CWE-798
Allowed-with-ReviewUse of Hard-coded Credentials
Abstraction: Base · Status: Draft
The product contains hard-coded credentials, such as a password or cryptographic key.
2171 vulnerabilities reference this CWE, most recent first.
CVE-2025-6982 (GCVE-0-2025-6982)
Vulnerability from cvelistv5 – Published: 2025-07-16 20:01 – Updated: 2026-04-22 21:24 Unsupported When Assigned- CWE-798 - Use of Hard-coded Credentials
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Archer C50 V3 |
Affected:
0 , ≤ 180703
(date)
|
|
| TP-Link Systems Inc. | Archer C50 V4 |
Affected:
0 , ≤ 250117
(date)
|
|
| TP-Link Systems Inc. | Archer C50 V5 |
Affected:
0 , ≤ 200407
(date)
|
|
| TP-Link Systems Inc. | Archer C20 V5 |
Affected:
0 , < US_V5_260419
(custom)
Affected: 0 , < EU_V5_260317 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6982",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-18T14:20:25.297362Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T14:20:32.075Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:07:18.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/554637"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Archer C50 V3",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThanOrEqual": "180703",
"status": "affected",
"version": "0",
"versionType": "date"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer C50 V4",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThanOrEqual": "250117",
"status": "affected",
"version": "0",
"versionType": "date"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer C50 V5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThanOrEqual": "200407",
"status": "affected",
"version": "0",
"versionType": "date"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer C20 V5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "US_V5_260419",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "EU_V5_260317",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Hard-coded Credentials in TP-Link Archer C50 V3(\n\n\u003cb\u003e\u0026lt;=\u003c/b\u003e\n\n180703)/V4(\n\n\n\n\u003cb\u003e\u0026lt;=\u003c/b\u003e\n\n250117\n\n)/V5(\n\n\n\n\u003cb\u003e\u0026lt;=\u003c/b\u003e\n\n200407\n\n), and C20 V5 (\u0026lt;US_V5_260419 or \u0026lt;EU_V5_260317)\u0026nbsp;\u003cspan\u003eallows attackers to decrypt the config.xml files.\u0026nbsp;\u003c/span\u003e"
}
],
"value": "Use of Hard-coded Credentials in TP-Link Archer C50 V3(\n\n\u003c=\n\n180703)/V4(\n\n\n\n\u003c=\n\n250117\n\n)/V5(\n\n\n\n\u003c=\n\n200407\n\n), and C20 V5 (\u003cUS_V5_260419 or \u003cEU_V5_260317)\u00a0allows attackers to decrypt the config.xml files."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T21:24:12.188Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/4538/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/archer-c20/v5/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-c20/v5/#Firmware"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Hardcoded DES Decryption Keys in TP-Link Archer C50 V3/V4/V5 and C20 V5",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2025-6982",
"datePublished": "2025-07-16T20:01:41.382Z",
"dateReserved": "2025-07-01T20:09:03.975Z",
"dateUpdated": "2026-04-22T21:24:12.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6950 (GCVE-0-2025-6950)
Vulnerability from cvelistv5 – Published: 2025-10-17 03:19 – Updated: 2025-10-17 14:26- CWE-798 - Use of Hard-coded Credentials
| URL | Tags |
|---|---|
| https://www.moxa.com/en/support/product-support/s… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Moxa | EDR-G9010 Series |
Affected:
1.0 , ≤ 3.14
(custom)
Unaffected: 3.21 (custom) |
|
| Moxa | EDR-8010 Series |
Affected:
1.0 , ≤ 3.17
(custom)
Unaffected: 3.21 (custom) |
|
| Moxa | EDF-G1002-BP Series |
Affected:
1.0 , ≤ 3.17
(custom)
Unaffected: 3.21 (custom) |
|
| Moxa | TN-4900 Series |
Affected:
1.0 , ≤ 3.14
(custom)
Unaffected: 3.21 (custom) |
|
| Moxa | NAT-102 Series |
Affected:
1.0 , ≤ 3.17
(custom)
Unaffected: 3.21 (custom) |
|
| Moxa | NAT-108 Series |
Affected:
1.0 , ≤ 3.16
(custom)
Unaffected: 3.21 (custom) |
|
| Moxa | OnCell G4302-LTE4 Series |
Affected:
1.0 , ≤ 3.13
(custom)
Unaffected: 3.21.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-17T14:26:30.676617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T14:26:45.416Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EDR-G9010 Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.14",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EDR-8010 Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.17",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EDF-G1002-BP Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.17",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TN-4900 Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.14",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "NAT-102 Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.17",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "NAT-108 Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.16",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "OnCell G4302-LTE4 Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.13",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn Use of Hard-coded Credentials vulnerability has been identified in Moxa\u2019s network security appliances and routers. \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003etheft, and full administrative control over the affected \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edevice. \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhile successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An Use of Hard-coded Credentials vulnerability has been identified in Moxa\u2019s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37: Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T03:19:48.223Z",
"orgId": "2e0a0ee2-d866-482a-9f5e-ac03d156dbaa",
"shortName": "Moxa"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892,-cve-2025-6893,-cve-2025-6894,-cve-2025-6949,-cve-2025-6950-multiple-vulnerabilities-in-netwo"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Moxa has developed appropriate solutions to address the vulnerability. Please refer to\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892,-cve-2025-6893,-cve-2025-6894,-cve-2025-6949,-cve-2025-6950-multiple-vulnerabilities-in-netwo\"\u003ehttps://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892,-cve-202...\u003c/a\u003e"
}
],
"value": "Moxa has developed appropriate solutions to address the vulnerability. Please refer to\u00a0 https://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892,-cve-202... https://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892,-cve-2025-6893,-cve-2025-6894,-cve-2025-6949,-cve-2025-6950-multiple-vulnerabilities-in-netwo"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2e0a0ee2-d866-482a-9f5e-ac03d156dbaa",
"assignerShortName": "Moxa",
"cveId": "CVE-2025-6950",
"datePublished": "2025-10-17T03:19:48.223Z",
"dateReserved": "2025-07-01T05:10:28.304Z",
"dateUpdated": "2025-10-17T14:26:45.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5751 (GCVE-0-2025-5751)
Vulnerability from cvelistv5 – Published: 2025-06-06 15:29 – Updated: 2025-06-06 15:54- CWE-798 - Use of Hard-coded Credentials
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| WOLFBOX | Level 2 EV Charger |
Affected:
3.1.17 (main), 1.2.6 (MCU)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5751",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T15:54:35.554385Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T15:54:40.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Level 2 EV Charger",
"vendor": "WOLFBOX",
"versions": [
{
"status": "affected",
"version": "3.1.17 (main), 1.2.6 (MCU)"
}
]
}
],
"dateAssigned": "2025-06-05T20:45:43.884Z",
"datePublic": "2025-06-06T15:28:39.986Z",
"descriptions": [
{
"lang": "en",
"value": "WOLFBOX Level 2 EV Charger Management Card Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to bypass authentication on affected installations of WOLFBOX Level 2 EV Charger. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of management cards. The issue results from the lack of personalization of management cards. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26292."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T15:29:51.274Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-25-330",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-330/"
}
],
"source": {
"lang": "en",
"value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)"
},
"title": "WOLFBOX Level 2 EV Charger Management Card Hard-coded Credentials Authentication Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2025-5751",
"datePublished": "2025-06-06T15:29:51.274Z",
"dateReserved": "2025-06-05T20:45:43.845Z",
"dateUpdated": "2025-06-06T15:54:40.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5379 (GCVE-0-2025-5379)
Vulnerability from cvelistv5 – Published: 2025-05-31 13:31 – Updated: 2025-06-02 15:47| URL | Tags |
|---|---|
| https://vuldb.com/?id.310672 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.310672 | signaturepermissions-required |
| https://vuldb.com/?submit.582868 | third-party-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T15:28:08.424359Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:47:52.713Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Console Application"
],
"product": "NC-WR744G",
"vendor": "NuCom",
"versions": [
{
"status": "affected",
"version": "8.5.5 Build 20200530.307"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "matuii (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical was found in NuCom NC-WR744G 8.5.5 Build 20200530.307. This vulnerability affects unknown code of the component Console Application. The manipulation of the argument CMCCAdmin/useradmin/CUAdmin leads to hard-coded credentials. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In NuCom NC-WR744G 8.5.5 Build 20200530.307 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Betroffen ist eine unbekannte Verarbeitung der Komponente Console Application. Durch Beeinflussen des Arguments CMCCAdmin/useradmin/CUAdmin mit unbekannten Daten kann eine hard-coded credentials-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-31T13:31:04.543Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-310672 | NuCom NC-WR744G Console Application hard-coded credentials",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.310672"
},
{
"name": "VDB-310672 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.310672"
},
{
"name": "Submit #582868 | NuCom NC-WR744G 8.5.5 (Build:20200530.307-TEMP) Cleartext Storage of Sensitive Information",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.582868"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-30T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-30T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-30T13:39:55.000Z",
"value": "VulDB entry last update"
}
],
"title": "NuCom NC-WR744G Console Application hard-coded credentials"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5379",
"datePublished": "2025-05-31T13:31:04.543Z",
"dateReserved": "2025-05-30T11:34:52.148Z",
"dateUpdated": "2025-06-02T15:47:52.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5023 (GCVE-0-2025-5023)
Vulnerability from cvelistv5 – Published: 2025-07-10 08:34 – Updated: 2025-09-19 00:11 Unsupported When Assigned- CWE-798 - Use of Hard-coded Credentials
| URL | Tags |
|---|---|
| https://www.mitsubishielectric.com/psirt/vulnerab… | vendor-advisory |
| https://jvn.jp/vu/JVNVU90283680/ | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| Mitsubishi Electric Corporation | PV-DR004J |
Affected:
All versions
|
|
| Mitsubishi Electric Corporation | PV-DR004JA |
Affected:
All versions
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-10T14:03:35.221730Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T14:03:50.737Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PV-DR004J",
"vendor": "Mitsubishi Electric Corporation",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PV-DR004JA",
"vendor": "Mitsubishi Electric Corporation",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor \u201cEcoGuideTAB\u201d PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020."
}
],
"value": "Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor \u201cEcoGuideTAB\u201d PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Information disclosure, tampering, and denial-of-service (DoS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T00:11:19.035Z",
"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
"shortName": "Mitsubishi"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-007_en.pdf"
},
{
"tags": [
"government-resource"
],
"url": "https://jvn.jp/vu/JVNVU90283680/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned"
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
"assignerShortName": "Mitsubishi",
"cveId": "CVE-2025-5023",
"datePublished": "2025-07-10T08:34:13.758Z",
"dateReserved": "2025-05-21T05:08:54.662Z",
"dateUpdated": "2025-09-19T00:11:19.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4633 (GCVE-0-2025-4633)
Vulnerability from cvelistv5 – Published: 2025-05-30 08:14 – Updated: 2025-05-30 13:55- CWE-798 - Use of Hard-coded Credentials
| Vendor | Product | Version | |
|---|---|---|---|
| JCT | Airpointer |
Affected:
2.4.107-2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4633",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T13:54:51.269093Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T13:55:29.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Airpointer",
"vendor": "JCT",
"versions": [
{
"status": "affected",
"version": "2.4.107-2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Default credentials were present in the web portal for Airpointer 2.4.107-2, allowing an unauthenticated malicious actor to log in via the web portal"
}
],
"value": "Default credentials were present in the web portal for Airpointer 2.4.107-2, allowing an unauthenticated malicious actor to log in via the web portal"
}
],
"impacts": [
{
"capecId": "CAPEC-70",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-70 Try Common or Default Usernames and Passwords"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T08:14:50.821Z",
"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd",
"shortName": "GovTech CSG"
},
"references": [
{
"url": "https://jct-aq.com/products/airpointer2d/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Default Credentials",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd",
"assignerShortName": "GovTech CSG",
"cveId": "CVE-2025-4633",
"datePublished": "2025-05-30T08:14:50.821Z",
"dateReserved": "2025-05-13T01:42:10.990Z",
"dateUpdated": "2025-05-30T13:55:29.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4570 (GCVE-0-2025-4570)
Vulnerability from cvelistv5 – Published: 2025-07-21 07:52 – Updated: 2025-07-22 02:15- CWE-798 - Use of Hard-coded Credentials
| URL | Tags |
|---|---|
| https://www.asus.com/content/security-advisory/ | vendor-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4570",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-21T17:32:19.471208Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T17:35:33.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MyASUS",
"vendor": "ASUS",
"versions": [
{
"status": "affected",
"version": "4.0.35.0 and earlier"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "MrBruh"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An insecure sensitive key storage issue was found in MyASUS.\u0026nbsp;potentially allowing unauthorized actor to obtain a token that could be used to communicate with certain services.\u003cbr\u003e\n\nRefer to the \u0027Security Update for for MyASUS\u0027 section on the ASUS Security Advisory for more information.\n\n\u003cbr\u003e"
}
],
"value": "An insecure sensitive key storage issue was found in MyASUS.\u00a0potentially allowing unauthorized actor to obtain a token that could be used to communicate with certain services.\n\n\nRefer to the \u0027Security Update for for MyASUS\u0027 section on the ASUS Security Advisory for more information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T02:15:20.471Z",
"orgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1",
"shortName": "ASUS"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.asus.com/content/security-advisory/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1",
"assignerShortName": "ASUS",
"cveId": "CVE-2025-4570",
"datePublished": "2025-07-21T07:52:00.800Z",
"dateReserved": "2025-05-12T09:02:57.366Z",
"dateUpdated": "2025-07-22T02:15:20.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4569 (GCVE-0-2025-4569)
Vulnerability from cvelistv5 – Published: 2025-07-21 07:51 – Updated: 2025-07-22 02:14- CWE-798 - Use of Hard-coded Credentials
| URL | Tags |
|---|---|
| https://www.asus.com/content/security-advisory/ | vendor-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4569",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-21T17:39:25.162005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T17:39:35.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MyASUS",
"vendor": "ASUS",
"versions": [
{
"status": "affected",
"version": "4.0.35.0 and earlier"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "MrBruh"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An insecure sensitive key storage issue was found in MyASUS.\u0026nbsp;potentially allowing unauthorized actor to obtain a token that could be used to communicate with certain services.\u003cbr\u003e\n\nRefer to the \u0027Security Update for for MyASUS\u0027 section on the ASUS Security Advisory for more information.\n\n\u003cbr\u003e"
}
],
"value": "An insecure sensitive key storage issue was found in MyASUS.\u00a0potentially allowing unauthorized actor to obtain a token that could be used to communicate with certain services.\n\n\nRefer to the \u0027Security Update for for MyASUS\u0027 section on the ASUS Security Advisory for more information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T02:14:11.303Z",
"orgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1",
"shortName": "ASUS"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.asus.com/content/security-advisory/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1",
"assignerShortName": "ASUS",
"cveId": "CVE-2025-4569",
"datePublished": "2025-07-21T07:51:35.221Z",
"dateReserved": "2025-05-12T09:02:55.698Z",
"dateUpdated": "2025-07-22T02:14:11.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4378 (GCVE-0-2025-4378)
Vulnerability from cvelistv5 – Published: 2025-06-24 16:27 – Updated: 2026-06-05 14:50| URL | Tags |
|---|---|
| https://www.usom.gov.tr/bildirim/tr-25-0135 | government-resourcebroken-link |
| https://siberguvenlik.gov.tr/guvenlik-bildirimler… | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| Ataturk University | ATA-AOF Mobile Application |
Affected:
0 , < 20.06.2025
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-25T13:40:51.291402Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T13:40:57.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ATA-AOF Mobile Application",
"vendor": "Ataturk University",
"versions": [
{
"lessThan": "20.06.2025",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Enes Alperen H\u00fcr\u00fcm"
},
{
"lang": "en",
"type": "reporter",
"value": "Berat U\u011fur Demirkan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile Application allows Authentication Abuse, Authentication Bypass.\u003cp\u003eThis issue affects ATA-AOF Mobile Application: before 20.06.2025.\u003c/p\u003e"
}
],
"value": "Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile Application allows Authentication Abuse, Authentication Bypass.\n\nThis issue affects ATA-AOF Mobile Application: before 20.06.2025."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T14:50:43.838Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"tags": [
"government-resource",
"broken-link"
],
"url": "https://www.usom.gov.tr/bildirim/tr-25-0135"
},
{
"tags": [
"government-resource"
],
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0135"
}
],
"source": {
"advisory": "TR-25-0135",
"defect": [
"TR-25-0135"
],
"discovery": "UNKNOWN"
},
"title": "Hardcoded Credentials in Ataturk University\u0027s ATA-AOF Mobile Application",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2025-4378",
"datePublished": "2025-06-24T16:27:02.988Z",
"dateReserved": "2025-05-06T08:00:28.847Z",
"dateUpdated": "2026-06-05T14:50:43.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-4130 (GCVE-0-2025-4130)
Vulnerability from cvelistv5 – Published: 2025-07-21 14:01 – Updated: 2026-06-05 17:32- CWE-798 - Use of Hard-coded Credentials
| URL | Tags |
|---|---|
| https://www.usom.gov.tr/bildirim/tr-25-0166 | government-resourcebroken-link |
| https://siberguvenlik.gov.tr/guvenlik-bildirimler… | government-resource |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-21T14:44:11.839471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T14:46:39.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PAVO Pay",
"vendor": "PAVO Inc.",
"versions": [
{
"lessThan": "13.05.2025",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mustafa Anil YILDIRIM"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Hard-coded Credentials vulnerability in PAVO Inc. PAVO Pay allows Read Sensitive Constants Within an Executable.\u003cp\u003eThis issue affects PAVO Pay: before 13.05.2025.\u003c/p\u003e"
}
],
"value": "Use of Hard-coded Credentials vulnerability in PAVO Inc. PAVO Pay allows Read Sensitive Constants Within an Executable.\n\nThis issue affects PAVO Pay: before 13.05.2025."
}
],
"impacts": [
{
"capecId": "CAPEC-191",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-191 Read Sensitive Constants Within an Executable"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:32:13.519Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"tags": [
"government-resource",
"broken-link"
],
"url": "https://www.usom.gov.tr/bildirim/tr-25-0166"
},
{
"tags": [
"government-resource"
],
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0166"
}
],
"source": {
"advisory": "TR-25-0166",
"defect": [
"TR-25-0166"
],
"discovery": "UNKNOWN"
},
"title": "Hardcoded Credentials in PAVO Inc.\u0027s PAVO Pay",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2025-4130",
"datePublished": "2025-07-21T14:01:06.978Z",
"dateReserved": "2025-04-30T08:32:38.481Z",
"dateUpdated": "2026-06-05T17:32:13.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
- In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Mitigation
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
- Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
- For front-end to back-end connections: Three solutions are possible, although none are complete.
- The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
- Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
- Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable
An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.
CAPEC-70: Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.