CWE-798— Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.— MITRE CWE catalog
1,625 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-798page 22 of 33
- CVE-2023-38535MEDIUMCVSS 4.7EG 4.72024-03-13
Use of Hard-coded Cryptographic Key vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.1 and 12.5.2. The vulnerability could compromise the cryptographic keys.
- CVE-2023-38995CRITICALCVSS 9.8EG 9.82024-02-07
An issue in SCHUHFRIED v.8.22.00 allows remote attacker to obtain the database password via crafted curl command.
- CVE-2023-39169CRITICALCVSS 9.8EG 9.82023-12-07
The affected devices use publicly available default credentials with administrative privileges.
- CVE-2023-39420CRITICALCVSS 9.9EG 9.92023-09-07
The RDPCore.dll component as used in the IRM Next Generation booking engine, allows a remote user to connect to customers with an "admin" account and a corresponding password computed daily by a routine inside the DLL file. Once reverse-en…
- CVE-2023-39421HIGHCVSS 7.7EG 7.72023-09-07
The RDPWin.dll component as used in the IRM Next Generation booking engine includes a set of hardcoded API keys for third-party services such as Twilio and Vonage. These keys allow unrestricted interaction with these services.
- CVE-2023-39422MEDIUMCVSS 6.5EG 6.52023-09-07
The /irmdata/api/ endpoints exposed by the IRM Next Generation booking engine authenticates requests using HMAC tokens. These tokens are however exposed in a JavaScript file loaded on the client side, thus rendering this extra safety mec…
- CVE-2023-39458MEDIUMCVSS 5.3EG 5.32024-05-03
Triangle MicroWorks SCADA Data Gateway Use of Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Triangle MicroWorks SCADA …
- CVE-2023-39482MEDIUMCVSS 6.5EG 4.92024-05-03
Softing Secure Integration Server Hardcoded Cryptographic Key Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Softing Secure Integration Server…
- CVE-2023-39808CRITICALCVSS 9.8EG 9.82023-08-21
N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a hardcoded root password that allows attackers to login with root privileges via the SSH service. The cleartext password corresponding to the $1$4Tmm01jl$7HRvcW.bz7uGmX9hiQWv…
- CVE-2023-39982HIGHCVSS 7.5EG 7.52023-09-02
A vulnerability has been identified in MXsecurity versions prior to v1.0.1. The vulnerability may put the confidentiality and integrity of SSH communications at risk on the affected device. This vulnerability is attributed to a hard-coded …
- CVE-2023-40146MEDIUMCVSS 6.8EG 6.82024-04-17
A privilege escalation vulnerability exists in the /bin/login functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted command line argument can lead to a limited-shell escape and elevated capabilities. An attacker can a…
- CVE-2023-40236MEDIUMCVSS 5.3EG 5.32023-12-25
In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass.
- CVE-2023-40300CRITICALCVSS 9.8EG 9.82023-12-07
NETSCOUT nGeniusPULSE 3.8 has a Hardcoded Cryptographic Key.
- CVE-2023-40463HIGHCVSS 8.1EG 8.12023-12-04
When configured in debugging mode by an authenticated user with administrative privileges, ALEOS 4.16 and earlier store the SHA512 hash of the common root password for that version in a directory accessible to a user wit…
- CVE-2023-40464HIGHCVSS 8.1EG 8.12023-12-04
Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man in the middle attack between the ACEManager clien…
- CVE-2023-40717MEDIUMCVSS 5.3EG 5.32023-09-13
A use of hard-coded credentials vulnerability [CWE-798] in FortiTester 2.3.0 through 7.2.3 may allow an attacker who managed to get a shell on the device to access the database via shell commands.
- CVE-2023-40719MEDIUMCVSS 4.1EG 4.12023-11-14
A use of hard-coded credentials vulnerability in Fortinet FortiAnalyzer and FortiManager 7.0.0 - 7.0.8, 7.2.0 - 7.2.3 and 7.4.0 allows an attacker to access Fortinet private testing data via the use of static credentials.
- CVE-2023-41030CRITICALCVSS 9.8EG 6.32023-09-18
Hard-coded credentials in Juplink RX4-1500 versions V1.0.2 through V1.0.5 allow unauthenticated attackers to log in to the web interface or telnet service as the 'user' user.
- CVE-2023-41137CRITICALCVSS 9.8EG 8.02023-11-09
Symmetric encryption used to protect messages between the AppsAnywhere server and client can be broken by reverse engineering the client and used to impersonate the AppsAnywhere server.
- CVE-2023-41372HIGHCVSS 7.8EG 7.82023-10-25
The vulnerability allows an unprivileged (untrusted) third- party application to arbitrary modify the server settings of the Android Client application, inducing it to connect to an attacker - controlled malicious server.This is possible b…
- CVE-2023-41508CRITICALCVSS 9.8EG 9.82023-09-05
A hard coded password in Super Store Finder v3.6 allows attackers to access the administration panel.
- CVE-2023-41595HIGHCVSS 7.5EG 7.52023-09-18
An issue in xui-xray v1.8.3 allows attackers to obtain sensitive information via default password.
- CVE-2023-41610HIGHCVSS 8.8EG 8.82024-09-18
Victure PC420 1.1.39 was discovered to contain a hardcoded root password which is stored in plaintext.
- CVE-2023-41611MEDIUMCVSS 6.5EG 6.52024-09-18
Victure PC420 1.1.39 was discovered to use a weak and partially hardcoded key to encrypt data.
- CVE-2023-41612HIGHCVSS 8.8EG 8.82024-09-18
Victure PC420 1.1.39 was discovered to use a weak encryption key for the file enabled_telnet.dat on the Micro SD card.
- CVE-2023-41713HIGHCVSS 7.5EG 7.52023-10-17
SonicOS Use of Hard-coded Password vulnerability in the 'dynHandleBuyToolbar' demo function.
- CVE-2023-41878CRITICALCVSS 9.8EG 4.62023-09-27
MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by def…
- CVE-2023-41919CRITICALCVSS 9.8EG 9.82024-07-02
Hardcoded credentials are discovered within the application's source code, creating a potential security risk for unauthorized access.
- CVE-2023-4204CRITICALCVSS 9.8EG 5.42023-08-16
NPort IAW5000A-I/O Series firmware version v2.2 and prior is affected by a hardcoded credential vulnerabilitywhich poses a potential risk to the security and integrity of the affected device. This vulnerability is attributed to the presenc…
- CVE-2023-42328HIGHCVSS 8.8EG 8.82023-09-18
An issue in PeppermintLabs Peppermint v.0.2.4 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the hardcoded session cookie.
- CVE-2023-42336CRITICALCVSS 9.8EG 9.82023-09-16
An issue in NETIS SYSTEMS WF2409Ev4 v.1.0.1.705 allows a remote attacker to execute arbitrary code and obtain sensitive information via the password parameter in the /etc/shadow.sample component.
- CVE-2023-42492CRITICALCVSS 9.8EG 7.12023-10-25
EisBaer Scada - CWE-321: Use of Hard-coded Cryptographic Key
- CVE-2023-43583MEDIUMCVSS 4.9EG 4.92023-12-13
Cryptographic issues Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information via network access.
- CVE-2023-43637HIGHCVSS 7.8EG 7.82023-09-21
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey…
- CVE-2023-43870CRITICALCVSS 9.8EG 8.12023-12-19
When installing the Net2 software a root certificate is installed into the trusted store. A potential hacker could access the installer batch file or reverse engineer the source code to gain access to the root certificate password. Using t…
- CVE-2023-4419HIGHCVSS 8.8EG 9.82023-08-24
The LMS5xx uses hard-coded credentials, which potentially allow low-skilled unauthorized remote attackers to reconfigure settings and /or disrupt the functionality of the device.
- CVE-2023-44296MEDIUMCVSS 5.5EG 8.42023-11-16
Dell ELab-Navigator, version 3.1.9 contains a hard-coded credential vulnerability. A local attacker could potentially exploit this vulnerability, leading to unauthorized access to sensitive data. Successful exploitation may result in the …
- CVE-2023-44411CRITICALCVSS 9.8EG 9.82024-05-03
D-Link D-View InstallApplication Use of Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not requi…
- CVE-2023-45194MEDIUMCVSS 4.3EG 4.32023-10-11
Use of default credentials vulnerability in MR-GM2 firmware Ver. 3.00.03 and earlier, and MR-GM3 (-D/-K/-S/-DK/-DKS/-M/-W) firmware Ver. 1.03.45 and earlier allows a network-adjacent unauthenticated attacker to intercept wireless LAN commu…
- CVE-2023-45226HIGHCVSS 7.4EG 7.42023-10-10
The BIG-IP SPK TMM (Traffic Management Module) f5-debug-sidecar and f5-debug-sshd containers contains hardcoded credentials that may allow an attacker with the ability to intercept traffic to impersonate the SPK Secure Shell (SSH) server …
- CVE-2023-4539HIGHCVSS 7.5EG 7.52024-02-15
Use of a hard-coded password for a special database account created during Comarch ERP XL installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is same among all Comarch ERP XL installatio…
- CVE-2023-45499CRITICALCVSS 9.8EG 9.82023-10-27
VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials.
- CVE-2023-46102HIGHCVSS 8.8EG 8.82023-10-25
The Android Client application, when enrolled to the AppHub server, connects to an MQTT broker to exchange messages and receive commands to execute on the HMI device. The protocol builds on top of MQTT to implement the remote management …
- CVE-2023-46685CRITICALCVSS 9.8EG 9.82024-07-08
A hard-coded password vulnerability exists in the telnetd functionality of LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623. A set of specially crafted network packets can lead to arbitrary command execution.
- CVE-2023-46706CRITICALCVSS 9.1EG 9.12024-02-01
Multiple MachineSense devices have credentials unable to be changed by the user or administrator.
- CVE-2023-46711MEDIUMCVSS 4.6EG 4.62023-12-26
VR-S1000 firmware Ver. 2.37 and earlier uses a hard-coded cryptographic key which may allow an attacker to analyze the password of a specific product user.
- CVE-2023-46918MEDIUMCVSS 4.6EG 4.62023-12-27
Phlox com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus has an Android manifest file that contains an entry with the android:allowBackup attribute set to true. This could be leveraged by an attacker with physical access …
- CVE-2023-46919MEDIUMCVSS 6.3EG 6.32023-12-27
Phlox com.phlox.simpleserver (aka Simple HTTP Server) 1.8 and com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus have a hardcoded aKySWb2jjrr4dzkYXczKRt7K (AES) encryption key. An attacker with physical access to the appl…
- CVE-2023-46943CRITICALCVSS 9.1EG 9.12024-01-13
An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to…
- CVE-2023-47213CRITICALCVSS 9.8EG 9.82023-11-16
First Corporation's DVRs use a hard-coded password, which may allow a remote unauthenticated attacker to rewrite or obtain the configuration information of the affected device. Note that updates are provided only for Late model of CFR-4EAB…
Map vulnerabilities like CWE-798 to your infrastructure
EchelonGraph correlates every CVE — across CWE-798 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →