CWE-798— Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.— MITRE CWE catalog
1,625 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-798page 14 of 33
- CVE-2021-31579HIGHCVSS 8.2EG 8.22021-07-22
Akkadian Provisioning Manager Engine (PME) ships with a hard-coded credential, akkadianuser:haakkadianpassword. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and…
- CVE-2021-32454CRITICALCVSS 9.6EG 9.62021-05-17
SITEL CAP/PRX firmware version 5.2.01 makes use of a hardcoded password. An attacker with access to the device could modify these credentials, leaving the administrators of the device without access.
- CVE-2021-32459MEDIUMCVSS 6.5EG 6.52021-05-27
Trend Micro Home Network Security version 6.6.604 and earlier contains a hard-coded password vulnerability in the log collection server which could allow an attacker to use a specially crafted network request to lead to arbitrary authentic…
- CVE-2021-32520CRITICALCVSS 9.8EG 9.82021-07-07
Use of hard-coded cryptographic key vulnerability in QSAN Storage Manager allows attackers to obtain users’ credentials and related permissions. Suggest contacting with QSAN and refer to recommendations in QSAN Document.
- CVE-2021-32521HIGHCVSS 7.3EG 7.32021-07-07
Use of MAC address as an authenticated password in QSAN Storage Manager, XEVO, SANOS allows local attackers to escalate privileges. Suggest contacting with QSAN and refer to recommendations in QSAN Document.
- CVE-2021-32525CRITICALCVSS 9.1EG 9.12021-07-07
The same hard-coded password in QSAN Storage Manager's in the firmware allows remote attackers to access the control interface with the administrator’s credential, entering the hard-coded password of the debug mode to execute the restric…
- CVE-2021-32535CRITICALCVSS 9.8EG 9.82021-07-07
The vulnerability of hard-coded default credentials in QSAN SANOS allows unauthenticated remote attackers to obtain administrator’s permission and execute arbitrary functions. The referred vulnerability has been solved with the updated v…
- CVE-2021-32588CRITICALCVSS 9.8EG 9.82021-08-18
A use of hard-coded credentials (CWE-798) vulnerability in FortiPortal versions 5.2.5 and below, 5.3.5 and below, 6.0.4 and below, versions 5.1.x and 5.0.x may allow a remote and unauthenticated attacker to execute unauthorized commands as…
- CVE-2021-32993HIGHCVSS 8.1EG 8.12021-12-27
IntelliBridge EC 40 and 60 Hub (C.00.04 and prior) contains hard-coded credentials, such as a password or a cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption o…
- CVE-2021-33014HIGHCVSS 8.8EG 8.82022-05-26
An attacker can gain VxWorks Shell after login due to hard-coded credentials on a KUKA KR C4 control software for versions prior to 8.7 or any product running KSS.
- CVE-2021-33016CRITICALCVSS 9.8EG 9.82022-05-26
An attacker can gain full access (read/write/delete) to sensitive folders due to hard-coded credentials on KUKA KR C4 control software for versions prior to 8.7 or any product running KSS.
- CVE-2021-33218CRITICALCVSS 9.8EG 9.82021-07-07
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Hard-coded System Passwords that provide shell access.
- CVE-2021-33219CRITICALCVSS 9.8EG 9.82021-07-07
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Hard-coded Web Application Administrator Passwords for the admin and nplus1user accounts.
- CVE-2021-33220HIGHCVSS 7.8EG 7.82021-07-07
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. Hard-coded API Keys exist.
- CVE-2021-33484HIGHCVSS 7.5EG 7.52021-09-07
An issue was discovered in CommentsService.ashx in OnyakTech Comments Pro 3.8. An attacker can download a copy of the installer, decompile it, and discover a hardcoded IV used to encrypt the username and userid in the comment POST request.…
- CVE-2021-33529HIGHCVSS 7.5EG 7.52021-06-25
In Weidmueller Industrial WLAN devices in multiple versions the usage of hard-coded cryptographic keys within the service agent binary allows for the decryption of captured traffic across the network from or to the device.
- CVE-2021-33531HIGHCVSS 8.8EG 8.82021-06-25
In Weidmueller Industrial WLAN devices in multiple versions an exploitable use of hard-coded credentials vulnerability exists in multiple iw_* utilities. The device operating system contains an undocumented encryption password, allowing fo…
- CVE-2021-33540HIGHCVSS 7.3EG 7.32021-06-25
In certain devices of the Phoenix Contact AXL F BK and IL BK product families an undocumented password protected FTP access to the root directory exists.
- CVE-2021-33583CRITICALCVSS 9.8EG 9.82021-09-30
REINER timeCard 6.05.07 installs a Microsoft SQL Server with an sa password that is hardcoded in the TCServer.jar file.
- CVE-2021-34565CRITICALCVSS 9.8EG 9.82021-08-31
In PEPPERL+FUCHS WirelessHART-Gateway 3.0.7 to 3.0.9 the SSH and telnet services are active with hard-coded credentials.
- CVE-2021-34571MEDIUMCVSS 6.5EG 6.52021-09-16
Multiple Wireless M-Bus devices by Enbra use Hard-coded Credentials in Security mode 5 without an option to change the encryption key. An adversary can learn all information that is available in Enbra EWM.
- CVE-2021-34577MEDIUMCVSS 6.5EG 6.52022-11-09
In the Kaden PICOFLUX AiR water meter an adversary can read the values through wireless M-Bus mode 5 with a hardcoded shared key while being adjacent to the device.
- CVE-2021-34601CRITICALCVSS 9.8EG 9.82022-04-27
In Bender/ebee Charge Controllers in multiple versions are prone to Hardcoded Credentials. Bender charge controller CC612 in version 5.20.1 and below is prone to hardcoded ssh credentials. An attacker may use the password to gain administr…
- CVE-2021-34688LOWCVSS 3.3EG 3.32021-07-15
iDrive RemotePC before 7.6.48 on Windows allows information disclosure. A locally authenticated attacker can read an encrypted version of the system's Personal Key in world-readable %PROGRAMDATA% log files. The encryption is done using a h…
- CVE-2021-34744MEDIUMCVSS 4.9EG 4.92021-10-06
Multiple vulnerabilities in Cisco Business 220 Series Smart Switches firmware could allow an attacker with Administrator privileges to access sensitive login credentials or reconfigure the passwords on the user account. For more informatio…
- CVE-2021-34757MEDIUMCVSS 4.9EG 5.52021-10-06
Multiple vulnerabilities in Cisco Business 220 Series Smart Switches firmware could allow an attacker with Administrator privileges to access sensitive login credentials or reconfigure the passwords on the user account. For more informatio…
- CVE-2021-34795CRITICALCVSS 10.0EG 9.82021-11-04
Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform the following acti…
- CVE-2021-34812MEDIUMCVSS 5.8EG 5.82021-06-18
Use of hard-coded credentials vulnerability in php component in Synology Calendar before 2.4.0-0761 allows remote attackers to obtain sensitive information via unspecified vectors.
- CVE-2021-35232MEDIUMCVSS 6.8EG 6.12021-12-27
Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage th…
- CVE-2021-35252HIGHCVSS 7.5EG 7.52022-12-16
Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext.
- CVE-2021-3565MEDIUMCVSS 5.9EG 5.92021-06-04
A flaw was found in tpm2-tools in versions before 5.1.1 and before 4.3.2. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a MITM attacker to unwrap the inner portion and reveal the key being imported. The highe…
- CVE-2021-35961CRITICALCVSS 9.8EG 9.82021-07-16
Dr. ID Door Access Control and Personnel Attendance Management system uses the hard-code admin default credentials that allows remote attackers to access the system through the default password and obtain the highest permission.
- CVE-2021-36224CRITICALCVSS 9.8EG 9.82023-02-06
Western Digital My Cloud devices before OS5 have a nobody account with a blank password.
- CVE-2021-36234MEDIUMCVSS 5.5EG 5.52021-08-31
Use of a hard-coded cryptographic key in MIK.starlight 7.9.5.24363 allows local users to decrypt credentials via unspecified vectors.
- CVE-2021-36751MEDIUMCVSS 4.2EG 9.12022-01-02
ENC DataVault 7.2.3 and before, and OEM versions, use an encryption algorithm that is vulnerable to data manipulation (without knowledge of the key). This is called ciphertext malleability. There is no data integrity mechanism to detect th…
- CVE-2021-36799HIGHCVSS 8.8EG 8.82021-07-19
KNX ETS5 through 5.7.6 uses the hard-coded password ETS5Password, with a salt value of Ivan Medvedev, allowing local users to read project information. NOTE: This vulnerability only affects products that are no longer supported by the main…
- CVE-2021-37163CRITICALCVSS 9.8EG 9.82021-08-02
An insecure permissions issue was discovered in HMI3 Control Panel in Swisslog Healthcare Nexus operated by released versions of software before Nexus Software 7.2.5.7. The device has two user accounts with passwords that are hardcoded.
- CVE-2021-37555CRITICALCVSS 9.8EG 9.82021-07-26
TX9 Automatic Food Dispenser v3.2.57 devices allow access to a shell as root/superuser, a related issue to CVE-2019-16734. To connect, the telnet service is used on port 23 with the default password of 059AnkJ for the root account. The use…
- CVE-2021-38456CRITICALCVSS 9.8EG 9.82021-10-12
A use of hard-coded password vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to gain access through accounts using default passwords
- CVE-2021-38461HIGHCVSS 8.2EG 8.22021-10-22
The affected product uses a hard-coded blowfish key for encryption/decryption processes. The key can be easily extracted from binaries.
- CVE-2021-38969CRITICALCVSS 9.8EG 9.82022-05-11
IBM Spectrum Virtualize 8.2, 8.3, and 8.4 could allow an attacker to allow unauthorized access due to the reuse of support generated credentials. IBM X-Force ID: 212609.
- CVE-2021-39245HIGHCVSS 7.5EG 7.52021-08-23
Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nex…
- CVE-2021-39613CRITICALCVSS 9.8EG 9.82021-08-23
D-Link DVG-3104MS version 1.0.2.0.3, 1.0.2.0.4, and 1.0.2.0.4E contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file. As weak passwords have been used, the plaintext passwords can be recovered from the ha…
- CVE-2021-39614CRITICALCVSS 9.8EG 9.82021-08-23
D-Link DVX-2000MS contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file. As weak passwords have been used, the plaintext passwords can be recovered from the hash values.
- CVE-2021-39615CRITICALCVSS 9.8EG 9.82021-08-23
D-Link DSR-500N version 1.02 contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file.If an attacker succeeds in recovering the cleartext password of the identified hash value, he will be able to log in via …
- CVE-2021-40119CRITICALCVSS 9.8EG 9.82021-11-04
A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user. This vulnerability is due to the re-use of static SSH key…
- CVE-2021-40342HIGHCVSS 7.1EG 9.82023-01-05
In the DES implementation, the affected product versions use a default key for encryption. Successful exploitation allows an attacker to obtain sensitive information and gain access to the network elements that are managed by the affected…
- CVE-2021-40390CRITICALCVSS 9.8EG 9.82022-04-14
An authentication bypass vulnerability exists in the Web Application functionality of Moxa MXView Series 3.2.4. A specially-crafted HTTP request can lead to unauthorized access. An attacker can send an HTTP request to trigger this vulnerab…
- CVE-2021-40422CRITICALCVSS 10.0EG 10.02022-04-14
An authentication bypass vulnerability exists in the device password generation functionality of Swift Sensors Gateway SG3-1010. A specially-crafted network request can lead to remote code execution. An attacker can send a sequence of requ…
- CVE-2021-40494CRITICALCVSS 9.8EG 9.82021-09-03
A Hardcoded JWT Secret Key in metadata.py in AdaptiveScale LXDUI through 2.1.3 allows attackers to gain admin access to the host system.
Map vulnerabilities like CWE-798 to your infrastructure
EchelonGraph correlates every CVE — across CWE-798 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →