CVEbaza.plCWE DictionaryCWE-259
Common Weakness Enumeration

CWE-259

Use of Hard-coded Password

Category: VariantCVE: 194
Description

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

CVE vulnerabilities with CWE-259 (194)
10.0
CVSS
CRITICAL
CVE-2024-32741

A vulnerability has been identified in SIMATIC CN 4100 (All versions < V3.0). The affected device contains hard coded password which is used for the privileged system user `root` and for the boot loader `GRUB` by default . An attacker who manages to crack the password hash gains root access to the device.

pub. 2024-05-14
10.0
CVSS
CRITICAL
CVE-2022-45444

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 contains hard-coded passwords for select users in the application’s database. This could allow a remote attacker to login to the database with unrestricted access.

pub. 2023-01-18
10.0
CVSS
HIGH
CVE-2014-2363

Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

pub. 2014-07-26
10.0
CVSS
HIGH
CVE-2012-5862

These Sinapsi devices store hard-coded passwords in the PHP file of the device. By using the hard-coded passwords in the device, attackers can log into the device with administrative privileges. This could allow the attacker to have unauthorized access.

pub. 2012-11-23
9.9
CVSS
CRITICAL
CVE-2025-20286

A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. This vulnerability exists because credentials are improperly generated when Cisco ISE is being deployed on cloud platforms, resulting in different Cisco ISE deployments sharing the same credentials. These credentials are shared across multiple Cisco ISE deployments as long as the software release and cloud platform are the same. An attacker could exploit this vulnerability by extracting the user credentials from Cisco ISE that is deployed in the cloud and then using them to access Cisco ISE that is deployed in other cloud environments through unsecured ports. A successful exploit could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. Note: If the Primary Administration node is deployed in the cloud, then Cisco ISE is affected by this vulnerability. If the Primary Administration node is on-premises, then it is not affected.

pub. 2025-06-04
9.8
CVSS
CRITICAL
CVE-2026-35905

T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 were discovered to contain a hardcoded password for root access under the "superadmin" account.

pub. 2026-06-04
9.8
CVSS
CRITICAL
CVE-2025-70041

An issue pertaining to CWE-259: Use of Hard-coded Password was discovered in oslabs-beta ThermaKube master.

pub. 2026-03-11
9.8
CVSS
CRITICAL
CVE-2025-30115

An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Default Credentials Cannot Be Changed. It uses a fixed default SSID and password ("qwertyuiop"), which cannot be modified by users. The SSID is continuously broadcast, allowing unauthorized access to the device network.

pub. 2025-03-18
9.8
CVSS
CRITICAL
CVE-2025-27638

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.1002 Application 20.0.2614 allows Hardcoded Password V-2024-013.

pub. 2025-03-05
9.8
CVSS
CRITICAL
CVE-2025-1100

A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root privileges via SSH.

pub. 2025-02-12
9.8
CVSS
CRITICAL
CVE-2024-25825

FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 17.1 R114, and OpenFyde R114 were discovered to be configured with the root password saved as a wildcard. This allows attackers to gain root access without a password.

pub. 2024-10-09
9.8
CVSS
CRITICAL
CVE-2023-37231

Loftware Spectrum before 4.6 HF14 uses a Hard-coded Password.

pub. 2024-09-10
9.8
CVSS
CRITICAL
CVE-2024-42639

H3C GR1100-P v100R009 was discovered to use a hardcoded password in /etc/shadow, which allows attackers to log in as root.

pub. 2024-08-16
9.8
CVSS
CRITICAL
CVE-2024-41616

D-Link DIR-300 REVA FIRMWARE v1.06B05_WW contains hardcoded credentials in the Telnet service.

pub. 2024-08-06
9.8
CVSS
CRITICAL
CVE-2024-36526

ZKTeco ZKBio CVSecurity v6.1.1 was discovered to contain a hardcoded cryptographic key.

pub. 2024-07-09
9.8
CVSS
CRITICAL
CVE-2023-46685

A hard-coded password vulnerability exists in the telnetd functionality of LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623. A set of specially crafted network packets can lead to arbitrary command execution.

pub. 2024-07-08
9.8
CVSS
CRITICAL
CVE-2024-38902

H3C Magic R230 V100R002 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.

pub. 2024-06-24
9.8
CVSS
CRITICAL
CVE-2024-33625

CyberPower PowerPanel business application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass authentication.

pub. 2024-05-15
9.8
CVSS
CRITICAL
CVE-2024-34025

CyberPower PowerPanel business application code contains a hard-coded set of authentication credentials. This could result in an attacker bypassing authentication and gaining administrator privileges.

pub. 2024-05-15
9.8
CVSS
CRITICAL
CVE-2024-31810

TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a hardcoded password for root at /etc/shadow.sample.

pub. 2024-05-14
Showing 20 of 194 vulnerabilities
Information
ID: CWE-259
Type: Variant
Vulnerabilities: 194
MITRE CWE ↗
← CWE Dictionary