Total
1385 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-38337 | 1 Mobatek | 1 Mobaxterm | 2025-04-24 | N/A | 9.1 CRITICAL |
| When aborting a SFTP connection, MobaXterm before v22.1 sends a hardcoded password to the server. The server treats this as an invalid login attempt which can result in a Denial of Service (DoS) for the user if services like fail2ban are used. | |||||
| CVE-2025-2765 | 2025-04-23 | N/A | 7.6 HIGH | ||
| CarlinKit CPC200-CCPA Wireless Hotspot Hard-Coded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of CarlinKit CPC200-CCPA devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the wireless hotspot. The issue results from the use of hard-coded credentials. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-24349. | |||||
| CVE-2023-40236 | 1 Pexip | 1 Virtual Meeting Rooms | 2025-04-23 | N/A | 5.3 MEDIUM |
| In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass. | |||||
| CVE-2022-34840 | 1 Buffalo | 18 Hw-450hp-zwe, Hw-450hp-zwe Firmware, Wzr-300hp and 15 more | 2025-04-23 | N/A | 6.5 MEDIUM |
| Use of hard-coded credentials vulnerability in multiple Buffalo network devices allows a network-adjacent attacker to alter?configuration settings of the device. The affected products/versions are as follows: WZR-300HP firmware Ver. 2.00 and earlier, WZR-450HP firmware Ver. 2.00 and earlier, WZR-600DHP firmware Ver. 2.00 and earlier, WZR-900DHP firmware Ver. 1.15 and earlier, HW-450HP-ZWE firmware Ver. 2.00 and earlier, WZR-450HP-CWT firmware Ver. 2.00 and earlier, WZR-450HP-UB firmware Ver. 2.00 and earlier, WZR-600DHP2 firmware Ver. 1.15 and earlier, and WZR-D1100H firmware Ver. 2.00 and earlier. | |||||
| CVE-2025-28230 | 2025-04-22 | N/A | 9.1 CRITICAL | ||
| Incorrect access control in JMBroadcast JMB0150 Firmware v1.0 allows attackers to access hardcoded administrator credentials. | |||||
| CVE-2025-30406 | 1 Gladinet | 1 Centrestack | 2025-04-22 | N/A | 9.0 CRITICAL |
| Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config. | |||||
| CVE-2017-2283 | 1 Iodata | 2 Wn-g300r3, Wn-g300r3 Firmware | 2025-04-20 | 5.8 MEDIUM | 8.0 HIGH |
| WN-G300R3 firmware version 1.0.2 and earlier uses hardcoded credentials which may allow an attacker that can access the device to execute arbitrary code on the device. | |||||
| CVE-2017-5167 | 1 Binom3 | 2 Universal Multifunctional Electric Power Quality Meter, Universal Multifunctional Electric Power Quality Meter Firmware | 2025-04-20 | 7.5 HIGH | 8.6 HIGH |
| An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter. Users do not have any option to change their own passwords. | |||||
| CVE-2017-7576 | 1 Dragonwavex | 2 Horizon Wireless Radio, Horizon Wireless Radio Firmware | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| DragonWave Horizon 1.01.03 wireless radios have hardcoded login credentials (such as the username of energetic and password of wireless) meant to allow the vendor to access the devices. These credentials can be used in the web interface or by connecting to the device via TELNET. This is fixed in recent versions including 1.4.8. | |||||
| CVE-2017-9488 | 1 Cisco | 4 Dpc3939, Dpc3939 Firmware, Dpc3941t and 1 more | 2025-04-20 | 5.8 MEDIUM | 8.8 HIGH |
| The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST) and DPC3941T (firmware version DPC3941_2.5s3_PROD_sey) devices allows remote attackers to access the web UI by establishing a session to the wan0 WAN IPv6 address and then entering unspecified hardcoded credentials. This wan0 interface cannot be accessed from the public Internet. | |||||
| CVE-2017-17107 | 1 Zivif | 2 Pr115-204-p-rs, Pr115-204-p-rs Firmware | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1029 password for the root user. The SONIX operating system's setup renders this password unchangeable and it can be used to access the device via a TELNET session. | |||||
| CVE-2017-6022 | 1 Bd | 2 Kla Journal Service, Performa | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| A hard-coded password issue was discovered in Becton, Dickinson and Company (BD) PerformA, Version 2.0.14.0 and prior versions, and KLA Journal Service, Version 1.0.51 and prior versions. They use hard-coded passwords to access the BD Kiestra Database, which could be leveraged to compromise the confidentiality of limited PHI/PII information stored in the BD Kiestra Database. | |||||
| CVE-2015-2887 | 1 Ibaby | 2 M3s Baby Monitor, M3s Baby Monitor Firmware | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| iBaby M3S has a password of admin for the backdoor admin account. | |||||
| CVE-2017-9957 | 1 Schneider-electric | 1 U.motion Builder | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the web service contains a hidden system account with a hardcoded password. An attacker can use this information to log into the system with high-privilege credentials. | |||||
| CVE-2017-9649 | 1 Mirion Technologies | 14 Dmc 3000, Dmc 3000 Firmware, Drm-1\/2 and 11 more | 2025-04-20 | 5.4 MEDIUM | 5.0 MEDIUM |
| A Use of Hard-Coded Cryptographic Key issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). An unchangeable, factory-set key is included in the 900 MHz transmitter firmware. | |||||
| CVE-2017-11694 | 1 Medhost | 1 Medhost Document Management System | 2025-04-20 | 6.4 MEDIUM | 9.1 CRITICAL |
| MEDHOST Document Management System contains hard-coded credentials that are used for Apache Solr access. An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with Apache Solr may be able to obtain or modify sensitive patient and financial information. The Apache Solr account name is dms. The password is hard-coded throughout the application, and is the same across all installations. Customers do not have the option to change passwords. The dms account for Apache Solr has access to all indexed patient documents. | |||||
| CVE-2017-8772 | 1 Twsz | 2 Wifi Repeater, Wifi Repeater Firmware | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet (which is open by default) with default credentials as root (username:"root" password:"root") and can: 1. Read the entire file system; 2. Write to the file system; or 3. Execute any code that attacker desires (malicious or not). | |||||
| CVE-2016-10307 | 1 Gotrango | 10 Apex Lynx, Apex Lynx Firmware, Apex Orion and 7 more | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| Trango ApexLynx 2.0, ApexOrion 2.0, GigaLynx 2.0, GigaOrion 2.0, and StrataLink 3.0 devices have a built-in, hidden root account, with a default password for which the MD5 hash value is public (but the cleartext value is perhaps not yet public). This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it. | |||||
| CVE-2016-8567 | 1 Siemens | 1 Sicam Pas\/pqs | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Siemens SICAM PAS before 8.00. A factory account with hard-coded passwords is present in the SICAM PAS installations. Attackers might gain privileged access to the database over Port 2638/TCP. | |||||
| CVE-2017-14021 | 1 Korenix | 18 Jetnet5018g Firmware, Jetnet5310g Firmware, Jetnet5428g-2g-2fx Firmware and 15 more | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| A Use of Hard-coded Cryptographic Key issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G version 1.4a, JetNet5428G-2G-2FX version 1.4, JetNet5628G-R version 1.4, JetNet5628G version 1.4, JetNet5728G-24P version 1.4, JetNet5828G version 1.1d, JetNet6710G-HVDC version 1.1e, and JetNet6710G version 1.1. An attacker may gain access to hard-coded certificates and private keys allowing the attacker to perform man-in-the-middle attacks. | |||||