CWE-798— Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.— MITRE CWE catalog
1,625 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-798page 26 of 33
- CVE-2024-43423CRITICALCVSS 9.8EG 9.82024-09-25
The web application for ProGauge MAGLINK LX4 CONSOLE contains an administrative-level user account with a password that cannot be changed.
- CVE-2024-45165MEDIUMCVSS 5.3EG 5.32024-08-22
An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is sent between client and server with encryption. However, the key is derived from the string "(c)2007 UCI Software GmbH B.Boll" (without quotes). The key is …
- CVE-2024-45275CRITICALCVSS 9.8EG 9.82024-10-15
The devices contain two hard coded user accounts with hardcoded passwords that allow an unauthenticated remote attacker for full control of the affected devices.
- CVE-2024-45319MEDIUMCVSS 6.3EG 6.32024-12-05
A vulnerability in the SonicWall SMA100 SSLVPN firmware 10.2.1.13-72sv and earlier versions allows a remote authenticated attacker can circumvent the certificate requirement during authentication.
- CVE-2024-45656CRITICALCVSS 9.8EG 9.82024-10-29
IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static credentials which may allow network users to ga…
- CVE-2024-45698CRITICALCVSS 9.8EG 8.82024-09-16
Certain models of D-Link wireless routers do not properly validate user input in the telnet service, allowing unauthenticated remote attackers to use hard-coded credentials to log into telnet and inject arbitrary OS commands, which can the…
- CVE-2024-45832MEDIUMCVSS 4.3EG 4.32025-01-17
Hard-coded credentials were included as part of the application binary. These credentials served as part of the application authentication flow and communication with the mobile application. An attacker could access unauthorized informa…
- CVE-2024-45861HIGHCVSS 7.5EG 7.52024-09-19
Kastle Systems firmware prior to May 1, 2024, contained a hard-coded credential, which if accessed may allow an attacker to access sensitive information.
- CVE-2024-46429HIGHCVSS 8.8EG 8.02025-02-10
A hardcoded credentials vulnerability in Tenda W18E V16.01.0.8(1625) allows unauthenticated remote attackers to access the web management portal using a default guest account with administrative privileges.
- CVE-2024-46433HIGHCVSS 8.8EG 8.02025-02-10
A default credentials vulnerability in Tenda W18E V16.01.0.8(1625) allows unauthenticated remote attackers to access the web management portal using the default rzadmin account with administrative privileges.
- CVE-2024-46436HIGHCVSS 8.3EG 8.02025-02-10
Hardcoded credentials in Tenda W18E V16.01.0.8(1625) allows unauthenticated remote attackers to gain root access to the device over the telnet service.
- CVE-2024-46505CRITICALCVSS 9.1EG 9.12025-01-09
Infoblox BloxOne v2.4 was discovered to contain a business logic flaw due to thick client vulnerabilities.
- CVE-2024-46508HIGHCVSS 7.5EG 7.52026-05-08
yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens is the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than SECRET).
- CVE-2024-4708CRITICALCVSS 9.8EG 9.82024-07-02
mySCADA myPRO uses a hard-coded password which could allow an attacker to remotely execute code on the affected device.
- CVE-2024-4740MEDIUMCVSS 5.3EG 5.32024-10-18
MXsecurity software versions v1.1.0 and prior are vulnerable because of the use of hard-coded credentials. This vulnerability could allow an attacker to tamper with sensitive data.
- CVE-2024-48007MEDIUMCVSS 5.3EG 5.32024-12-13
Dell RecoverPoint for Virtual Machines 6.0.x contains use of hard-coded credentials vulnerability. A Remote unauthenticated attacker could potentially exploit this vulnerability by gaining access to the source code, easily retrieving these…
- CVE-2024-48126CRITICALCVSS 9.8EG 9.82025-01-15
HI-SCAN 6040i Hitrax HX-03-19-I was discovered to contain hardcoded credentials for access to vendor support and service access.
- CVE-2024-48192HIGHCVSS 8.0EG 8.02024-10-17
Tenda G3 v15.01.0.5(2848_755)_EN was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root
- CVE-2024-4844HIGHCVSS 7.5EG 7.52024-05-16
Hardcoded credentials vulnerability in Trellix ePolicy Orchestrator (ePO) on Premise prior to 5.10 Service Pack 1 Update 2 allows an attacker with admin privileges on the ePO server to read the contents of the orion.keystore file, allowing…
- CVE-2024-48539CRITICALCVSS 9.8EG 9.82024-10-24
Neye3C v4.5.2.0 was discovered to contain a hardcoded encryption key in the firmware update mechanism.
- CVE-2024-48842HIGHCVSS 7.0EG 7.02025-09-17
Use of Hard-coded Credentials vulnerability in ABB FLXEON.This issue affects FLXEON: through 9.3.5 and newer versions
- CVE-2024-48971CRITICALCVSS 9.3EG 9.32024-11-14
The Clinician Password and Serial Number Clinician Password are hard-coded into the ventilator in plaintext form. This could allow an attacker to obtain the password off the ventilator and use it to gain unauthorized access to the device, …
- CVE-2024-49060HIGHCVSS 8.8EG 8.82024-11-15
Azure Stack HCI Elevation of Privilege Vulnerability
- CVE-2024-49805CRITICALCVSS 9.4EG 9.42024-11-29
IBM Security Verify Access Appliance 10.0.0 through 10.0.8 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encr…
- CVE-2024-49806CRITICALCVSS 9.4EG 9.42024-11-29
IBM Security Verify Access Appliance 10.0.0 through 10.0.8 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encr…
- CVE-2024-4996CRITICALCVSS 9.8EG 9.82024-12-18
Use of a hard-coded password for a database administrator account created during Wapro ERP installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is same among all Wapro ERP installations…
- CVE-2024-50377MEDIUMCVSS 6.5EG 6.52024-11-26
A CWE-798 "Use of Hard-coded Credentials" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability is associated to th…
- CVE-2024-50564LOWCVSS 3.3EG 3.32025-01-14
A use of hard-coded cryptographic key in Fortinet FortiClientWindows version 7.4.0, 7.2.x all versions, 7.0.x all versions, and 6.4.x all versions may allow a low-privileged user to decrypt interprocess communication via monitoring named p…
- CVE-2024-50593HIGHCVSS 7.8EG 7.82024-11-08
An attacker with local access to the medical office computer can access restricted functions of the Elefant Service tool by using a hard-coded "Hotline" password in the Elefant service binary, which is shipped with the software.
- CVE-2024-50688CRITICALCVSS 9.8EG 9.82025-02-26
SunGrow iSolarCloud Android application V2.1.6.20241017 and prior contains hardcoded credentials. The application (regardless of the user account) and the cloud uses the same MQTT credentials for exchanging the device telemetry.
- CVE-2024-50690MEDIUMCVSS 6.5EG 6.52025-01-24
SunGrow WiNet-SV200.001.00.P027 and earlier versions contains a hardcoded password that can be used to decrypt all firmware updates.
- CVE-2024-50692MEDIUMCVSS 5.4EG 5.42025-01-24
SunGrow WiNet-SV200.001.00.P027 and earlier versions contains hardcoded MQTT credentials that allow an attacker to send arbitrary commands to an arbitrary inverter. It is also possible to impersonate the broker, because TLS is not used to …
- CVE-2024-51431CRITICALCVSS 9.8EG 9.82024-11-01
LB-LINK BL-WR 1300H v.1.0.4 contains hardcoded credentials stored in /etc/shadow which are easily guessable.
- CVE-2024-51547CRITICALCVSS 9.8EG 9.82025-02-06
Use of Hard-coded Credentials vulnerability in ABB ASPECT-Enterprise, ABB NEXUS Series, ABB MATRIX Series.This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
- CVE-2024-51551CRITICALCVSS 10.0EG 10.02024-12-05
Default Credentail vulnerabilities in ASPECT on Linux allows access to the product using publicly available default credentials. Affected products: ABB ASPECT - Enterprise v3.07.02; NEXUS Series v3.07.02; MATRIX Series v3.07.02
- CVE-2024-52295CRITICALCVSS 9.8EG 9.82024-11-13
DataEase is an open source data visualization analysis tool. Prior to 2.10.2, DataEase allows attackers to forge jwt and take over services. The JWT secret is hardcoded in the code, and the UID and OID are hardcoded. The vulnerability has …
- CVE-2024-52788HIGHCVSS 8.0EG 8.02024-11-19
Tenda W9 v1.0.0.7(4456) was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root.
- CVE-2024-52789HIGHCVSS 8.0EG 8.02024-11-19
Tenda W30E v2.0 V16.01.0.8 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root.
- CVE-2024-52902HIGHCVSS 8.8EG 8.82025-02-19
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system.
- CVE-2024-53356CRITICALCVSS 9.8EG 9.82025-01-31
Weak JWT Secret vulnerabilitiy in EasyVirt DCScope <= 8.6.0 and CO2Scope <= 1.3.0 allows remote attackers to generate JWT for privilege escalation. The HMAC secret used for generating tokens is hardcoded as "somerandomaccesstoken". A weak …
- CVE-2024-53357HIGHCVSS 7.5EG 7.52025-01-31
Multiple SQL injection vulnerabilities in EasyVirt DCScope <= 8.6.0 and CO2Scope <= 1.3.0 allows remote authenticated attackers, with low privileges, to (1) add an admin user via the /api/user/addalias route; (2) modifiy a user via the /ap…
- CVE-2024-53484HIGHCVSS 8.8EG 9.82024-12-02
Ever Traduora 0.20.0 and below is vulnerable to Privilege Escalation due to the use of a hard-coded JWT signing key.
- CVE-2024-53614MEDIUMCVSS 6.5EG 6.52024-12-04
A hardcoded decryption key in Thinkware Cloud APK v4.3.46 allows attackers to access sensitive data and execute arbitrary commands with elevated privileges.
- CVE-2024-5460HIGHCVSS 8.1EG 8.12024-06-26
A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Brocade Fabric OS versions before v9.0.0 could allow an authenticated, remote attacker to read data from an affected device via SNM…
- CVE-2024-5471HIGHCVSS 8.8EG 8.82024-07-17
Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys.
- CVE-2024-54749HIGHCVSS 7.5EG 7.52024-12-06
Ubiquiti U7-Pro 7.0.35 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. NOTE: this is disputed by the Supplier because the observation only established that a password i…
- CVE-2024-54750CRITICALCVSS 9.8EG 9.82024-12-06
Ubiquiti U6-LR 6.6.65 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. NOTE: In Ubiquiti's view there is no vulnerability as the Hardcoded Password should be after setup…
- CVE-2024-5514CRITICALCVSS 9.8EG 9.82024-05-30
MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access contro…
- CVE-2024-55557CRITICALCVSS 9.8EG 9.82024-12-16
ui/pref/ProxyPrefView.java in weasis-core in Weasis 4.5.1 has a hardcoded key for symmetric encryption of proxy credentials.
- CVE-2024-55927HIGHCVSS 7.6EG 6.42025-01-23
A vulnerability in Xerox Workplace Suite arises from flawed token generation and the use of hard-coded keys. These weaknesses allow attackers to predict or forge tokens, leading to unauthorized access to sensitive functions.
Map vulnerabilities like CWE-798 to your infrastructure
EchelonGraph correlates every CVE — across CWE-798 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →