CWE-798
Allowed-with-ReviewUse of Hard-coded Credentials
Abstraction: Base · Status: Draft
The product contains hard-coded credentials, such as a password or cryptographic key.
2176 vulnerabilities reference this CWE, most recent first.
GHSA-3VV5-PRRW-675Q
Vulnerability from github – Published: 2022-05-14 01:42 – Updated: 2022-05-14 01:42COMPAREX Miss Marple Enterprise Edition before 2.0 allows local users to execute arbitrary code by reading the user name and encrypted password hard-coded in an Inventory Agent configuration file.
{
"affected": [],
"aliases": [
"CVE-2018-19233"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-20T17:29:00Z",
"severity": "HIGH"
},
"details": "COMPAREX Miss Marple Enterprise Edition before 2.0 allows local users to execute arbitrary code by reading the user name and encrypted password hard-coded in an Inventory Agent configuration file.",
"id": "GHSA-3vv5-prrw-675q",
"modified": "2022-05-14T01:42:28Z",
"published": "2022-05-14T01:42:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19233"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2018/Nov/37"
},
{
"type": "WEB",
"url": "https://www.sec-consult.com/en/blog/advisories/multiple-critical-vulnerabilities-in-miss-marple-enterprise-edition"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/150427/Miss-Marple-Enterprise-Edition-File-Upload-Hardcoded-AES-Key.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/Nov/55"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3W5R-GMMJ-PRC2
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2025-10-22 00:31An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
{
"affected": [],
"aliases": [
"CVE-2020-8657"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-06T18:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.",
"id": "GHSA-3w5r-gmmj-prc2",
"modified": "2025-10-22T00:31:50Z",
"published": "2022-05-24T17:08:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8657"
},
{
"type": "WEB",
"url": "https://github.com/EyesOfNetworkCommunity/eonapi/issues/17"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8657"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3W88-GMX5-RX4V
Vulnerability from github – Published: 2022-08-26 00:03 – Updated: 2022-09-03 00:00Nortek Linear eMerge E3-Series devices through 0.32-09c place admin credentials in /test.txt that allow an attacker to open a building's doors. (This occurs in situations where the CVE-2019-7271 default credentials have been changed.)
{
"affected": [],
"aliases": [
"CVE-2022-31269"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-25T22:15:00Z",
"severity": "HIGH"
},
"details": "Nortek Linear eMerge E3-Series devices through 0.32-09c place admin credentials in /test.txt that allow an attacker to open a building\u0027s doors. (This occurs in situations where the CVE-2019-7271 default credentials have been changed.)",
"id": "GHSA-3w88-gmx5-rx4v",
"modified": "2022-09-03T00:00:17Z",
"published": "2022-08-26T00:03:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31269"
},
{
"type": "WEB",
"url": "https://eg.linkedin.com/in/omar-1-hashem"
},
{
"type": "WEB",
"url": "https://gist.github.com/omarhashem123/71ec9223e90ea76a76096d777d9b945c"
},
{
"type": "WEB",
"url": "https://www.nortekcontrol.com/access-control"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167990/Nortek-Linear-eMerge-E3-Series-Credential-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3WR6-M7V6-4X3G
Vulnerability from github – Published: 2022-02-01 00:00 – Updated: 2026-07-05 00:31PrinterLogic Web Stack versions 19.1.1.13 SP9 and below use a hardcoded APP_KEY value, leading to pre-auth remote code execution.
{
"affected": [],
"aliases": [
"CVE-2021-42635"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-31T18:15:00Z",
"severity": "HIGH"
},
"details": "PrinterLogic Web Stack versions 19.1.1.13 SP9 and below use a hardcoded APP_KEY value, leading to pre-auth remote code execution.",
"id": "GHSA-3wr6-m7v6-4x3g",
"modified": "2026-07-05T00:31:24Z",
"published": "2022-02-01T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42635"
},
{
"type": "WEB",
"url": "https://portswigger.net/daily-swig/printerlogic-vendor-addresses-triple-rce-threat-against-all-connected-endpoints"
},
{
"type": "WEB",
"url": "https://securityaffairs.co/wordpress/127194/security/printerlogic-printer-management-suite-flaws.html"
},
{
"type": "WEB",
"url": "https://thecyberthrone.in/2022/01/26/printerlogic-%F0%9F%96%A8-fixes-critical-vulnerabilities-in-its-suite/?utm_source=rss\u0026utm_medium=rss\u0026utm_campaign=printerlogic-%25f0%259f%2596%25a8-fixes-critical-vulnerabilities-in-its-suite"
},
{
"type": "WEB",
"url": "https://www.printerlogic.com/security-bulletin"
},
{
"type": "WEB",
"url": "https://www.securityweek.com/printerlogic-patches-code-execution-flaws-printer-management-suite"
},
{
"type": "WEB",
"url": "https://www.yahooinc.com/paranoids/paranoids-vulnerability-research-printerlogic-issues-security-alert"
},
{
"type": "WEB",
"url": "http://printerlogic.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3WXJ-WJ2J-9JPG
Vulnerability from github – Published: 2024-01-12 18:30 – Updated: 2024-01-22 21:31The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware.
Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.
{
"affected": [],
"aliases": [
"CVE-2023-28897"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-12T16:15:51Z",
"severity": "MODERATE"
},
"details": "The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware.\n\nVulnerability discovered on \u0160koda Superb III (3V3) - 2.0 TDI manufactured in 2022.\n",
"id": "GHSA-3wxj-wj2j-9jpg",
"modified": "2024-01-22T21:31:05Z",
"published": "2024-01-12T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28897"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/cve-2023-28897"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3X39-7GWG-8X8P
Vulnerability from github – Published: 2025-09-19 21:31 – Updated: 2025-09-24 21:30Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.951 and Application prior to 20.0.2368 (VA and SaaS deployments) contain shared, hardcoded SSH host private keys in the appliance image. The same private host keys (RSA, ECDSA, and ED25519) are present across installations, rather than being uniquely generated per appliance. An attacker who obtains these private keys (for example from one compromised appliance image or another installation) can impersonate the appliance, decrypt or intercept SSH connections to appliances that use the same keys, and perform man-in-the-middle or impersonation attacks against administrative SSH sessions.
{
"affected": [],
"aliases": [
"CVE-2025-34198"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T19:15:40Z",
"severity": "CRITICAL"
},
"details": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.951 and Application prior to 20.0.2368 (VA and SaaS deployments) contain shared, hardcoded SSH host private keys in the appliance image. The same private host keys (RSA, ECDSA, and ED25519) are present across installations, rather than being uniquely generated per appliance. An attacker who obtains these private keys (for example from one compromised appliance image or another installation) can impersonate the appliance, decrypt or intercept SSH connections to appliances that use the same keys, and perform man-in-the-middle or impersonation attacks against administrative SSH sessions.",
"id": "GHSA-3x39-7gwg-8x8p",
"modified": "2025-09-24T21:30:36Z",
"published": "2025-09-19T21:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34198"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-hardcoded-ssh-keys"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-shared-hardcoded-ssh-host-private-keys-in-appliance-image"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3X5J-9VWR-8RR5
Vulnerability from github – Published: 2023-02-23 22:10 – Updated: 2024-09-20 21:41Impact
This is a vulnerability which affects anyone using Gradio's share links (i.e. creating a Gradio app and then setting share=True) with Gradio versions older than 3.13.1. In these older versions of Gradio, a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides.
Patches
The problem has been patched. Ideally, users should upgrade to gradio==3.19.1 or later where the FRP solution has been properly tested.
Credit
Credit to Greg Sadetsky and Samuel Tremblay-Cossette for alerting the team
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "gradio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.13.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-25823"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-23T22:10:19Z",
"nvd_published_at": "2023-02-23T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nThis is a vulnerability which affects anyone using Gradio\u0027s share links (i.e. creating a Gradio app and then setting `share=True`) with Gradio versions older than 3.13.1. In these older versions of Gradio, a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users\u0027 shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. \n\n### Patches\nThe problem has been patched. Ideally, users should upgrade to `gradio==3.19.1` or later where the FRP solution has been properly tested. \n\n### Credit\nCredit to Greg Sadetsky and Samuel Tremblay-Cossette for alerting the team",
"id": "GHSA-3x5j-9vwr-8rr5",
"modified": "2024-09-20T21:41:25Z",
"published": "2023-02-23T22:10:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-3x5j-9vwr-8rr5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25823"
},
{
"type": "PACKAGE",
"url": "https://github.com/gradio-app/gradio"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-16.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Update share links to use FRP instead of SSH tunneling"
}
GHSA-3XH8-38H4-QX97
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
{
"affected": [],
"aliases": [
"CVE-2017-13100"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-15T22:29:00Z",
"severity": "HIGH"
},
"details": "DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.",
"id": "GHSA-3xh8-38h4-qx97",
"modified": "2022-05-13T01:37:42Z",
"published": "2022-05-13T01:37:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13100"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/787952"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3XPF-GG8X-9H3C
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09Hardcoded default root credentials exist on the ecobee3 lite 4.5.81.200 device. This allows a threat actor to gain access to the password-protected bootloader environment through the serial console.
{
"affected": [],
"aliases": [
"CVE-2021-27952"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-03T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Hardcoded default root credentials exist on the ecobee3 lite 4.5.81.200 device. This allows a threat actor to gain access to the password-protected bootloader environment through the serial console.",
"id": "GHSA-3xpf-gg8x-9h3c",
"modified": "2022-05-24T19:09:52Z",
"published": "2022-05-24T19:09:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27952"
},
{
"type": "WEB",
"url": "https://www.l9group.com/advisories/hard-coded-default-root-credentials-for-all-ecobee3-lite-devices"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-423R-R42Q-J5MC
Vulnerability from github – Published: 2025-10-28 06:31 – Updated: 2025-10-28 06:31Use of Hard-Coded Credentials issue exists in MZK-DP300N version 1.07 and earlier, which may allow an attacker within the local network to log in to the affected device via Telnet and execute arbitrary commands.
{
"affected": [],
"aliases": [
"CVE-2025-62777"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-28T05:15:48Z",
"severity": "HIGH"
},
"details": "Use of Hard-Coded Credentials issue exists in MZK-DP300N version 1.07 and earlier, which may allow an attacker within the local network to log in to the affected device via Telnet and execute arbitrary commands.",
"id": "GHSA-423r-r42q-j5mc",
"modified": "2025-10-28T06:31:05Z",
"published": "2025-10-28T06:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62777"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN00021602"
},
{
"type": "WEB",
"url": "https://www.planex.co.jp/products/mzk-dp300n"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
- For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
- In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Mitigation
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
- Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
- For front-end to back-end connections: Three solutions are possible, although none are complete.
- The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
- Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
- Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable
An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.
CAPEC-70: Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.