Vulnerabilities (CVE)

Filtered by CWE-798
Total 1192 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-47213 1 C-first 56 Cfr-1004ea, Cfr-1004ea Firmware, Cfr-1008ea and 53 more 2024-10-21 N/A 9.8 CRITICAL
First Corporation's DVRs use a hard-coded password, which may allow a remote unauthenticated attacker to rewrite or obtain the configuration information of the affected device. Note that updates are provided only for Late model of CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, and MD-808AB. As for the other products, apply the workaround.
CVE-2024-4740 1 Moxa 1 Mxsecurity 2024-10-18 N/A 7.5 HIGH
MXsecurity software versions v1.1.0 and prior are vulnerable because of the use of hard-coded credentials. This vulnerability could allow an attacker to tamper with sensitive data.
CVE-2024-48192 2024-10-18 N/A 8.0 HIGH
Tenda G3 v15.01.0.5(2848_755)_EN was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root
CVE-2024-10025 2024-10-18 N/A 9.1 CRITICAL
A vulnerability in the .sdd file allows an attacker to read default passwords stored in plain text within the code. By exploiting these plaintext credentials, an attacker can log into affected SICK products as an “Authorized Client” if the customer has not changed the default password.
CVE-2024-45275 2 Helmholz, Mbconnectline 4 Rex 100, Rex 100 Firmware, Mbnet.mini and 1 more 2024-10-17 N/A 9.8 CRITICAL
The devices contain two hard coded user accounts with hardcoded passwords that allow an unauthenticated remote attacker for full control of the affected devices.
CVE-2024-28987 1 Solarwinds 1 Web Help Desk 2024-10-16 N/A 9.1 CRITICAL
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.
CVE-2024-45698 1 Dlink 2 Dir-x4860, Dir-x4860 Firmware 2024-10-15 N/A 9.8 CRITICAL
Certain models of D-Link wireless routers do not properly validate user input in the telnet service, allowing unauthenticated remote attackers to use hard-coded credentials to log into telnet and inject arbitrary OS commands, which can then be executed on the device.
CVE-2023-48392 1 Kaifa 1 Webitr Attendance System 2024-10-14 N/A 9.8 CRITICAL
Kaifa Technology WebITR is an online attendance system, it has a vulnerability in using hard-coded encryption key. An unauthenticated remote attacker can generate valid token parameter and exploit this vulnerability to access system with arbitrary user account, including administrator’s account, to execute login account’s permissions, and obtain relevant information.
CVE-2023-49256 1 Hongdian 2 H8951-4g-esp, H8951-4g-esp Firmware 2024-10-10 N/A 7.5 HIGH
It is possible to download the configuration backup without authorization and decrypt included passwords using hardcoded static key.
CVE-2024-7206 2024-10-10 N/A N/A
SSL Pinning Bypass in eWeLink Some hardware products allows local ATTACKER to Decrypt TLS communication and Extract secrets to clone the device via Flash the modified firmware
CVE-2023-40300 1 Netscout 1 Ngeniuspulse 2024-10-09 N/A 9.8 CRITICAL
NETSCOUT nGeniusPULSE 3.8 has a Hardcoded Cryptographic Key.
CVE-2024-8450 1 Planet 4 Gs-4210-24p2s, Gs-4210-24p2s Firmware, Gs-4210-24pl4c and 1 more 2024-10-04 N/A 9.8 CRITICAL
Certain switch models from PLANET Technology have a Hard-coded community string in the SNMPv1 service, allowing unauthorized remote attackers to use this community string to access the SNMPv1 service with read-write privileges.
CVE-2024-8449 1 Planet 4 Gs-4210-24p2s, Gs-4210-24p2s Firmware, Gs-4210-24pl4c and 1 more 2024-10-04 N/A 6.8 MEDIUM
Certain switch models from PLANET Technology have a Hard-coded Credential in the password recovering functionality, allowing an unauthenticated attacker to connect to the device via the serial console and use this credential to reset any user's password.
CVE-2024-8448 1 Planet 4 Gs-4210-24p2s, Gs-4210-24p2s Firmware, Gs-4210-24pl4c and 1 more 2024-10-04 N/A 8.8 HIGH
Certain switch models from PLANET Technology have a hard-coded credential in the specific command-line interface, allowing remote attackers with regular privilege to log in with this credential and obtain a Linux root shell.
CVE-2024-28812 2024-10-04 N/A 8.8 HIGH
An issue was discovered in Infinera hiT 7300 5.60.50. A hidden SSH service (on the local management network interface) with hardcoded credentials allows attackers to access the appliance operating system (with highest privileges) via an SSH connection.
CVE-2024-28809 2024-10-04 N/A 8.8 HIGH
An issue was discovered in Infinera hiT 7300 5.60.50. Cleartext storage of sensitive password in firmware update packages allows attackers to access various appliance services via hardcoded credentials.
CVE-2024-23958 1 Autel 2 Maxicharger Ac Elite Business C50, Maxicharger Ac Elite Business C50 Firmware 2024-10-03 N/A 8.8 HIGH
Autel MaxiCharger AC Elite Business C50 BLE Hardcoded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Autel MaxiCharger AC Elite Business C50 charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the BLE AppAuthenRequest command handler. The handler uses hardcoded credentials as a fallback in case of an authentication request failure. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-23196
CVE-2024-38281 1 Motorola 2 Vigilant Fixed Lpr Coms Box, Vigilant Fixed Lpr Coms Box Firmware 2024-10-03 N/A 9.8 CRITICAL
An attacker can access the maintenance console using hard coded credentials for a hidden wireless network on the device.
CVE-2024-43423 1 Doverfuelingsolutions 4 Progauge Maglink Lx4 Console, Progauge Maglink Lx4 Console Firmware, Progauge Maglink Lx Console and 1 more 2024-10-01 N/A 9.8 CRITICAL
The web application for ProGauge MAGLINK LX4 CONSOLE contains an administrative-level user account with a password that cannot be changed.
CVE-2023-46919 1 Fedirtsapana 2 Simple Http Server, Simple Http Server Plus 2024-10-01 N/A 6.3 MEDIUM
Phlox com.phlox.simpleserver (aka Simple HTTP Server) 1.8 and com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus have a hardcoded aKySWb2jjrr4dzkYXczKRt7K (AES) encryption key. An attacker with physical access to the application's source code or binary can extract this key & use it decrypt the TLS secret.