CWE-798— Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.— MITRE CWE catalog
1,625 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-798page 20 of 33
- CVE-2023-21426MEDIUMCVSS 4.3EG 5.52023-02-09
Hardcoded AES key to encrypt cardemulation PINs in NFC prior to SMR Jan-2023 Release 1 allows attackers to access cardemulation PIN.
- CVE-2023-21524HIGHCVSS 7.8EG 7.82023-01-10
Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
- CVE-2023-2158CRITICALCVSS 9.8EG 9.82023-04-27
Code Dx versions prior to 2023.4.2 are vulnerable to user impersonation attack where a malicious actor is able to gain access to another user's account by crafting a custom "Remember Me" token. This is possible due to the use of a hard-cod…
- CVE-2023-21652HIGHCVSS 7.7EG 7.72023-08-08
Cryptographic issue in HLOS as derived keys used to encrypt/decrypt information is present on stack after use.
- CVE-2023-22344CRITICALCVSS 9.8EG 9.82023-03-06
Use of hard-coded credentials vulnerability in SS1 Ver.13.0.0.40 and earlier and Rakuraku PC Cloud Agent Ver.2.1.8 and earlier allows a remote attacker to obtain the password of the debug tool and execute it. As a result of exploiting this…
- CVE-2023-22429HIGHCVSS 7.8EG 7.82023-04-11
Android App 'Wolt Delivery: Food and more' version 4.27.2 and earlier uses hard-coded credentials (API key for an external service), which may allow a local attacker to obtain the hard-coded API key via reverse-engineering the application …
- CVE-2023-22463CRITICALCVSS 9.8EG 9.82023-01-04
KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over t…
- CVE-2023-22495CRITICALCVSS 9.8EG 9.82023-01-14
Izanami is a shared configuration service well-suited for micro-service architecture implementation. Attackers can bypass the authentication in this application when deployed using the official Docker image. Because a hard coded secret is …
- CVE-2023-2291HIGHCVSS 7.8EG 7.82023-04-26
Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration …
- CVE-2023-22956HIGHCVSS 7.5EG 7.52023-08-11
An issue was discovered on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of a hard-coded cryptographic key, an attacker is able to decrypt encrypted configuration files and retrieve sensitive information.
- CVE-2023-22957HIGHCVSS 7.5EG 7.52023-08-11
An issue was discovered in libac_des3.so on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of hard-coded cryptographic key, an attacker with access to backup or configuration files is able to decrypt encrypted values and re…
- CVE-2023-2306CRITICALCVSS 10.0EG 10.02023-10-05
Qognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify datab…
- CVE-2023-23132HIGHCVSS 7.5EG 7.52023-02-01
Selfwealth iOS mobile App 3.3.1 is vulnerable to Sensitive key disclosure. The application reveals hardcoded API keys.
- CVE-2023-23324CRITICALCVSS 9.8EG 9.82023-11-29
Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain hardcoded credentials for the Administrator account.
- CVE-2023-23770CRITICALCVSS 9.4EG 9.42023-08-29
Motorola MBTS Site Controller accepts hard-coded backdoor password. The Motorola MBTS Site Controller Man Machine Interface (MMI), allowing for service technicians to diagnose and configure the device, accepts a hard-coded backdoor passwor…
- CVE-2023-23771HIGHCVSS 8.4EG 8.42023-08-29
Motorola MBTS Base Radio accepts hard-coded backdoor password. The Motorola MBTS Base Radio Man Machine Interface (MMI), allowing for service technicians to diagnose and configure the device, accepts a hard-coded backdoor password that can…
- CVE-2023-24022CRITICALCVSS 10.0EG 9.82023-01-26
Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.7.11.3 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via ssh. (The credentials are…
- CVE-2023-24147HIGHCVSS 7.5EG 7.52023-02-03
TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a hard code password for the telnet service which is stored in the component /etc/config/product.ini.
- CVE-2023-24149CRITICALCVSS 9.8EG 9.82023-02-03
TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a hard code password for root which is stored in the component /etc/shadow.
- CVE-2023-24155CRITICALCVSS 9.8EG 9.82023-02-03
TOTOLINK T8 V4.1.5cu was discovered to contain a hard code password for the telnet service which is stored in the component /web_cste/cgi-bin/product.ini.
- CVE-2023-24501CRITICALCVSS 9.8EG 9.82023-04-17
Electra Central AC unit – Hardcoded Credentials in unspecified code used by the unit.
- CVE-2023-2504HIGHCVSS 8.4EG 8.42023-05-22
Files present on firmware images could allow an attacker to gain unauthorized access as a root user using hard-coded credentials.
- CVE-2023-25187MEDIUMCVSS 6.3EG 6.32023-06-16
An issue was discovered on NOKIA Airscale ASIKA Single RAN devices before 21B. Nokia Single RAN commissioning procedures do not change (factory-time installed) default SSH public/private key values that are specific to a network operator. …
- CVE-2023-25823MEDIUMCVSS 5.4EG 5.42023-02-23
Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and …
- CVE-2023-26089CRITICALCVSS 9.8EG 9.82023-05-02
European Chemicals Agency IUCLID 6.x before 6.27.6 allows authentication bypass because a weak hard-coded secret is used for JWT signing. The affected versions are 5.15.0 through 6.27.5.
- CVE-2023-2611CRITICALCVSS 9.8EG 9.82023-06-22
Advantech R-SeeNet versions 2.4.22 is installed with a hidden root-level user that is not available in the users list. This hidden user has a password that cannot be changed by users.
- CVE-2023-26203MEDIUMCVSS 6.7EG 6.72023-05-03
A use of hard-coded credentials vulnerability [CWE-798] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions may allow an authenticated attacker to access to …
- CVE-2023-26219HIGHCVSS 7.4EG 7.42023-10-25
The Hawk Console and Hawk Agent components of TIBCO Software Inc.'s TIBCO Hawk, TIBCO Hawk Distribution for TIBCO Silver Fabric, TIBCO Operational Intelligence Hawk RedTail, and TIBCO Runtime Agent contain a vulnerability that theoreticall…
- CVE-2023-2637HIGHCVSS 7.3EG 7.32023-06-13
Rockwell Automation's FactoryTalk System Services uses a hard-coded cryptographic key to generate administrator cookies. Hard-coded cryptographic key may lead to privilege escalation. This vulnerability may allow a local, authenticate…
- CVE-2023-26462HIGHCVSS 8.1EG 9.82023-02-23
ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to …
- CVE-2023-26511CRITICALCVSS 9.8EG 9.82023-03-14
A Hard Coded Admin Credentials issue in the Web-UI Admin Panel in Propius MachineSelector 6.6.0 and 6.6.1 allows remote attackers to gain access to the admin panel Propiusadmin.php, which allows taking control of the affected system.
- CVE-2023-26566HIGHCVSS 8.6EG 8.62024-05-14
Sangoma FreePBX 1805 through 2203 on Linux contains hardcoded credentials for the Asterisk REST Interface (ARI), which allows remote attackers to reconfigure Asterisk and make external and internal calls via HTTP and WebSocket requests sen…
- CVE-2023-27169MEDIUMCVSS 6.5EG 6.52023-09-12
Xpand IT Write-back manager v2.3.1 uses a hardcoded salt in license class configuration which leads to the generation of a hardcoded and predictable symmetric encryption keys for license generation and validation.
- CVE-2023-27512HIGHCVSS 7.2EG 7.22023-05-23
Use of hard-coded credentials exists in SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10, and SV-CPT-MC310F versions prior to Ver.8.10, which may allow a remote authenticated attacker to login the affected product with an administ…
- CVE-2023-27573CRITICALCVSS 9.0EG 9.02026-03-11
netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all …
- CVE-2023-27583CRITICALCVSS 9.8EG 9.82023-03-13
PanIndex is a network disk directory index. In Panindex prior to version 3.1.3, a hard-coded JWT key `PanIndex` is used. An attacker can use the hard-coded JWT key to sign JWT token and perform any actions as a user with admin privileges.…
- CVE-2023-27584CRITICALCVSS 9.8EG 9.82024-09-19
Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key …
- CVE-2023-27921MEDIUMCVSS 6.5EG 6.52023-05-23
JINS MEME CORE Firmware version 2.2.0 and earlier uses a hard-coded cryptographic key, which may lead to data acquired by a sensor of the affected product being decrypted by a network-adjacent attacker.
- CVE-2023-2809HIGHCVSS 7.8EG 7.82023-10-04
Plaintext credential usage vulnerability in Sage 200 Spain 2023.38.001 version, the exploitation of which could allow a remote attacker to extract SQL database credentials from the DLL application. This vulnerability could be linked to kno…
- CVE-2023-28387MEDIUMCVSS 5.5EG 5.52023-06-30
"NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external s…
- CVE-2023-28503CRITICALCVSS 9.8EG 9.82023-03-29
Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 suffer from an authentication bypass vulnerability, where a special username with a deterministic password can…
- CVE-2023-28654CRITICALCVSS 9.8EG 9.82023-03-28
Osprey Pump Controller version 1.01 has a hidden administrative account that has the hardcoded password that allows full access to the web management interface configuration. The user is not visible in Usernames and Passwords menu list of …
- CVE-2023-28895LOWCVSS 3.5EG 3.52023-12-01
The password for access to the debugging console of the PoWer Controller chip (PWC) of the MIB3 infotainment is hard-coded in the firmware. The console allows attackers with physical access to the MIB3 unit to gain full control over the PW…
- CVE-2023-28897MEDIUMCVSS 4.0EG 4.02024-01-12
The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware. Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.
- CVE-2023-28937HIGHCVSS 8.8EG 8.82023-06-01
DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servis…
- CVE-2023-29064MEDIUMCVSS 4.1EG 4.12023-11-28
The FACSChorus software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts.
- CVE-2023-30351HIGHCVSS 7.5EG 7.52023-05-10
Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 was discovered to contain a hard-coded default password for root which is stored using weak encryption. This vulnerability allows attackers to connect to the TELNET service (or UA…
- CVE-2023-30352CRITICALCVSS 9.8EG 9.82023-05-10
Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 was discovered to contain a hard-coded default password for the RTSP feed.
- CVE-2023-30354CRITICALCVSS 9.8EG 6.82023-05-10
Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 does not defend against physical access to U-Boot via the UART: the Wi-Fi password is shown, and the hardcoded boot password can be inserted for console access.
- CVE-2023-30801CRITICALCVSS 9.8EG 9.82023-10-10
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote at…
Map vulnerabilities like CWE-798 to your infrastructure
EchelonGraph correlates every CVE — across CWE-798 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →