Vulnerabilities (CVE)

Filtered by CWE-798
Total 1522 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-34197 1 Vasion 2 Virtual Appliance Application, Virtual Appliance Host 2025-10-02 N/A 7.8 HIGH
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.951, Application prior to 20.0.2368 (VA and SaaS deployments) contain an undocumented local user account named ubuntu with a preset password and a sudoers entry granting that account passwordless root privileges (ubuntu ALL=(ALL) NOPASSWD: ALL). Anyone who knows the hardcoded password can obtain root privileges via local console or equivalent administrative access, enabling local privilege escalation. This vulnerability has been identified by the vendor as: V-2024-010 — Hardcoded Linux Password. NOTE: The patch for this vulnerability is reported to be incomplete: /etc/shadow was remediated but /etc/sudoers remains vulnerable.
CVE-2025-57579 1 Totolink 2 X2000r, X2000r Firmware 2025-10-02 N/A 8.0 HIGH
An issue in TOTOLINK Wi-Fi 6 Router Series Device X2000R-Gh-V2.0.0 allows a remote attacker to execute arbitrary code via the default password.
CVE-2025-0642 2025-10-02 N/A 6.3 MEDIUM
Use of Hard-coded Credentials, Authorization Bypass Through User-Controlled Key vulnerability in PosCube Hardware Software and Consulting Ltd. Co. Assist allows Excavation, Authentication Bypass. This issue affects Assist: through 10.02.2025.
CVE-2025-7079 1 Mao888 1 Bluebell-plus 2025-10-01 2.6 LOW 3.7 LOW
A vulnerability, which was classified as problematic, has been found in mao888 bluebell-plus up to 2.3.0. This issue affects some unknown processing of the file bluebell_backend/pkg/jwt/jwt.go of the component JWT Token Handler. The manipulation of the argument mySecret with the input bluebell-plus leads to use of hard-coded password. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
CVE-2025-2394 2025-09-30 N/A N/A
Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.
CVE-2024-41610 1 Dlink 2 Dir-820lw, Dir-820lw Firmware 2025-09-29 N/A 9.8 CRITICAL
D-Link DIR-820LW REVB FIRMWARE PATCH 2.03.B01_TC contains hardcoded credentials in the Telnet service, enabling attackers to log in remotely to the Telnet service and perform arbitrary commands.
CVE-2025-11126 2025-09-29 10.0 HIGH 9.8 CRITICAL
A security flaw has been discovered in Apeman ID71 218.53.203.117. This vulnerability affects unknown code of the file /system/www/system.ini. The manipulation results in hard-coded credentials. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-41611 1 Dlink 2 Dir-860l, Dir-860l Firmware 2025-09-29 N/A 9.8 CRITICAL
In D-Link DIR-860L REVA FIRMWARE PATCH 1.10..B04, the Telnet service contains hardcoded credentials, enabling attackers to log in remotely to the Telnet service and perform arbitrary commands.
CVE-2025-52159 1 Yandaozi 1 Ppress 2025-09-25 N/A 8.8 HIGH
Hardcoded credentials in default configuration of PPress 0.0.9.
CVE-2025-57602 2025-09-23 N/A 9.8 CRITICAL
Insufficient hardening of the proxyuser account in the AiKaan IoT management platform, combined with the use of a shared, hardcoded SSH private key, allows remote attackers to authenticate to the cloud controller, gain interactive shell access, and pivot into other connected IoT devices. This can lead to remote code execution, information disclosure, and privilege escalation across customer environments.
CVE-2025-57601 2025-09-23 N/A 9.8 CRITICAL
AiKaan Cloud Controller uses a single hardcoded SSH private key and the username `proxyuser` for remote terminal access to all managed IoT/edge devices. When an administrator initiates "Open Remote Terminal" from the AiKaan dashboard, the controller sends this same static private key to the target device. The device then uses it to establish a reverse SSH tunnel to a remote access server, enabling browser-based SSH access for the administrator. Because the same `proxyuser` account and SSH key are reused across all customer environments:
- An attacker who obtains the key (e.g., by intercepting it in transit, extracting it from the remote access server, or from a compromised admin account) can impersonate any managed device.
- They can establish unauthorized reverse SSH tunnels and interact with devices without the owner's consent.
This is a design flaw in the authentication model: compromise of a single key compromises the trust boundary between the controller and devices.
CVE-2025-51536 1 Craws 1 Openatlas 2025-09-23 N/A 9.8 CRITICAL
Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 was discovered to contain a hardcoded Administrator password.
CVE-2024-11147 1 Ecovacs 28 Airbot Andy, Airbot Andy Firmware, Airbot Ava and 25 more 2025-09-23 N/A 7.6 HIGH
ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root.
CVE-2025-30200 1 Ecovacs 26 Deebot T10, Deebot T10 Firmware, Deebot T10 Omni and 23 more 2025-09-23 N/A 6.3 MEDIUM
ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived.
CVE-2025-30198 1 Ecovacs 26 Deebot T10, Deebot T10 Firmware, Deebot T10 Omni and 23 more 2025-09-23 N/A 6.3 MEDIUM
ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived.
CVE-2024-41794 1 Siemens 2 7kt Pac1260 Data Manager, 7kt Pac1260 Data Manager Firmware 2025-09-23 N/A 10.0 CRITICAL
A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). Affected devices contain hardcoded credentials for remote access to the device operating system with root privileges. This could allow unauthenticated remote attackers to gain full access to a device, if they are in possession of these credentials and if the ssh service is enabled (e.g., by exploitation of CVE-2024-41793).
CVE-2025-58269 2025-09-22 N/A 5.3 MEDIUM
Use of Hard-coded Credentials vulnerability in weDevs WP Project Manager allows Retrieve Embedded Sensitive Data. This issue affects WP Project Manager: from n/a through 2.6.25.
CVE-2025-58656 2025-09-22 N/A 5.3 MEDIUM
Use of Hard-coded Credentials vulnerability in Risto Niinemets Estonian Shipping Methods for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects Estonian Shipping Methods for WooCommerce: from n/a through 1.7.2.
CVE-2025-58659 2025-09-22 N/A 5.3 MEDIUM
Use of Hard-coded Credentials vulnerability in Essekia Helpie FAQ allows Retrieve Embedded Sensitive Data. This issue affects Helpie FAQ: from n/a through 1.39.
CVE-2024-9643 1 Four-faith 2 F3x36, F3x36 Firmware 2025-09-19 N/A 9.8 CRITICAL
The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to authentication bypass due to hard-coded credentials in the administrative web server. An attacker with knowledge of the credentials can gain administrative access via crafted HTTP requests. This issue appears similar to CVE-2023-32645.