Vulnerabilities (CVE)

Filtered by CWE-798
Total 1704 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-33186 2026-06-17 N/A 8.8 HIGH
NVIDIA AIStore contains a vulnerability in AuthN. A successful exploit of this vulnerability might lead to escalation of privileges, information disclosure, and data tampering.
CVE-2025-33100 1 Ibm 1 Concert 2026-06-17 N/A 6.2 MEDIUM
IBM Concert Software 1.0.0 through 1.1.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
CVE-2025-33089 1 Ibm 1 Concert 2026-06-17 N/A 6.5 MEDIUM
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard coded user credentials.
CVE-2025-32985 1 Netscout 1 Ngeniusone 2026-06-17 N/A 9.8 CRITICAL
NETSCOUT nGeniusONE before 6.4.0 b2350 has Hardcoded Credentials that can be obtained from JAR files.
CVE-2025-32889 1 Gotenna 3 Gotenna, Mesh, Mesh Firmware 2026-06-17 N/A 7.3 HIGH
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The verification token used for sending SMS through a goTenna server is hardcoded in the app.
CVE-2025-32888 1 Gotenna 3 Gotenna, Mesh, Mesh Firmware 2026-06-17 N/A 7.3 HIGH
An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. The verification token used for sending SMS through a goTenna server is hardcoded in the app.
CVE-2025-31953 1 Hcltech 1 Dryice Iautomate 2026-06-17 N/A 7.1 HIGH
HCL iAutomate includes hardcoded credentials which may result in potential exposure of confidential data if intercepted or accessed by unauthorized parties.
CVE-2025-30406 1 Gladinet 1 Centrestack 2026-06-17 N/A 9.0 CRITICAL
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.
CVE-2025-30200 1 Ecovacs 26 Deebot T10, Deebot T10 Firmware, Deebot T10 Omni and 23 more 2026-06-17 N/A 6.3 MEDIUM
ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived.
CVE-2025-30198 1 Ecovacs 26 Deebot T10, Deebot T10 Firmware, Deebot T10 Omni and 23 more 2026-06-17 N/A 6.3 MEDIUM
ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived.
CVE-2025-30137 2026-06-17 N/A 9.8 CRITICAL
An issue was discovered in the G-Net GNET APK 2.6.2. Hardcoded credentials exist in the APK for ports 9091 and 9092. The GNET mobile application contains hardcoded credentials that provide unauthorized access to the dashcam's API endpoints on ports 9091 and 9092. Once the GNET SSID is connected to, the attacker sends a crafted authentication command with TibetList and 000000 to list settings of the dashcam at port 9091. There's a separate set of credentials for port 9092 (stream) that is also exposed in cleartext: admin + tibet. For settings, the required credentials are adim + 000000.
CVE-2025-30125 2026-06-17 N/A 9.8 CRITICAL
An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. All dashcams were shipped with the same default credentials of 12345678, which creates an insecure-by-default condition. For users who change their passwords, the new password is limited to 8 characters. These short passwords can be cracked in 8 hours via low-end commercial cloud resources.
CVE-2025-30123 2026-06-17 N/A 9.8 CRITICAL
An issue was discovered on ROADCAM X3 devices. The mobile app APK (Viidure) contains hardcoded FTP credentials for the FTPX user account, enabling attackers to gain unauthorized access and extract sensitive recorded footage from the device.
CVE-2025-30122 2026-06-17 N/A 9.8 CRITICAL
An issue was discovered on ROADCAM X3 devices. It has a uniform default credential set that cannot be modified by users, making it easy for attackers to gain unauthorized access to multiple devices.
CVE-2025-30118 2026-06-17 N/A 7.5 HIGH
An issue was discovered on the Audi Universal Traffic Recorder 2.88. It is susceptible to denial of service. It uses the same default credentials for all devices and does not implement proper multi-device authentication, allowing attackers to deny the owner access by occupying the only available connection. The SSID remains broadcast at all times, increasing exposure to potential attacks.
CVE-2025-30113 1 Hella 2 Dr 820, Dr 820 Firmware 2026-06-17 N/A 9.8 CRITICAL
An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Hardcoded Credentials exist in the APK for Ports 9091 and 9092. The dashcam's Android application contains hardcoded credentials that allow unauthorized access to device settings through ports 9091 and 9092. These credentials, stored in cleartext, can be exploited by an attacker who gains access to the dashcam's network.
CVE-2025-30109 2026-06-17 N/A 6.5 MEDIUM
In the IROAD APK 5.2.5, there are Hardcoded Credentials in the APK for ports 9091 and 9092. The mobile application for the dashcam contains hardcoded credentials that allow an attacker on the local Wi-Fi network to access API endpoints and retrieve sensitive device information, including live and recorded footage.
CVE-2025-2765 1 Carlinkit 2 Autokit, Cpc200-ccpa 2026-06-17 N/A 8.8 HIGH
CarlinKit CPC200-CCPA Wireless Hotspot Hard-Coded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of CarlinKit CPC200-CCPA devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the wireless hotspot. The issue results from the use of hard-coded credentials. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-24349.
CVE-2025-2556 2026-06-17 3.3 LOW 4.3 MEDIUM
A vulnerability classified as problematic was found in Audi UTR Dashcam 2.0. Affected by this vulnerability is an unknown functionality of the component Video Stream Handler. The manipulation leads to hard-coded credentials. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. Upgrading to version 2.89 and 2.90 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early about these issues and acted very professionally. Version 2.89 fixes this issue for new customers and 2.90 is going to fix it for existing customers.
CVE-2025-2538 1 Esri 1 Portal For Arcgis 2026-06-17 N/A 9.8 CRITICAL
A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system.