Total
1704 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-33186 | 2026-06-17 | N/A | 8.8 HIGH | ||
| NVIDIA AIStore contains a vulnerability in AuthN. A successful exploit of this vulnerability might lead to escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2025-33100 | 1 Ibm | 1 Concert | 2026-06-17 | N/A | 6.2 MEDIUM |
| IBM Concert Software 1.0.0 through 1.1.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | |||||
| CVE-2025-33089 | 1 Ibm | 1 Concert | 2026-06-17 | N/A | 6.5 MEDIUM |
| IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard coded user credentials. | |||||
| CVE-2025-32985 | 1 Netscout | 1 Ngeniusone | 2026-06-17 | N/A | 9.8 CRITICAL |
| NETSCOUT nGeniusONE before 6.4.0 b2350 has Hardcoded Credentials that can be obtained from JAR files. | |||||
| CVE-2025-32889 | 1 Gotenna | 3 Gotenna, Mesh, Mesh Firmware | 2026-06-17 | N/A | 7.3 HIGH |
| An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The verification token used for sending SMS through a goTenna server is hardcoded in the app. | |||||
| CVE-2025-32888 | 1 Gotenna | 3 Gotenna, Mesh, Mesh Firmware | 2026-06-17 | N/A | 7.3 HIGH |
| An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. The verification token used for sending SMS through a goTenna server is hardcoded in the app. | |||||
| CVE-2025-31953 | 1 Hcltech | 1 Dryice Iautomate | 2026-06-17 | N/A | 7.1 HIGH |
| HCL iAutomate includes hardcoded credentials which may result in potential exposure of confidential data if intercepted or accessed by unauthorized parties. | |||||
| CVE-2025-30406 | 1 Gladinet | 1 Centrestack | 2026-06-17 | N/A | 9.0 CRITICAL |
| Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config. | |||||
| CVE-2025-30200 | 1 Ecovacs | 26 Deebot T10, Deebot T10 Firmware, Deebot T10 Omni and 23 more | 2026-06-17 | N/A | 6.3 MEDIUM |
| ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived. | |||||
| CVE-2025-30198 | 1 Ecovacs | 26 Deebot T10, Deebot T10 Firmware, Deebot T10 Omni and 23 more | 2026-06-17 | N/A | 6.3 MEDIUM |
| ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived. | |||||
| CVE-2025-30137 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| An issue was discovered in the G-Net GNET APK 2.6.2. Hardcoded credentials exist in in APK for ports 9091 and 9092. The GNET mobile application contains hardcoded credentials that provide unauthorized access to the dashcam's API endpoints on ports 9091 and 9092. Once the GNET SSID is connected to, the attacker sends a crafted authentication command with TibetList and 000000 to list settings of the dashcam at port 9091. There's a separate set of credentials for port 9092 (stream) that is also exposed in cleartext: admin + tibet. For settings, the required credentials are adim + 000000. | |||||
| CVE-2025-30125 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. All dashcams were shipped with the same default credentials of 12345678, which creates an insecure-by-default condition. For users who change their passwords, it's limited to 8 characters. These short passwords can be cracked in 8 hours via low-end commercial cloud resources. | |||||
| CVE-2025-30123 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| An issue was discovered on ROADCAM X3 devices. The mobile app APK (Viidure) contains hardcoded FTP credentials for the FTPX user account, enabling attackers to gain unauthorized access and extract sensitive recorded footage from the device. | |||||
| CVE-2025-30122 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| An issue was discovered on ROADCAM X3 devices. It has a uniform default credential set that cannot be modified by users, making it easy for attackers to gain unauthorized access to multiple devices. | |||||
| CVE-2025-30118 | 2026-06-17 | N/A | 7.5 HIGH | ||
| An issue was discovered on the Audi Universal Traffic Recorder 2.88. It has Susceptibility to denial of service. It uses the same default credentials for all devices and does not implement proper multi-device authentication, allowing attackers to deny the owner access by occupying the only available connection. The SSID remains broadcast at all times, increasing exposure to potential attacks. | |||||
| CVE-2025-30113 | 1 Hella | 2 Dr 820, Dr 820 Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Hardcoded Credentials exist in the APK for Ports 9091 and 9092. The dashcam's Android application contains hardcoded credentials that allow unauthorized access to device settings through ports 9091 and 9092. These credentials, stored in cleartext, can be exploited by an attacker who gains access to the dashcam's network. | |||||
| CVE-2025-30109 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| In the IROAD APK 5.2.5, there are Hardcoded Credentials in the APK for ports 9091 and 9092. The mobile application for the dashcam contains hardcoded credentials that allow an attacker on the local Wi-Fi network to access API endpoints and retrieve sensitive device information, including live and recorded footage. | |||||
| CVE-2025-2765 | 1 Carlinkit | 2 Autokit, Cpc200-ccpa | 2026-06-17 | N/A | 8.8 HIGH |
| CarlinKit CPC200-CCPA Wireless Hotspot Hard-Coded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of CarlinKit CPC200-CCPA devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the wireless hotspot. The issue results from the use of hard-coded credentials. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-24349. | |||||
| CVE-2025-2556 | 2026-06-17 | 3.3 LOW | 4.3 MEDIUM | ||
| A vulnerability classified as problematic was found in Audi UTR Dashcam 2.0. Affected by this vulnerability is an unknown functionality of the component Video Stream Handler. The manipulation leads to hard-coded credentials. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. Upgrading to version 2.89 and 2.90 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early about these issues and acted very professional. Version 2.89 is fixing this issue for new customers and 2.90 is going to fix it for existing customers. | |||||
| CVE-2025-2538 | 1 Esri | 1 Portal For Arcgis | 2026-06-17 | N/A | 9.8 CRITICAL |
| A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system. | |||||
