Common Weakness Enumeration

CWE-798

Allowed-with-Review

Use of Hard-coded Credentials

Abstraction: Base · Status: Draft

The product contains hard-coded credentials, such as a password or cryptographic key.

2178 vulnerabilities reference this CWE, most recent first.

GHSA-4M32-CJV7-F425

Vulnerability from github – Published: 2025-11-14 21:52 – Updated: 2026-05-12 13:31
VLAI
Summary
AstrBot is vulnerable to RCE with hard-coded JWT signing keys
Details

Summary

AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin.

Details

AstrBot uses a hard-coded JWT signing key, which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python plugin that will be imported here, enabling arbitrary command execution on the target host.

Impact

All publicly accessible AstrBot instances are vulnerable.

For more information, please see: CVE-2025-55449-AstrBot-RCE

Patch

This vulnerability was first reported on 2025-06-21 and was patched on the same day (2025-06-21).

The vulnerability was publicly disclosed on 2025-11-14. Prior to public disclosure, monitoring from AstrBot Cloud indicated that fewer than 2% of deployed instances were still running the affected version. Therefore, this disclosure is not expected to have a significant impact on existing active instances.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "astrbot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-345",
      "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-14T21:52:23Z",
    "nvd_published_at": "2026-05-08T07:16:28Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nAstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin.\n\n### Details\n\nAstrBot uses a [hard-coded JWT signing key](https://github.com/AstrBotDevs/AstrBot/blob/v3.5.16/astrbot/core/__init__.py), which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python plugin that will be imported [here](https://github.com/AstrBotDevs/AstrBot/blob/master/astrbot/dashboard/routes/plugin.py), enabling arbitrary command execution on the target host.\n\n### Impact\n\nAll publicly accessible AstrBot instances are vulnerable.\n\nFor more information, please see: [CVE-2025-55449-AstrBot-RCE](https://github.com/Marven11/CVE-2025-55449-AstrBot-RCE)\n\n### Patch\n\nThis vulnerability was first reported on **2025-06-21** and was patched on the **same day** (2025-06-21).\n\nThe vulnerability was publicly disclosed on **2025-11-14**. Prior to public disclosure, monitoring from AstrBot Cloud indicated that fewer than 2% of deployed instances were still running the affected version. Therefore, this disclosure is not expected to have a significant impact on existing active instances.",
  "id": "GHSA-4m32-cjv7-f425",
  "modified": "2026-05-12T13:31:11Z",
  "published": "2025-11-14T21:52:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-4m32-cjv7-f425"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55449"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AstrBotDevs/AstrBot/commit/d03e9fb90a0921a1bd10cf480bdacc9aaa246472"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AstrBotDevs/AstrBot"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AstrBotDevs/AstrBot/releases/tag/v3.5.18"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Marven11/CVE-2025-55449-AstrBot-RCE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AstrBot is vulnerable to RCE with hard-coded JWT signing keys"
}

GHSA-4M4R-X763-43Q2

Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2022-03-04 00:00
VLAI
Details

Trend Micro ServerProtect 6.0/5.8 Information Server uses a static credential to perform authentication when a specific command is typed in the console. An unauthenticated remote attacker with access to the Information Server could exploit this to register to the server and perform authenticated actions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-24T03:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Trend Micro ServerProtect 6.0/5.8 Information Server uses a static credential to perform authentication when a specific command is typed in the console. An unauthenticated remote attacker with access to the Information Server could exploit this to register to the server and perform authenticated actions.",
  "id": "GHSA-4m4r-x763-43q2",
  "modified": "2022-03-04T00:00:35Z",
  "published": "2022-02-25T00:01:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25329"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/solution/000290507"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2022-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4M62-4495-GJ4G

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08
VLAI
Details

Dell EMC Networking S4100 and S5200 Series Switches manufactured prior to February 2020 contain a hardcoded credential vulnerability. A remote unauthenticated malicious user could exploit this vulnerability and gain administrative privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5349"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-19T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Dell EMC Networking S4100 and S5200 Series Switches manufactured prior to February 2020 contain a hardcoded credential vulnerability. A remote unauthenticated malicious user could exploit this vulnerability and gain administrative privileges.",
  "id": "GHSA-4m62-4495-gj4g",
  "modified": "2022-05-24T19:08:30Z",
  "published": "2022-05-24T19:08:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5349"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/article/en-us/sln320599/dsa-2020-074-dell-networking-security-update-for-a-hardcoded-credential-vulnerability?lang=en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4MM6-CG2P-RQ25

Vulnerability from github – Published: 2022-05-14 02:51 – Updated: 2022-05-14 02:51
VLAI
Details

Softing FG-100 PB PROFIBUS firmware version FG-x00-PB_V2.02.0.00 contains a hardcoded password for the root account, which allows remote attackers to obtain administrative access via a TELNET session.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-6617"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-09T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Softing FG-100 PB PROFIBUS firmware version FG-x00-PB_V2.02.0.00 contains a hardcoded password for the root account, which allows remote attackers to obtain administrative access via a TELNET session.",
  "id": "GHSA-4mm6-cg2p-rq25",
  "modified": "2022-05-14T02:51:14Z",
  "published": "2022-05-14T02:51:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-6617"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98512"
    },
    {
      "type": "WEB",
      "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2014-005_softring_backdoor_account.txt"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/128976/Softing-FG-100-PB-Hardcoded-Backdoor.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/533902/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/70927"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4MQF-R24P-F3VH

Vulnerability from github – Published: 2026-02-13 00:32 – Updated: 2026-02-13 00:32
VLAI
Details

Heatmiser Netmonitor 3.03 contains a hardcoded credentials vulnerability in the networkSetup.htm page with predictable admin login credentials. Attackers can access the device by using the hard-coded username 'admin' and password 'admin' in the hidden form input fields.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-12T23:16:03Z",
    "severity": "CRITICAL"
  },
  "details": "Heatmiser Netmonitor 3.03 contains a hardcoded credentials vulnerability in the networkSetup.htm page with predictable admin login credentials. Attackers can access the device by using the hard-coded username \u0027admin\u0027 and password \u0027admin\u0027 in the hidden form input fields.",
  "id": "GHSA-4mqf-r24p-f3vh",
  "modified": "2026-02-13T00:32:52Z",
  "published": "2026-02-13T00:32:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25322"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20190724160628/https://www.heatmiser.com/en"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/47823"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/heatmiser-netmonitor-hardcoded-credentials"
    },
    {
      "type": "WEB",
      "url": "https://www.zoneregeling.nl/heatmiser/netmonitor-handleiding.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4PGR-VXFC-4WM7

Vulnerability from github – Published: 2022-07-21 00:00 – Updated: 2022-07-28 00:00
VLAI
Details

Wavlink WN530HG4 M30HG4.V5030.191116 was discovered to contain a hardcoded encryption/decryption key for its configuration files at /etc_ro/lighttpd/www/cgi-bin/ExportAllSettings.sh.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34045"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-20T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Wavlink WN530HG4 M30HG4.V5030.191116 was discovered to contain a hardcoded encryption/decryption key for its configuration files at /etc_ro/lighttpd/www/cgi-bin/ExportAllSettings.sh.",
  "id": "GHSA-4pgr-vxfc-4wm7",
  "modified": "2022-07-28T00:00:41Z",
  "published": "2022-07-21T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34045"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1s5uZGC_iSzfCJt9BJ8h-P24vmsrmttrf/view?usp=sharing"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4PJ9-45VQ-JVVH

Vulnerability from github – Published: 2023-05-04 00:30 – Updated: 2024-04-04 03:47
VLAI
Details

A use of hard-coded credentials vulnerability [CWE-798] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions may allow an authenticated attacker to access to the database via shell commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26203"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-03T22:15:18Z",
    "severity": "HIGH"
  },
  "details": "A use of hard-coded credentials vulnerability [CWE-798] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions may allow an authenticated attacker to access to the database via shell commands.",
  "id": "GHSA-4pj9-45vq-jvvh",
  "modified": "2024-04-04T03:47:44Z",
  "published": "2023-05-04T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26203"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-22-520"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4PQ3-X47M-6W2Q

Vulnerability from github – Published: 2022-05-14 01:05 – Updated: 2022-05-14 01:05
VLAI
Details

Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-26T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users\u0027 Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed.",
  "id": "GHSA-4pq3-x47m-6w2q",
  "modified": "2022-05-14T01:05:26Z",
  "published": "2022-05-14T01:05:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3762"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/product_security/LEN-15999"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/05/08/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/05/08/4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/05/08/5"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102837"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4PVM-5X6H-F3QP

Vulnerability from github – Published: 2025-01-14 15:30 – Updated: 2025-01-14 15:30
VLAI
Details

A use of hard-coded cryptographic key in Fortinet FortiClientWindows version 7.4.0, 7.2.x all versions, 7.0.x all versions, and 6.4.x all versions may allow a low-privileged user to decrypt interprocess communication via monitoring named piped.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T14:15:33Z",
    "severity": "LOW"
  },
  "details": "A use of hard-coded cryptographic key in Fortinet FortiClientWindows version 7.4.0, 7.2.x all versions, 7.0.x all versions, and 6.4.x all versions may allow a low-privileged user to decrypt interprocess communication via monitoring named piped.",
  "id": "GHSA-4pvm-5x6h-f3qp",
  "modified": "2025-01-14T15:30:54Z",
  "published": "2025-01-14T15:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50564"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-216"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4QPP-M6MP-8JJ7

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

Versions of DocuTrac QuicDoc and Office Therapy that ship with DTISQLInstaller.exe version 1.6.4.0 and prior contain three credentials with known passwords: QDMaster, OTMaster, and sa.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-19T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Versions of DocuTrac QuicDoc and Office Therapy that ship with DTISQLInstaller.exe version 1.6.4.0 and prior contain three credentials with known passwords: QDMaster, OTMaster, and sa.",
  "id": "GHSA-4qpp-m6mp-8jj7",
  "modified": "2022-05-13T01:32:05Z",
  "published": "2022-05-13T01:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5551"
    },
    {
      "type": "WEB",
      "url": "https://blog.rapid7.com/2018/03/14/r7-2018-01-cve-2018-5551-cve-2018-5552-docutrac-office-therapy-installer-hard-coded-credentials-and-cryptographic-salt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
  • In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
Architecture and Design

For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.

Mitigation
Architecture and Design

If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.

Mitigation
Architecture and Design
  • For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
  • Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
Architecture and Design
  • For front-end to back-end connections: Three solutions are possible, although none are complete.
  • The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
  • Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
  • Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable

An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.

CAPEC-70: Try Common or Default Usernames and Passwords

An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.