CWE-259
AllowedUse of Hard-coded Password
Abstraction: Variant · Status: Draft
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
315 vulnerabilities reference this CWE, most recent first.
GHSA-HXH3-588W-HVMJ
Vulnerability from github – Published: 2023-01-01 09:30 – Updated: 2023-01-09 18:30A vulnerability, which was classified as critical, has been found in taoeffect Empress. Affected by this issue is some unknown functionality. The manipulation leads to use of hard-coded password. The name of the patch is 557e177d8a309d6f0f26de46efb38d43e000852d. It is recommended to apply a patch to fix this issue. VDB-217154 is the identifier assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2014-125030"
],
"database_specific": {
"cwe_ids": [
"CWE-259",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-01T09:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability, which was classified as critical, has been found in taoeffect Empress. Affected by this issue is some unknown functionality. The manipulation leads to use of hard-coded password. The name of the patch is 557e177d8a309d6f0f26de46efb38d43e000852d. It is recommended to apply a patch to fix this issue. VDB-217154 is the identifier assigned to this vulnerability.",
"id": "GHSA-hxh3-588w-hvmj",
"modified": "2023-01-09T18:30:32Z",
"published": "2023-01-01T09:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-125030"
},
{
"type": "WEB",
"url": "https://github.com/taoeffect/empress/pull/61"
},
{
"type": "WEB",
"url": "https://github.com/taoeffect/empress/commit/557e177d8a309d6f0f26de46efb38d43e000852d"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217154"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217154"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2J9-PQ33-WJ97
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:31Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 contains hard-coded passwords for select users in the application’s database. This could allow a remote attacker to login to the database with unrestricted access.
{
"affected": [],
"aliases": [
"CVE-2022-45444"
],
"database_specific": {
"cwe_ids": [
"CWE-259",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-18T01:15:00Z",
"severity": "CRITICAL"
},
"details": "Sewio\u2019s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 contains hard-coded passwords for select users in the application\u2019s database. This could allow a remote attacker to login to the database with unrestricted access.",
"id": "GHSA-j2j9-pq33-wj97",
"modified": "2024-04-04T05:31:33Z",
"published": "2023-07-06T19:24:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45444"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J37R-FJ8F-2G89
Vulnerability from github – Published: 2024-06-10 12:30 – Updated: 2025-10-03 09:30Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all drEryk Gabinet installations.This issue affects drEryk Gabinet software versions from 7.0.0.0 through 9.17.0.0.
{
"affected": [],
"aliases": [
"CVE-2024-3699"
],
"database_specific": {
"cwe_ids": [
"CWE-259",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-10T12:15:10Z",
"severity": "CRITICAL"
},
"details": "Use of hard-coded password to the patients\u0027 database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all\u00a0drEryk Gabinet installations.This issue affects drEryk Gabinet software versions from 7.0.0.0 through 9.17.0.0.",
"id": "GHSA-j37r-fj8f-2g89",
"modified": "2025-10-03T09:30:18Z",
"published": "2024-06-10T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3699"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2024/06/CVE-2024-1228"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2024/06/CVE-2024-1228"
},
{
"type": "WEB",
"url": "https://dreryk.pl/produkty/gabinet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Red",
"type": "CVSS_V4"
}
]
}
GHSA-J998-C4RH-83VQ
Vulnerability from github – Published: 2023-02-13 12:30 – Updated: 2023-02-23 06:30A vulnerability was found in Deye/Revolt/Bosswerk Inverter MW3_15U_5406_1.47/MW3_15U_5406_1.471. It has been rated as problematic. This issue affects some unknown processing of the component Access Point Setting Handler. The manipulation with the input 12345678 leads to use of hard-coded password. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. Upgrading to version MW3_16U_5406_1.53 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-220769 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-0808"
],
"database_specific": {
"cwe_ids": [
"CWE-259",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-13T12:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Deye/Revolt/Bosswerk Inverter MW3_15U_5406_1.47/MW3_15U_5406_1.471. It has been rated as problematic. This issue affects some unknown processing of the component Access Point Setting Handler. The manipulation with the input 12345678 leads to use of hard-coded password. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. Upgrading to version MW3_16U_5406_1.53 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-220769 was assigned to this vulnerability.",
"id": "GHSA-j998-c4rh-83vq",
"modified": "2023-02-23T06:30:17Z",
"published": "2023-02-13T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0808"
},
{
"type": "WEB",
"url": "https://heise.de/-7483376"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.220769"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.220769"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JF35-JG3H-PWMH
Vulnerability from github – Published: 2026-04-20 00:30 – Updated: 2026-04-20 00:30A security flaw has been discovered in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component Setting Handler. The manipulation of the argument SECRET_KEY results in hard-coded credentials. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-6578"
],
"database_specific": {
"cwe_ids": [
"CWE-259"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-19T22:16:35Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component Setting Handler. The manipulation of the argument SECRET_KEY results in hard-coded credentials. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-jf35-jg3h-pwmh",
"modified": "2026-04-20T00:30:13Z",
"published": "2026-04-20T00:30:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6578"
},
{
"type": "WEB",
"url": "https://github.com/3em0/cve_repo/blob/main/DjangoBlog/Vuln-3-Hardcoded-Django-SECRET_KEY.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/790283"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/358213"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/358213/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JVC3-9VPF-MX93
Vulnerability from github – Published: 2024-09-10 15:31 – Updated: 2024-09-10 18:30Loftware Spectrum before 4.6 HF14 uses a Hard-coded Password.
{
"affected": [],
"aliases": [
"CVE-2023-37231"
],
"database_specific": {
"cwe_ids": [
"CWE-259"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T14:15:12Z",
"severity": "CRITICAL"
},
"details": "Loftware Spectrum before 4.6 HF14 uses a Hard-coded Password.",
"id": "GHSA-jvc3-9vpf-mx93",
"modified": "2024-09-10T18:30:44Z",
"published": "2024-09-10T15:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37231"
},
{
"type": "WEB",
"url": "https://code-white.com"
},
{
"type": "WEB",
"url": "https://code-white.com/public-vulnerability-list"
},
{
"type": "WEB",
"url": "https://docs.loftware.com/spectrum-releasenotes/Content/Hotfix/4.6_HF14.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JW33-CFXV-R7R3
Vulnerability from github – Published: 2025-10-12 21:30 – Updated: 2025-10-12 21:30A security flaw has been discovered in Tomofun Furbo 360 and Furbo Mini. Affected by this vulnerability is an unknown functionality of the file /squashfs-root/furbo_img of the component MQTT Client Certificate. Performing manipulation results in hard-coded credentials. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-11643"
],
"database_specific": {
"cwe_ids": [
"CWE-259"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-12T20:15:39Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in Tomofun Furbo 360 and Furbo Mini. Affected by this vulnerability is an unknown functionality of the file /squashfs-root/furbo_img of the component MQTT Client Certificate. Performing manipulation results in hard-coded credentials. The attack may be initiated remotely. The attack\u0027s complexity is rated as high. The exploitation appears to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-jw33-cfxv-r7r3",
"modified": "2025-10-12T21:30:16Z",
"published": "2025-10-12T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11643"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.328054"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.328054"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.661875"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JXV5-HHVX-CMG6
Vulnerability from github – Published: 2025-03-18 15:30 – Updated: 2025-03-21 18:31On IROAD v9 devices, the dashcam has hardcoded default credentials ("qwertyuiop") that cannot be changed by the user. This allows an attacker within Wi-Fi range to connect to the device's network to perform sniffing.
{
"affected": [],
"aliases": [
"CVE-2025-30106"
],
"database_specific": {
"cwe_ids": [
"CWE-259"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-18T14:15:46Z",
"severity": "HIGH"
},
"details": "On IROAD v9 devices, the dashcam has hardcoded default credentials (\"qwertyuiop\") that cannot be changed by the user. This allows an attacker within Wi-Fi range to connect to the device\u0027s network to perform sniffing.",
"id": "GHSA-jxv5-hhvx-cmg6",
"modified": "2025-03-21T18:31:34Z",
"published": "2025-03-18T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30106"
},
{
"type": "WEB",
"url": "https://github.com/geo-chen/IROAD-V"
},
{
"type": "WEB",
"url": "https://iroad-dashcam.nl/iroad/iroad-x5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M3J7-7X7F-J7PF
Vulnerability from github – Published: 2022-05-17 04:11 – Updated: 2025-11-03 21:30Hospira MedNet before 6.1 uses a hardcoded cleartext password to control SQL database authorization, which allows remote authenticated users to bypass intended access restrictions by leveraging knowledge of this password.
{
"affected": [],
"aliases": [
"CVE-2014-5405"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-259"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-04-03T10:59:00Z",
"severity": "HIGH"
},
"details": "Hospira MedNet before 6.1 uses a hardcoded cleartext password to control SQL database authorization, which allows remote authenticated users to bypass intended access restrictions by leveraging knowledge of this password.",
"id": "GHSA-m3j7-7x7f-j7pf",
"modified": "2025-11-03T21:30:29Z",
"published": "2022-05-17T04:11:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5405"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-090-03.json"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-090-03"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-15-090-03"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M4GP-F859-3H4X
Vulnerability from github – Published: 2025-07-07 09:30 – Updated: 2025-07-07 09:30A vulnerability was identified in SUR-FBD CMMS where hard-coded credentials were found within a compiled DLL file. These credentials correspond to a built-in administrative account of the software. An attacker with local access to the system or the application's installation directory could extract these credentials, potentially leading to a complete compromise of the application's administrative functions. This issue was fixed in version 2025.03.27 of the SUR-FBD CMMS software.
{
"affected": [],
"aliases": [
"CVE-2025-3920"
],
"database_specific": {
"cwe_ids": [
"CWE-259"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-07T09:15:26Z",
"severity": "HIGH"
},
"details": "A vulnerability was identified in SUR-FBD CMMS where hard-coded credentials were found within a compiled DLL file. These credentials correspond to a built-in administrative account of the software. An attacker with local access to the system or the application\u0027s installation directory could extract these credentials, potentially leading to a complete compromise of the application\u0027s administrative functions.\u00a0This issue was fixed in version 2025.03.27 of the SUR-FBD CMMS software.",
"id": "GHSA-m4gp-f859-3h4x",
"modified": "2025-07-07T09:30:26Z",
"published": "2025-07-07T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3920"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2025/07/CVE-2025-3920"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Mitigation
For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password.
Mitigation
Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved.
- Use randomly assigned salts for each separate hash that you generate. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
For front-end to back-end connections: Three solutions are possible, although none are complete.
No CAPEC attack patterns related to this CWE.