE-2020-0019/FEYE-2020-0019.md"
},
{
"type": "WEB",
"url": "https://www.fireeye.com/blog/threat-research.html"
},
{
"type": "WEB",
"url": "https://www.fireeye.com/blog/threat-research/2021/02/solarcity-exploitation-of-x2e-iot-device-part-one.html"
},
{
"type": "WEB",
"url": "https://www.fireeye.com/blog/threat-research/2021/02/solarcity-exploitation-of-x2e-iot-device-part-two.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
- In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Mitigation
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
- Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
- For front-end to back-end connections: Three solutions are possible, although none are complete.
- The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
- Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
- Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable
An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.
CAPEC-70: Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.