Total
1704 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-46274 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to read, manipulate and create entries in the managed database. | |||||
| CVE-2025-46273 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to gain administrative privileges to all UNI-NMS managed devices. | |||||
| CVE-2025-45813 | 1 Enensys | 2 Ipguardv2, Ipguardv2 Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| ENENSYS IPGuard v2 2.10.0 was discovered to contain hardcoded credentials. | |||||
| CVE-2025-45784 | 1 Dlink | 4 Dph-400s, Dph-400s Firmware, Dph-400se and 1 more | 2026-06-17 | N/A | 9.8 CRITICAL |
| D-Link DPH-400S/SE VoIP Phone v1.01 contains hardcoded provisioning variables, including PROVIS_USER_PASSWORD, which may expose sensitive user credentials. An attacker with access to the firmware image can extract these credentials using static analysis tools such as strings or xxd, potentially leading to unauthorized access to device functions or user accounts. This vulnerability exists due to insecure storage of sensitive information in the firmware binary. | |||||
| CVE-2025-45746 | 1 Zkteco | 1 Zkbio Cvsecurity | 2026-06-17 | N/A | 6.5 MEDIUM |
| In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft a JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and because access to the service console does not result in login access or data access in the context of the application software platform. | |||||
| CVE-2025-45466 | 1 Unitree | 2 Go1, Go1 Firmware | 2026-06-17 | N/A | 8.8 HIGH |
| Unitree Go1 <= Go1_2022_05_11 is vulnerable to Incorrect Access Control due to authentication credentials being hardcoded in plaintext. | |||||
| CVE-2025-44643 | | | 2026-06-17 | N/A | 8.6 HIGH |
| Certain Draytek products are affected by Insecure Configuration. This affects AP903 v1.4.18 and AP912C v1.4.9 and AP918R v1.4.9. The setting of the password property in the ripd.conf configuration file sets a hardcoded weak password, posing a security risk. An attacker with network access could exploit this to gain unauthorized control over the routing daemon, potentially altering network routes or intercepting traffic. | |||||
| CVE-2025-43982 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices enable the SSH service by default. There is a hidden hard-coded root account that cannot be disabled in the GUI. | |||||
| CVE-2025-42890 | | | 2026-06-17 | N/A | 10.0 CRITICAL |
| SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution. This could cause high impact on confidentiality, integrity and availability of the system. | |||||
| CVE-2025-41722 | | | 2026-06-17 | N/A | 7.5 HIGH |
| The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices. | |||||
| CVE-2025-41710 | | | 2026-06-17 | N/A | 6.5 MEDIUM |
| An unauthenticated remote attacker may use hardcoded credentials to get access to the previously activated FTP Server with limited read and write privileges. | |||||
| CVE-2025-41696 | 1 Phoenixcontact | 137 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 134 more | 2026-06-17 | N/A | 4.6 MEDIUM |
| An attacker can use an undocumented UART port on the PCB as a side-channel with the user hardcoded credentials obtained from CVE-2025-41692 to gain read access to parts of the filesystem of the device. | |||||
| CVE-2025-41380 | | | 2026-06-17 | N/A | N/A |
| Iridium Certus 700 version 1.0.1 has an embedded credentials vulnerability in the code. This vulnerability allows a local user to retrieve the SSH hash string. | |||||
| CVE-2025-41109 | 1 Ghostrobotics | 2 Vision 60, Vision 60 Firmware | 2026-06-17 | N/A | 4.6 MEDIUM |
| Ghost Robotics Vision 60 v0.27.2 includes, among its physical interfaces, three RJ45 connectors and a USB Type-C port. The vulnerability is due to the lack of authentication mechanisms when establishing connections through these ports. Specifically, with regard to network connectivity, the robot's internal router automatically assigns IP addresses to any device physically connected to it. An attacker could connect a WiFi access point under their control to gain access to the robot's network without needing the credentials for the deployed network. Once inside, the attacker can monitor all its data, as the robot runs on ROS 2 without authentication by default. | |||||
| CVE-2025-40938 | 1 Siemens | 2 Simatic Cn 4100, Simatic Cn 4100 Firmware | 2026-06-17 | N/A | 8.1 HIGH |
| A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device stores sensitive information in the firmware. This could allow an attacker to access and misuse this information, potentially impacting the device’s confidentiality, integrity, and availability. | |||||
| CVE-2025-40537 | 1 Solarwinds | 1 Web Help Desk | 2026-06-17 | N/A | 7.5 HIGH |
| SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. | |||||
| CVE-2025-3831 | 1 Checkpoint | 1 Harmony Sase | 2026-06-17 | N/A | 8.1 HIGH |
| Log files uploaded during troubleshooting by the Harmony SASE agent may have been accessible to unauthorized parties. | |||||
| CVE-2025-3621 | | | 2026-06-17 | N/A | 9.6 CRITICAL |
| Vulnerabilities* in the ActADUR local server product, developed and maintained by ProTNS, allow Remote Code Inclusion on host systems. *Vulnerabilities: Improper Neutralization of Special Elements used in a Command ('Command Injection'); Use of Hard-coded Credentials; Improper Authentication; Binding to an Unrestricted IP Address. The vulnerability has been rated as critical. This issue affects ActADUR: from v2.0.1.9 before v2.0.2.0, hence updating to version v2.0.2.0 or above is required. | |||||
| CVE-2025-3426 | | | 2026-06-17 | N/A | N/A |
| We observed that IntelliSpace Portal binaries don’t have any protection mechanisms to prevent reverse engineering. Specifically, the app’s code is not obfuscated, and no measures are in place to protect against decompilation, disassembly, or debugging. As a result, attackers can reverse-engineer the application to gain insights into its internal workings, which can potentially lead to the discovery of sensitive information, business logic flaws, and other vulnerabilities. Utilizing this flaw, the attacker was able to identify the hardcoded credentials from PortalUsersDatabase.dll, which contains .NET remoting definition. Inside the namespace PortalUsersDatabase, the class Users contains the functions CreateAdmin and CreateService that are used to initialize accounts in the Portal service. Both CreateAdmin and CreateService functions contain a hardcoded encrypted password along with its respective salt that are set with the function SetInitialPasswordAndSalt. This issue affects IntelliSpace Portal: 12 and prior; Advanced Visualization Workspace: 15. | |||||
| CVE-2025-3321 | | | 2026-06-17 | N/A | N/A |
| A predefined administrative account is not documented and cannot be deactivated. This account cannot be misused from the network, only by local users on the server. | |||||
