CWE-259
AllowedUse of Hard-coded Password
Abstraction: Variant · Status: Draft
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
315 vulnerabilities reference this CWE, most recent first.
CVE-2023-2645 (GCVE-0-2023-2645)
Vulnerability from cvelistv5 – Published: 2023-05-11 07:00 – Updated: 2024-08-02 06:26- CWE-259 - Use of Hard-coded Password
| URL | Tags |
|---|---|
| https://vuldb.com/?id.228774 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.228774 | signaturepermissions-required |
| https://github.com/wswokao/testrouter/blob/main/R… | exploit |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:26:09.854Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.228774"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.228774"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/wswokao/testrouter/blob/main/README.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"Web Management Page"
],
"product": "USR-G806",
"vendor": "USR",
"versions": [
{
"status": "affected",
"version": "1.0.41"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "Nikki2023 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, was found in USR USR-G806 1.0.41. Affected is an unknown function of the component Web Management Page. The manipulation of the argument username/password with the input root leads to use of hard-coded password. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. VDB-228774 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in USR USR-G806 1.0.41 gefunden. Sie wurde als kritisch eingestuft. Betroffen hiervon ist ein unbekannter Ablauf der Komponente Web Management Page. Durch das Manipulieren des Arguments username/password mit der Eingabe root mit unbekannten Daten kann eine use of hard-coded password-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Als bestm\u00f6gliche Massnahme werden Anpassungen an der Konfiguration empfohlen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 10,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T05:41:51.598Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.228774"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.228774"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wswokao/testrouter/blob/main/README.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-11T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-05-11T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-05-11T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-06-07T14:02:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "USR USR-G806 Web Management Page hard-coded password"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-2645",
"datePublished": "2023-05-11T07:00:08.579Z",
"dateReserved": "2023-05-11T05:24:27.237Z",
"dateUpdated": "2024-08-02T06:26:09.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2061 (GCVE-0-2023-2061)
Vulnerability from cvelistv5 – Published: 2023-06-02 04:03 – Updated: 2025-03-05 18:58- CWE-259 - Use of Hard-coded Password
| Vendor | Product | Version | |
|---|---|---|---|
| Mitsubishi Electric Corporation | MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 |
Affected:
all versions
|
|
| Mitsubishi Electric Corporation | MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP |
Affected:
all versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:12:19.938Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2023-004.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/vu/JVNVU92908006"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2061",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:36:44.832977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:58:23.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MELSEC iQ-R Series EtherNet/IP module RJ71EIP91",
"vendor": "Mitsubishi Electric Corporation",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP",
"vendor": "Mitsubishi Electric Corporation",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Hard-coded Password vulnerability in FTP function on Mitsubishi Electric Corporation MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP allows a remote unauthenticated attacker to obtain a hard-coded password and access to the module via FTP."
}
],
"value": "Use of Hard-coded Password vulnerability in FTP function on Mitsubishi Electric Corporation MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP allows a remote unauthenticated attacker to obtain a hard-coded password and access to the module via FTP."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-02T04:03:36.665Z",
"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
"shortName": "Mitsubishi"
},
"references": [
{
"url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2023-004.pdf"
},
{
"url": "https://jvn.jp/vu/JVNVU92908006"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication bypass vulnerability in MELSEC iQ-R Series / iQ-F Series EtherNet/IP Modules",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
"assignerShortName": "Mitsubishi",
"cveId": "CVE-2023-2061",
"datePublished": "2023-06-02T04:03:36.665Z",
"dateReserved": "2023-04-14T08:44:04.100Z",
"dateUpdated": "2025-03-05T18:58:23.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1944 (GCVE-0-2023-1944)
Vulnerability from cvelistv5 – Published: 2023-05-24 00:00 – Updated: 2025-01-16 20:37- CWE-259 - Use of Hard-coded Password
| Vendor | Product | Version | |
|---|---|---|---|
| Kubernetes | minikube |
Affected:
unspecified , ≤ 1.29.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:05:27.072Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/kubernetes/minikube"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1944",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T20:37:03.202687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T20:37:16.816Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "minikube",
"vendor": "Kubernetes",
"versions": [
{
"lessThanOrEqual": "1.29.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-04-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "This vulnerability enables ssh access to minikube container using a default password."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-24T00:00:00.000Z",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"url": "https://github.com/kubernetes/minikube"
}
],
"solutions": [
{
"lang": "en",
"value": "To mitigate these vulnerabilities, upgrade minikube to the latest version and delete any clusters created using an affected version. To delete clusters created using prior versions, run `minikube delete --all`"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "[minikube] ssh server with default password",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2023-1944",
"datePublished": "2023-05-24T00:00:00.000Z",
"dateReserved": "2023-04-07T00:00:00.000Z",
"dateUpdated": "2025-01-16T20:37:16.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0808 (GCVE-0-2023-0808)
Vulnerability from cvelistv5 – Published: 2023-02-13 11:01 – Updated: 2024-08-02 05:24- CWE-259 - Use of Hard-coded Password
| URL | Tags |
|---|---|
| https://vuldb.com/?id.220769 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.220769 | signaturepermissions-required |
| https://heise.de/-7483376 | exploitmedia-coverage |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:24:34.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.220769"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.220769"
},
{
"tags": [
"exploit",
"media-coverage",
"x_transferred"
],
"url": "https://heise.de/-7483376"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"Access Point Setting Handler"
],
"product": "Inverter",
"vendor": "Deye",
"versions": [
{
"status": "affected",
"version": "MW3_15U_5406_1.47"
},
{
"status": "affected",
"version": "MW3_15U_5406_1.471"
}
]
},
{
"modules": [
"Access Point Setting Handler"
],
"product": "Inverter",
"vendor": "Revolt",
"versions": [
{
"status": "affected",
"version": "MW3_15U_5406_1.47"
},
{
"status": "affected",
"version": "MW3_15U_5406_1.471"
}
]
},
{
"modules": [
"Access Point Setting Handler"
],
"product": "Inverter",
"vendor": "Bosswerk",
"versions": [
{
"status": "affected",
"version": "MW3_15U_5406_1.47"
},
{
"status": "affected",
"version": "MW3_15U_5406_1.471"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jan Mahn"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Deye/Revolt/Bosswerk Inverter MW3_15U_5406_1.47/MW3_15U_5406_1.471. It has been rated as problematic. This issue affects some unknown processing of the component Access Point Setting Handler. The manipulation with the input 12345678 leads to use of hard-coded password. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version MW3_16U_5406_1.53 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-220769 was assigned to this vulnerability."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Deye/Revolt/Bosswerk Inverter MW3_15U_5406_1.47/MW3_15U_5406_1.471 ausgemacht. Sie wurde als problematisch eingestuft. Hierbei geht es um eine nicht exakt ausgemachte Funktion der Komponente Access Point Setting Handler. Durch Beeinflussen mit der Eingabe 12345678 mit unbekannten Daten kann eine use of hard-coded password-Schwachstelle ausgenutzt werden. Ein Angriff setzt physischen Zugriff auf dem Zielobjekt voraus. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Die Ausnutzbarkeit gilt als schwierig. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version MW3_16U_5406_1.53 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.7,
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-20T21:02:59.353Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.220769"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.220769"
},
{
"tags": [
"exploit",
"media-coverage"
],
"url": "https://heise.de/-7483376"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-02-13T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-02-13T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-02-13T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-03-10T21:50:41.000Z",
"value": "VulDB entry last update"
}
],
"title": "Deye/Revolt/Bosswerk Inverter Access Point Setting hard-coded password"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-0808",
"datePublished": "2023-02-13T11:01:47.302Z",
"dateReserved": "2023-02-13T10:57:41.389Z",
"dateUpdated": "2024-08-02T05:24:34.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45444 (GCVE-0-2022-45444)
Vulnerability from cvelistv5 – Published: 2023-01-18 00:41 – Updated: 2025-01-16 22:00- CWE-259 - Use of Hard-coded Password
| Vendor | Product | Version | |
|---|---|---|---|
| Sewio | RTLS Studio |
Affected:
2.0.0 , ≤ 2.6.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:09:57.062Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-45444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T20:59:19.674728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T22:00:00.806Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "RTLS Studio",
"vendor": "Sewio",
"versions": [
{
"lessThanOrEqual": "2.6.2",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Andrea Palanca of Nozomi Networks"
}
],
"datePublic": "2023-01-12T21:02:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSewio\u2019s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 contains hard-coded passwords for select users in the application\u2019s database. This could allow a remote attacker to login to the database with unrestricted access.\u003c/p\u003e"
}
],
"value": "Sewio\u2019s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 contains hard-coded passwords for select users in the application\u2019s database. This could allow a remote attacker to login to the database with unrestricted access.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-18T00:41:51.151Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CVE-2022-45444",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\u003cp\u003eSewio also recommends the following workarounds to reduce the risk of exploitation: \u003c/p\u003e\n\n\u003cul\u003e\u003cli\u003eMinimize network exposure for all control system devices and/or systems, and ensure they are \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01\"\u003enot accessible from the internet\u003c/a\u003e. \u003c/li\u003e\n\t\u003cli\u003eLocate control system networks and remote devices behind firewalls and isolate them from business networks. \u003c/li\u003e\n\t\u003cli\u003eManually change the database password. \u0026nbsp;\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "Sewio also recommends the following workarounds to reduce the risk of exploitation: \n\n\n\n * Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01 . \n\n\t * Locate control system networks and remote devices behind firewalls and isolate them from business networks. \n\n\t * Manually change the database password. \u00a0\n\n\n\n\n\n\n"
}
],
"x_generator": {
"engine": "VINCE 2.0.5",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2022-45444"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-45444",
"datePublished": "2023-01-18T00:41:51.151Z",
"dateReserved": "2022-12-21T18:52:32.358Z",
"dateUpdated": "2025-01-16T22:00:00.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41653 (GCVE-0-2022-41653)
Vulnerability from cvelistv5 – Published: 2022-12-13 21:08 – Updated: 2025-04-16 16:05- CWE-259 - Use of Hard-Coded Password
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.421Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41653",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:52:34.591797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:05:02.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SVMPC1 ",
"vendor": "Daikin",
"versions": [
{
"lessThanOrEqual": "2.1.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "SVMPC2",
"vendor": "Daikin",
"versions": [
{
"lessThanOrEqual": "1.2.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Chizuru Toyama from TXOne Networks reported these vulnerabilities to CISA"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Daikin SVMPC1 version 2.1.22 and prior and SVMPC2 version 1.2.3 and prior are vulnerable to an attacker obtaining user login credentials and control the system."
}
],
"value": "Daikin SVMPC1 version 2.1.22 and prior and SVMPC2 version 1.2.3 and prior are vulnerable to an attacker obtaining user login credentials and control the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-Coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T21:08:36.871Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nDaikin Holdings Singapore Pte Ltd. has released an update that will \nautomatically install if the SVM controller is enabled. No user \noperation is required. \n\n\u003cbr\u003e"
}
],
"value": "Daikin Holdings Singapore Pte Ltd. has released an update that will \nautomatically install if the SVM controller is enabled. No user \noperation is required. \n\n\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-41653",
"datePublished": "2022-12-13T21:08:36.871Z",
"dateReserved": "2022-09-29T14:08:03.135Z",
"dateUpdated": "2025-04-16T16:05:02.144Z",
"requesterUserId": "bc31a57b-b1a5-40e2-9263-67c0ae8a3b8a",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29831 (GCVE-0-2022-29831)
Vulnerability from cvelistv5 – Published: 2022-11-24 23:36 – Updated: 2025-04-25 17:50- CWE-259 - Use of Hard-coded Password
| URL | Tags |
|---|---|
| https://www.mitsubishielectric.com/en/psirt/vulne… | vendor-advisory |
| https://jvn.jp/vu/JVNVU97244961 | government-resource |
| https://www.cisa.gov/uscert/ics/advisories/icsa-2… | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| Mitsubishi Electric Corporation | GX Works3 |
Affected:
from 1.015R to 1.095Z
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:33:42.702Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf"
},
{
"tags": [
"government-resource",
"x_transferred"
],
"url": "https://jvn.jp/vu/JVNVU97244961"
},
{
"tags": [
"government-resource",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-25T17:49:38.542762Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T17:50:05.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GX Works3",
"vendor": "Mitsubishi Electric Corporation",
"versions": [
{
"status": "affected",
"version": "from 1.015R to 1.095Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Hard-coded Password vulnerability in Mitsubishi Electric Corporation GX Works3 versions from 1.015R to 1.095Z allows a remote unauthenticated attacker to obtain information about the project file for MELSEC safety CPU modules."
}
],
"value": "Use of Hard-coded Password vulnerability in Mitsubishi Electric Corporation GX Works3 versions from 1.015R to 1.095Z allows a remote unauthenticated attacker to obtain information about the project file for MELSEC safety CPU modules."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-29T04:02:40.073Z",
"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
"shortName": "Mitsubishi"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf"
},
{
"tags": [
"government-resource"
],
"url": "https://jvn.jp/vu/JVNVU97244961"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
"assignerShortName": "Mitsubishi",
"cveId": "CVE-2022-29831",
"datePublished": "2022-11-24T23:36:18.688Z",
"dateReserved": "2022-04-27T20:47:43.444Z",
"dateUpdated": "2025-04-25T17:50:05.829Z",
"requesterUserId": "520cc88b-a1c8-44f6-9154-21a4d74c769f",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29825 (GCVE-0-2022-29825)
Vulnerability from cvelistv5 – Published: 2022-11-24 23:21 – Updated: 2025-11-07 06:49- CWE-259 - Use of Hard-coded Password
| URL | Tags |
|---|---|
| https://www.mitsubishielectric.com/en/psirt/vulne… | vendor-advisory |
| https://jvn.jp/vu/JVNVU97244961/index.html | government-resource |
| https://www.cisa.gov/uscert/ics/advisories/icsa-2… | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| Mitsubishi Electric Corporation | GX Works3 |
Affected:
from 1.000A to 1.090U
|
|
| Mitsubishi Electric Corporation | GT Designer3 Version1 (GOT2000) |
Affected:
from 1.122C to 1.290C
|
|
| Mitsubishi Electric Corporation | MT Works2 |
Affected:
from 1.100E to 1.200J
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:33:42.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf"
},
{
"tags": [
"government-resource",
"x_transferred"
],
"url": "https://jvn.jp/vu/JVNVU97244961/index.html"
},
{
"tags": [
"government-resource",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29825",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-25T17:52:17.273503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T17:52:21.905Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GX Works3",
"vendor": "Mitsubishi Electric Corporation",
"versions": [
{
"status": "affected",
"version": "from 1.000A to 1.090U"
}
]
},
{
"defaultStatus": "unaffected",
"product": "GT Designer3 Version1 (GOT2000)",
"vendor": "Mitsubishi Electric Corporation",
"versions": [
{
"status": "affected",
"version": "from 1.122C to 1.290C"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MT Works2",
"vendor": "Mitsubishi Electric Corporation",
"versions": [
{
"status": "affected",
"version": "from 1.100E to 1.200J"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Hard-coded Password vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.090U, GT Designer3 Version1 (GOT2000) versions from 1.122C to 1.290C, and MT Works2 versions from 1.100E to 1.200J allows an unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users may view programs and project files or execute programs illegally."
}
],
"value": "Use of Hard-coded Password vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.090U, GT Designer3 Version1 (GOT2000) versions from 1.122C to 1.290C, and MT Works2 versions from 1.100E to 1.200J allows an unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users may view programs and project files or execute programs illegally."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T06:49:29.712Z",
"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
"shortName": "Mitsubishi"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf"
},
{
"tags": [
"government-resource"
],
"url": "https://jvn.jp/vu/JVNVU97244961/index.html"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
"assignerShortName": "Mitsubishi",
"cveId": "CVE-2022-29825",
"datePublished": "2022-11-24T23:21:54.776Z",
"dateReserved": "2022-04-27T20:47:43.441Z",
"dateUpdated": "2025-11-07T06:49:29.712Z",
"requesterUserId": "520cc88b-a1c8-44f6-9154-21a4d74c769f",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-27172 (GCVE-0-2022-27172)
Vulnerability from cvelistv5 – Published: 2022-05-12 17:01 – Updated: 2025-04-15 19:01- CWE-259 - Use of Hard-coded Password
| URL | Tags |
|---|---|
| https://www.inhandnetworks.com/upload/attachment/… | x_refsource_CONFIRM |
| https://talosintelligence.com/vulnerability_repor… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| InHand Networks | InRouter302 |
Affected:
V3.5.37
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:18:39.355Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1496"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-27172",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-15T18:18:06.187504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T19:01:38.397Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InRouter302",
"vendor": "InHand Networks",
"versions": [
{
"status": "affected",
"version": "V3.5.37"
}
]
}
],
"datePublic": "2022-05-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259: Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-12T17:01:55.000Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1496"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "talos-cna@cisco.com",
"DATE_PUBLIC": "2022-05-10",
"ID": "CVE-2022-27172",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "InRouter302",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "V3.5.37"
}
]
}
}
]
},
"vendor_name": "InHand Networks"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability."
}
]
},
"impact": {
"cvss": {
"baseScore": 4.3,
"baseSeverity": "Medium",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-259: Use of Hard-coded Password"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf",
"refsource": "CONFIRM",
"url": "https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf"
},
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1496",
"refsource": "MISC",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1496"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2022-27172",
"datePublished": "2022-05-12T17:01:55.794Z",
"dateReserved": "2022-03-17T00:00:00.000Z",
"dateUpdated": "2025-04-15T19:01:38.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26388 (GCVE-0-2022-26388)
Vulnerability from cvelistv5 – Published: 2025-02-07 17:06 – Updated: 2025-02-07 18:50- CWE-259 - Use of Hard-Coded Password
| Vendor | Product | Version | |
|---|---|---|---|
| Welch Allyn | ELI 380 Resting Electrocardiograph |
Affected:
0 , ≤ 2.6.0
(custom)
|
|
| Welch Allyn | ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph |
Affected:
0 , ≤ 2.3.1
(custom)
|
|
| Welch Allyn | ELI 250c/BUR 250c Resting Electrocardiograph |
Affected:
0 , ≤ 2.1.2
(custom)
|
|
| Welch Allyn | ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph |
Affected:
0 , ≤ 2.2.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-26388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T18:50:50.198188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T18:50:58.812Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ELI 380 Resting Electrocardiograph",
"vendor": "Welch Allyn",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph",
"vendor": "Welch Allyn",
"versions": [
{
"lessThanOrEqual": "2.3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ELI 250c/BUR 250c Resting Electrocardiograph",
"vendor": "Welch Allyn",
"versions": [
{
"lessThanOrEqual": "2.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph",
"vendor": "Welch Allyn",
"versions": [
{
"lessThanOrEqual": "2.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "An anonymous user reported these vulnerabilities to Hillrom."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A use of hard-coded password vulnerability may allow authentication abuse.\u003cp\u003eThis issue affects ELI 380 Resting Electrocardiograph: \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVersions 2.6.0 and prior\u003c/span\u003e; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph:\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVersions 2.3.1 and prior\u003c/span\u003e; ELI 250c/BUR 250c Resting Electrocardiograph:\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVersions 2.1.2 and prior\u003c/span\u003e; ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVersions 2.2.0 and prior\u003c/span\u003e.\u003c/p\u003e"
}
],
"value": "A use of hard-coded password vulnerability may allow authentication abuse.This issue affects ELI 380 Resting Electrocardiograph: \n\nVersions 2.6.0 and prior; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph:\n\nVersions 2.3.1 and prior; ELI 250c/BUR 250c Resting Electrocardiograph:\n\nVersions 2.1.2 and prior; ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: \n\nVersions 2.2.0 and prior."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-Coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T17:06:30.134Z",
"orgId": "dba971b9-eb30-4121-91e1-3b45611354aa",
"shortName": "Baxter"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-167-01"
},
{
"url": "https://hillrom.com/en/responsible-disclosures/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eHillrom has released software updates for all impacted devices to \naddress these vulnerabilities. New product versions that mitigate these \nvulnerabilities are available as follows:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eWelch Allyn ELI 380 Resting Electrocardiograph: available Q4 2023\u003c/li\u003e\n\u003cli\u003eWelch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: available May 2022\u003c/li\u003e\n\u003cli\u003eWelch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: available Q4 2023\u003c/li\u003e\n\u003c/ul\u003e\n\n\nHillrom recommends users upgrade to the latest product versions. \nInformation on how to update these products can be found on the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://hillrom.com/en/responsible-disclosures/\"\u003eHillrom disclosure page\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Hillrom has released software updates for all impacted devices to \naddress these vulnerabilities. New product versions that mitigate these \nvulnerabilities are available as follows:\n\n\n\n * Welch Allyn ELI 380 Resting Electrocardiograph: available Q4 2023\n\n * Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: available May 2022\n\n * Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: available Q4 2023\n\n\n\n\n\n\nHillrom recommends users upgrade to the latest product versions. \nInformation on how to update these products can be found on the Hillrom disclosure page https://hillrom.com/en/responsible-disclosures/ ."
}
],
"source": {
"advisory": "ICSMA-22-167-01",
"discovery": "EXTERNAL"
},
"title": "Use of Hard-Coded Password Vulnerability in ELI Electrocardiograph Devices",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eHillrom recommends the following workarounds to help reduce risk:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eApply proper network and physical security controls.\u003c/li\u003e\n\u003cli\u003eEnsure a unique encryption key is configured for ELI Link and Cardiograph.\u003c/li\u003e\n\u003cli\u003eWhere possible, use a firewall to prevent communication on Port 21 \nFTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet \nservice.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "Hillrom recommends the following workarounds to help reduce risk:\n\n\n\n * Apply proper network and physical security controls.\n\n * Ensure a unique encryption key is configured for ELI Link and Cardiograph.\n\n * Where possible, use a firewall to prevent communication on Port 21 \nFTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet \nservice."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dba971b9-eb30-4121-91e1-3b45611354aa",
"assignerShortName": "Baxter",
"cveId": "CVE-2022-26388",
"datePublished": "2025-02-07T17:06:30.134Z",
"dateReserved": "2022-03-03T22:04:24.533Z",
"dateUpdated": "2025-02-07T18:50:58.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Mitigation
For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password.
Mitigation
Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved.
- Use randomly assigned salts for each separate hash that you generate. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
For front-end to back-end connections: Three solutions are possible, although none are complete.
No CAPEC attack patterns related to this CWE.