CWE-798
Allowed-with-ReviewUse of Hard-coded Credentials
Abstraction: Base · Status: Draft
The product contains hard-coded credentials, such as a password or cryptographic key.
2174 vulnerabilities reference this CWE, most recent first.
GHSA-WGJ6-5J44-XMCV
Vulnerability from github – Published: 2022-05-17 03:41 – Updated: 2022-05-17 03:41ZModo ZP-NE14-S and ZP-IBH-13W devices have a hardcoded root password, which makes it easier for remote attackers to obtain access via a TELNET session.
{
"affected": [],
"aliases": [
"CVE-2016-5081"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-08-24T02:00:00Z",
"severity": "CRITICAL"
},
"details": "ZModo ZP-NE14-S and ZP-IBH-13W devices have a hardcoded root password, which makes it easier for remote attackers to obtain access via a TELNET session.",
"id": "GHSA-wgj6-5j44-xmcv",
"modified": "2022-05-17T03:41:03Z",
"published": "2022-05-17T03:41:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5081"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/301735"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92449"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WGXM-G76M-VMCR
Vulnerability from github – Published: 2022-05-14 02:20 – Updated: 2022-05-14 02:20Harmonic NSG 9000 devices have a default password of nsgadmin for the admin account, a default password of nsgguest for the guest account, and a default password of nsgconfig for the config account.
{
"affected": [],
"aliases": [
"CVE-2018-14943"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-05T18:29:00Z",
"severity": "CRITICAL"
},
"details": "Harmonic NSG 9000 devices have a default password of nsgadmin for the admin account, a default password of nsgguest for the guest account, and a default password of nsgconfig for the config account.",
"id": "GHSA-wgxm-g76m-vmcr",
"modified": "2022-05-14T02:20:42Z",
"published": "2022-05-14T02:20:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14943"
},
{
"type": "WEB",
"url": "https://github.com/pudding2/NSG9000/blob/master/exp.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WH7X-5725-86JP
Vulnerability from github – Published: 2026-03-04 09:31 – Updated: 2026-03-17 18:30International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver contains hardcoded credentials for the monitor account. A remote unauthenticated attacker can use these trivial, undocumented credentials to access the system via SSH. While initially dropped into a restricted shell, the attacker can trivially break out to achieve standard shell functionality.
{
"affected": [],
"aliases": [
"CVE-2026-28776"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-04T08:16:13Z",
"severity": "HIGH"
},
"details": "International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver contains hardcoded credentials for the `monitor` account. A remote unauthenticated attacker can use these trivial, undocumented credentials to access the system via SSH. While initially dropped into a restricted shell, the attacker can trivially break out to achieve standard shell functionality.",
"id": "GHSA-wh7x-5725-86jp",
"modified": "2026-03-17T18:30:31Z",
"published": "2026-03-04T09:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28776"
},
{
"type": "WEB",
"url": "https://www.abdulmhsblog.com/posts/sfx2100-vulns"
},
{
"type": "WEB",
"url": "https://www.abdulmhsblog.com/posts/spfx-vulnrabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WHGX-FG89-G68C
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02IBM Security Identity Manager 7.0.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 200252.
{
"affected": [],
"aliases": [
"CVE-2021-29691"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-20T15:15:00Z",
"severity": "HIGH"
},
"details": "IBM Security Identity Manager 7.0.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 200252.",
"id": "GHSA-whgx-fg89-g68c",
"modified": "2022-05-24T19:02:51Z",
"published": "2022-05-24T19:02:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29691"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/200252"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6454587"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WHJV-65HM-X47G
Vulnerability from github – Published: 2025-09-05 21:32 – Updated: 2025-09-05 21:32A vulnerability was identified in Cudy LT500E up to 2.3.12. Affected is an unknown function of the file /squashfs-root/etc/shadow of the component Web Interface. The manipulation leads to use of hard-coded password. The attack must be carried out locally. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit is publicly available and might be used. Upgrading to version 2.3.13 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "[T]he firmware does store a default password of 'admin'. This password has been deprecated since LT500E firmware version 2.3.13 and is no longer used. The LT500E does not have an administrator password set by default; a new password (at least 8 characters ) must be manually created upon first login the web management page."
{
"affected": [],
"aliases": [
"CVE-2025-9725"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-31T10:15:34Z",
"severity": "LOW"
},
"details": "A vulnerability was identified in Cudy LT500E up to 2.3.12. Affected is an unknown function of the file /squashfs-root/etc/shadow of the component Web Interface. The manipulation leads to use of hard-coded password. The attack must be carried out locally. The attack\u0027s complexity is rated as high. The exploitability is told to be difficult. The exploit is publicly available and might be used. Upgrading to version 2.3.13 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: \"[T]he firmware does store a default password of \u0027admin\u0027. This password has been deprecated since LT500E firmware version 2.3.13 and is no longer used. The LT500E does not have an administrator password set by default; a new password (at least 8 characters ) must be manually created upon first login the web management page.\"",
"id": "GHSA-whjv-65hm-x47g",
"modified": "2025-09-05T21:32:35Z",
"published": "2025-09-05T21:32:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9725"
},
{
"type": "WEB",
"url": "https://github.com/XXRicardo/iot-cve/blob/main/CUDY/LT500E-R42-2.3.13.md"
},
{
"type": "WEB",
"url": "https://github.com/XXRicardo/iot-cve/blob/main/CUDY/LT500E-R42-2.3.13.md#steps-to-reproduce"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.322014"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.322014"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.639346"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WJ2X-PW29-8R3P
Vulnerability from github – Published: 2022-05-14 03:01 – Updated: 2022-05-14 03:01Use of Hard-coded Credentials in /var/www/xms/application/controllers/gatherLogs.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to interact with a web service.
{
"affected": [],
"aliases": [
"CVE-2018-11641"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-03T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Use of Hard-coded Credentials in /var/www/xms/application/controllers/gatherLogs.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to interact with a web service.",
"id": "GHSA-wj2x-pw29-8r3p",
"modified": "2022-05-14T03:01:04Z",
"published": "2022-05-14T03:01:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11641"
},
{
"type": "WEB",
"url": "https://d3adend.org/blog/?p=1398"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WJ4M-C5PC-P9R9
Vulnerability from github – Published: 2026-02-17 21:31 – Updated: 2026-02-17 21:31IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard coded user credentials.
{
"affected": [],
"aliases": [
"CVE-2025-33089"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-17T20:22:03Z",
"severity": "MODERATE"
},
"details": "IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard coded user credentials.",
"id": "GHSA-wj4m-c5pc-p9r9",
"modified": "2026-02-17T21:31:14Z",
"published": "2026-02-17T21:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33089"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7260162"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJ4X-X659-777V
Vulnerability from github – Published: 2023-10-16 03:30 – Updated: 2024-04-04 08:38IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 256016.
{
"affected": [],
"aliases": [
"CVE-2023-33836"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-16T01:15:09Z",
"severity": "CRITICAL"
},
"details": "IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 256016.",
"id": "GHSA-wj4x-x659-777v",
"modified": "2024-04-04T08:38:58Z",
"published": "2023-10-16T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33836"
},
{
"type": "WEB",
"url": "https://https://exchange.xforce.ibmcloud.com/vulnerabilities/256016"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7047640"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJJV-3MJ2-39HF
Vulnerability from github – Published: 2026-05-29 19:23 – Updated: 2026-05-29 19:23The current upstream main branch at commit 7e0206d was reviewed, and the fix-first patch set was rebased on 2026-05-18. The patches cover: validated and bound inactive-agent hour filtering; storage SQL identifier validation; metadata-backed ownership checks for raw storage SQL; blocking direct storage metadata access through raw SQL; fail-closed outbound worker secret handling; SMTP envelope/header control-character validation before command construction; and TLS certificate verification as the default for MailSender with an explicit opt-out for local development. Validation completed locally with targeted API/Core security tests plus API/Core builds. The security patch branch was not published publicly because te repository's SECURITY.md asks reporters not to open public vulnerability issues.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.31"
},
"package": {
"ecosystem": "npm",
"name": "@agenticmail/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.9"
},
"package": {
"ecosystem": "npm",
"name": "@agenticmail/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47255"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-284",
"CWE-319",
"CWE-798",
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T19:23:29Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The current upstream main branch at commit 7e0206d was reviewed, and the fix-first patch set was rebased on 2026-05-18. The patches cover: validated and bound inactive-agent hour filtering; storage SQL identifier validation; metadata-backed ownership checks for raw storage SQL; blocking direct storage metadata access through raw SQL; fail-closed outbound worker secret handling; SMTP envelope/header control-character validation before command construction; and TLS certificate verification as the default for MailSender with an explicit opt-out for local development. Validation completed locally with targeted API/Core security tests plus API/Core builds. The security patch branch was not published publicly because te repository\u0027s SECURITY.md asks reporters not to open public vulnerability issues.",
"id": "GHSA-wjjv-3mj2-39hf",
"modified": "2026-05-29T19:23:29Z",
"published": "2026-05-29T19:23:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/agenticmail/agenticmail/security/advisories/GHSA-wjjv-3mj2-39hf"
},
{
"type": "WEB",
"url": "https://github.com/agenticmail/agenticmail/commit/1408de543fa3577d8c2d4fdb289c75fe6faafac7"
},
{
"type": "WEB",
"url": "https://github.com/agenticmail/agenticmail/commit/234b811e426a0743170f3b10bc43419d64330155"
},
{
"type": "WEB",
"url": "https://github.com/agenticmail/agenticmail/commit/6c70c8254c906f823392d7f5ccee88a5481e7731"
},
{
"type": "WEB",
"url": "https://github.com/agenticmail/agenticmail/commit/8cb053f2307dd77b7736ffa0d7df04b0ccc3272d"
},
{
"type": "PACKAGE",
"url": "https://github.com/agenticmail/agenticmail"
},
{
"type": "WEB",
"url": "https://github.com/agenticmail/agenticmail/blob/7b9b05d973676e9f3d097c08b8e649f59bfc15d0/CHANGELOG.md?plain=1#L1842"
},
{
"type": "WEB",
"url": "https://github.com/agenticmail/agenticmail/blob/7b9b05d973676e9f3d097c08b8e649f59bfc15d0/packages/core/src/mail/sender.ts#L33"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "AgenticMail API/storage and outbound relay hardening fixes"
}
GHSA-WJWM-57J9-GM6H
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user. This vulnerability is due to the re-use of static SSH keys across installations. An attacker could exploit this vulnerability by extracting a key from a system under their control. A successful exploit could allow the attacker to log in to an affected system as the root user.
{
"affected": [],
"aliases": [
"CVE-2021-40119"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-04T16:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user. This vulnerability is due to the re-use of static SSH keys across installations. An attacker could exploit this vulnerability by extracting a key from a system under their control. A successful exploit could allow the attacker to log in to an affected system as the root user.",
"id": "GHSA-wjwm-57j9-gm6h",
"modified": "2022-05-24T19:19:46Z",
"published": "2022-05-24T19:19:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40119"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cps-static-key-JmS92hNv"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
- In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Mitigation
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
- Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
- For front-end to back-end connections: Three solutions are possible, although none are complete.
- The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
- Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
- Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable
An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.
CAPEC-70: Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.