Total
1423 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-8974 | 2025-08-15 | 2.6 LOW | 3.7 LOW | ||
| A vulnerability was determined in linlinjava litemall up to 1.8.0. Affected by this issue is some unknown functionality of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java of the component JSON Web Token Handler. The manipulation of the argument SECRET with the input X-Litemall-Token leads to hard-coded credentials. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-5751 | 1 Wolfbox | 2 Level 2 Ev Charger, Level 2 Ev Charger Firmware | 2025-08-14 | N/A | 6.8 MEDIUM |
| WOLFBOX Level 2 EV Charger Management Card Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to bypass authentication on affected installations of WOLFBOX Level 2 EV Charger. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of management cards. The issue results from the lack of personalization of management cards. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26292. | |||||
| CVE-2025-43982 | 2025-08-14 | N/A | 9.8 CRITICAL | ||
| Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices enable the SSH service by default. There is a hidden hard-coded root account that cannot be disabled in the GUI. | |||||
| CVE-2025-3831 | 2025-08-13 | N/A | 8.1 HIGH | ||
| Log files uploaded during troubleshooting by the Harmony SASE agent may have been accessible to unauthorized parties. | |||||
| CVE-2025-55279 | 2025-08-13 | N/A | N/A | ||
| This vulnerability exists in ZKTeco WL20 due to hard-coded private key stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve private key stored in the firmware of the targeted device. Successful exploitation of this vulnerability could allow the attacker to perform unauthorized decryption of sensitive data and Man-in-the-Middle (MitM) attacks on the targeted device. | |||||
| CVE-2025-54465 | 2025-08-13 | N/A | N/A | ||
| This vulnerability exists in ZKTeco WL20 due to hard-coded MQTT credentials and endpoints stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve the hard-coded MQTT credentials and endpoints from the targeted device. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the MQTT broker and manipulate the communications of the targeted device. | |||||
| CVE-2025-4876 | 1 Connectwise | 1 Risk Assessment | 2025-08-13 | N/A | 6.0 MEDIUM |
| ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic operations without dynamic key management. Once obtained the key can be used to decrypt CSV input filesĀ used for authenticated network scanning. | |||||
| CVE-2023-39482 | 1 Softing | 3 Edgeaggregator, Edgeconnector, Secure Integration Server | 2025-08-12 | N/A | 6.5 MEDIUM |
| Softing Secure Integration Server Hardcoded Cryptographic Key Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within libopcuaclient.so. The issue results from hardcoding crytographic keys within the product. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-20610. | |||||
| CVE-2025-26398 | 2025-08-12 | N/A | 5.6 MEDIUM | ||
| SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key. If exploited, this vulnerability could lead to a machine-in-the-middle (MITM) attack against users. This vulnerability requires additional software not installed by default, local access to the server and administrator level privileges on the host. | |||||
| CVE-2025-8730 | 2025-08-08 | 10.0 HIGH | 9.8 CRITICAL | ||
| A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-7768 | 2025-08-07 | N/A | N/A | ||
| Tigo Energy's Cloud Connect Advanced (CCA) device contains hard-coded credentials that allow unauthorized users to gain administrative access. This vulnerability enables attackers to escalate privileges and take full control of the device, potentially modifying system settings, disrupting solar energy production, and interfering with safety mechanisms. | |||||
| CVE-2024-1039 | 1 Gesslergmbh | 2 Web-master, Web-master Firmware | 2025-08-07 | N/A | 9.8 CRITICAL |
| Gessler GmbH WEB-MASTER has a restoration account that uses weak hard coded credentials and if exploited could allow an attacker control over the web management of the device. | |||||
| CVE-2023-44411 | 1 Dlink | 1 D-view 8 | 2025-08-07 | N/A | 9.8 CRITICAL |
| D-Link D-View InstallApplication Use of Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the InstallApplication class. The class contains a hard-coded password for the remotely reachable database. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19553. | |||||
| CVE-2025-54872 | 2025-08-06 | N/A | N/A | ||
| onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user's device outside of a containerized environment. This is fixed by commit bc9ba0fd. | |||||
| CVE-2025-8231 | 1 Dlink | 2 Dir-890l, Dir-890l Firmware | 2025-08-06 | 7.2 HIGH | 6.8 MEDIUM |
| A vulnerability, which was classified as critical, has been found in D-Link DIR-890L up to 111b04. This issue affects some unknown processing of the file rgbin of the component UART Port. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-51536 | 2025-08-05 | N/A | 9.8 CRITICAL | ||
| Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 as discovered to contain a hardcoded Administrator password. | |||||
| CVE-2025-44643 | 2025-08-05 | N/A | 8.6 HIGH | ||
| Certain Draytek products are affected by Insecure Configuration. This affects AP903 v1.4.18 and AP912C v1.4.9 and AP918R v1.4.9. The setting of the password property in the ripd.conf configuration file sets a hardcoded weak password, posing a security risk. An attacker with network access could exploit this to gain unauthorized control over the routing daemon, potentially altering network routes or intercepting traffic. | |||||
| CVE-2025-37112 | 2025-08-04 | N/A | 6.0 MEDIUM | ||
| A vulnerability was discovered in the storage policy for certain sets of encryption keys in the HPE Telco Network Function Virtual Orchestrator. Successful Exploitation could lead to unauthorized parties gaining access to sensitive system information. | |||||
| CVE-2025-37111 | 2025-08-04 | N/A | 6.0 MEDIUM | ||
| A vulnerability was discovered in the storage policy for certain sets of authentication keys in the HPE Telco Network Function Virtual Orchestrator. Successful Exploitation could lead to unauthorized parties gaining access to sensitive system information. | |||||
| CVE-2025-52363 | 1 Tenda | 2 Cp3 Pro, Cp3 Pro Firmware | 2025-08-02 | N/A | 6.8 MEDIUM |
| Tenda CP3 Pro Firmware V22.5.4.93 contains a hardcoded root password hash in the /etc/passwd file and /etc/passwd-. An attacker with access to the firmware image can extract and attempt to crack the root password hash, potentially obtaining administrative access | |||||