CWE-798— Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.— MITRE CWE catalog
1,625 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-798page 25 of 33
- CVE-2024-29963LOWCVSS 1.9EG 8.62024-04-19
Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded TLS keys used by Docker. Note: Brocade SANnav doesn't have access to remote Docker registries.
- CVE-2024-29966HIGHCVSS 7.5EG 7.52024-04-19
Brocade SANnav OVA before v2.3.1 and v2.3.0a contain hard-coded credentials in the documentation that appear as the appliance's root password. The vulnerability could allow an unauthenticated attacker full access to the Brocade SANnav appl…
- CVE-2024-31151HIGHCVSS 8.1EG 8.12024-10-30
A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial ti…
- CVE-2024-3130MEDIUMCVSS 5.7EG 5.72024-04-01
Hard-coded Credentials in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app
- CVE-2024-31798MEDIUMCVSS 6.8EG 6.42024-08-15
Identical Hardcoded Root Password for All Devices in GNCC's GC2 Indoor Security Camera 1080P allows an attacker with physical access to retrieve the root password for all similar devices
- CVE-2024-31810CRITICALCVSS 9.8EG 9.82024-05-14
TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a hardcoded password for root at /etc/shadow.sample.
- CVE-2024-31873HIGHCVSS 7.5EG 7.52024-04-10
IBM Security Verify Access Appliance 10.0.0 through 10.0.7 contains hard-coded credentials which it uses for its own inbound authentication that could be obtained by a malicious actor. IBM X-Force ID: 287317.
- CVE-2024-32053CRITICALCVSS 9.8EG 9.82024-05-15
Hard-coded credentials are used by the CyberPower PowerPanel platform to authenticate to the database, other services, and the cloud. This could result in an attacker gaining access to services with the privileges of a Powerpanel b…
- CVE-2024-3272CRITICALCVSS 9.8EG 9.8⚠ KEV2024-04-04
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_s…
- CVE-2024-32740CRITICALCVSS 9.8EG 9.82024-05-14
A vulnerability has been identified in SIMATIC CN 4100 (All versions < V3.0). The affected device contains undocumented users and credentials. An attacker could misuse the credentials to compromise the device locally or over the network.
- CVE-2024-32988HIGHCVSS 7.5EG 7.52024-05-22
'OfferBox' App for Android versions 2.0.0 to 2.3.17 and 'OfferBox' App for iOS versions 2.1.7 to 2.6.14 use a hard-coded secret key for JWT. Secret key for JWT may be retrieved if the application binary is reverse-engineered.
- CVE-2024-33329HIGHCVSS 7.5EG 7.52024-06-26
A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x allows attackers to bypass authentication and access internal pages and other sensitive information.
- CVE-2024-33895MEDIUMCVSS 6.6EG 6.62024-08-02
Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 use a unique key to encrypt the configuration parameters. This is fixed in version 21.2s10 and 22.1s3, the key is now unique per device.
- CVE-2024-3408CRITICALCVSS 9.8EG 9.82024-06-06
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attacker…
- CVE-2024-34219HIGHCVSS 8.6EG 8.62024-05-14
TOTOLINK CP450 V4.1.0cu.747_B20191224 was discovered to contain a vulnerability in the SetTelnetCfg function, which allows attackers to log in through telnet.
- CVE-2024-35118MEDIUMCVSS 4.6EG 4.62024-08-29
IBM MaaS360 for Android 6.31 through 8.60 is using hard coded credentials that can be obtained by a user with physical access to the device.
- CVE-2024-35244CRITICALCVSS 9.1EG 9.12024-11-26
There are several hidden accounts. Some of them are intended for maintenance engineers, and with the knowledge of their passwords (e.g., by examining the coredump), these accounts can be used to re-configure the device. As for the details …
- CVE-2024-35338CRITICALCVSS 9.8EG 9.82024-07-16
Tenda i29V1.0 V1.0.0.5 was discovered to contain a hardcoded password for root.
- CVE-2024-35396CRITICALCVSS 9.8EG 9.82024-05-24
TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a hardcoded password for telnet in /web_cste/cgi-bin/product.ini, which allows attackers to log in as root.
- CVE-2024-3544HIGHCVSS 7.5EG 7.52024-05-02
Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the HA or Cluster group. This vulnerability has been closed by enhancing Load…
- CVE-2024-36049MEDIUMCVSS 6.5EG 6.52024-05-24
Aptos Wisal payroll accounting before 7.1.6 uses hardcoded credentials in the Windows client to fetch the complete list of usernames and passwords from the database server, using an unencrypted connection. This allows attackers in a machin…
- CVE-2024-36248CRITICALCVSS 9.1EG 9.12024-11-26
API keys for some cloud services are hardcoded in the "main" binary. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].
- CVE-2024-36264CRITICALCVSS 9.8EG 6.52024-06-12
** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils. If the user doesn't explicitly set `submarine.auth.default.secret`, a default value will be used. This issue affects Apache Submari…
- CVE-2024-36480CRITICALCVSS 9.8EG 9.82024-06-19
Use of hard-coded credentials issue exists in Ricoh Streamline NX PC Client ver.3.7.2 and earlier. If this vulnerability is exploited, an attacker may obtain LocalSystem Account of the PC where the product is installed. As a result, uninte…
- CVE-2024-36496HIGHCVSS 7.5EG 7.52024-06-24
The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 alg…
- CVE-2024-36556CRITICALCVSS 9.1EG 9.12025-02-06
Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h, and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b have a Hardcoded password vulnerability.
- CVE-2024-36782CRITICALCVSS 9.8EG 9.82024-06-03
TOTOLINK CP300 V2.0.4-B20201102 was discovered to contain a hardcoded password vulnerability in /etc/shadow.sample, which allows attackers to log in as root.
- CVE-2024-3699CRITICALCVSS 9.8EG 9.82024-06-10
Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all drEryk Gabinet installations.This issue affects drEryk Gabinet software versions…
- CVE-2024-3700CRITICALCVSS 9.8EG 9.82024-06-10
Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Simple Care software installations. This issue affects Estomed Sp. z o.o. Simpl…
- CVE-2024-37630HIGHCVSS 8.8EG 8.82024-06-13
D-Link DIR-605L v2.13B01 was discovered to contain a hardcoded password vulnerability in /etc/passwd, which allows attackers to log in as root.
- CVE-2024-38281CRITICALCVSS 9.8EG 9.82024-06-13
An attacker can access the maintenance console using hard coded credentials for a hidden wireless network on the device.
- CVE-2024-38466CRITICALCVSS 9.8EG 9.82024-06-16
Shenzhen Guoxin Synthesis image system before 8.3.0 has a 123456Qw default password.
- CVE-2024-38480MEDIUMCVSS 4.0EG 4.02024-07-01
"Piccoma" App for Android and iOS versions prior to 6.20.0 uses a hard-coded API key for an external service, which may allow a local attacker to obtain the API key. Note that the users of the app are not directly affected by this vulnerab…
- CVE-2024-38648MEDIUMCVSS 5.7EG 9.02025-07-12
A hardcoded secret in Ivanti DSM before 2024.2 allows an authenticated attacker on an adjacent network to decrypt sensitive data including user credentials.
- CVE-2024-39208CRITICALCVSS 9.8EG 9.82024-06-27
luci-app-lucky v2.8.3 was discovered to contain hardcoded credentials.
- CVE-2024-39374CRITICALCVSS 9.8EG 9.82024-06-27
TELSAT marKoni FM Transmitters are vulnerable to an attacker exploiting a hidden admin account that can be accessed through the use of hard-coded credentials.
- CVE-2024-39582LOWCVSS 2.3EG 2.32024-09-10
Dell PowerScale InsightIQ, version 5.0, contain a Use of hard coded Credentials vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.
- CVE-2024-39585HIGHCVSS 7.9EG 7.92024-09-06
Dell SmartFabric OS10 Software, version(s) 10.5.5.4 through 10.5.5.10 and 10.5.6.x, contain(s) an Use of Hard-coded Password vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading …
- CVE-2024-39838HIGHCVSS 8.8EG 8.82024-08-05
ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15 uses hard-coded credentials, which may allow a network-adjacent attacker with an administrative privilege to alter the configuration of the device.
- CVE-2024-40410MEDIUMCVSS 4.8EG 4.82024-11-13
Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain a hardcoded cryptographic key used for encryption.
- CVE-2024-41161HIGHCVSS 7.5EG 7.52024-08-08
Use of hard-coded credentials vulnerability affecting Vonets industrial wifi bridge relays and wifi bridge repeaters, software versions 3.3.23.6.9 and prior, enables an unauthenticated remote attacker to bypass authentication using hard-…
- CVE-2024-41610CRITICALCVSS 9.8EG 9.82024-07-30
D-Link DIR-820LW REVB FIRMWARE PATCH 2.03.B01_TC contains hardcoded credentials in the Telnet service, enabling attackers to log in remotely to the Telnet service and perform arbitrary commands.
- CVE-2024-41611CRITICALCVSS 9.8EG 9.82024-07-30
In D-Link DIR-860L REVA FIRMWARE PATCH 1.10..B04, the Telnet service contains hardcoded credentials, enabling attackers to log in remotely to the Telnet service and perform arbitrary commands.
- CVE-2024-41616CRITICALCVSS 9.8EG 8.82024-08-06
D-Link DIR-300 REVA FIRMWARE v1.06B05_WW contains hardcoded credentials in the Telnet service.
- CVE-2024-41689MEDIUMCVSS 4.6EG 4.62024-07-26
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to unencrypted storing of WPA/ WPS credentials within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and r…
- CVE-2024-41777HIGHCVSS 7.5EG 7.52024-12-03
IBM Cognos Controller 11.0.0 and 11.0.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of i…
- CVE-2024-41794CRITICALCVSS 10.0EG 10.02025-04-08
A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). Affected devices contain hardcoded credentials for remote access to the device operating system with root privileges. This could allow unauthenticated …
- CVE-2024-42450CRITICALCVSS 10.0EG 10.02024-11-19
The Versa Director uses PostgreSQL (Postgres) to store operational and configuration data. It is also needed for High Availability function of the Versa Director. The default configuration has a common password across all instances of Vers…
- CVE-2024-42637CRITICALCVSS 9.8EG 9.82024-08-16
H3C R3010 v100R002L02 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.
- CVE-2024-42638CRITICALCVSS 9.8EG 9.82024-08-16
H3C Magic B1ST v100R012 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.
Map vulnerabilities like CWE-798 to your infrastructure
EchelonGraph correlates every CVE — across CWE-798 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →