Total
1522 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-64778 | 2025-12-04 | N/A | 7.3 HIGH | ||
| NMIS/BioDose software V22.02 and previous versions contain executable binaries with plain text hard-coded passwords. These hard-coded passwords could allow unauthorized access to both the application and database. | |||||
| CVE-2024-45656 | 1 Ibm | 56 Ess 5000 \(5105-22e\), Ess 5000 \(5105-22e\) Firmware, Power System E1080 \(9080-hex\) and 53 more | 2025-12-03 | N/A | 9.8 CRITICAL |
| IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static credentials which may allow network users to gain service privileges to the FSP. | |||||
| CVE-2024-23687 | 1 Openlibraryfoundation | 1 Mod-data-export-spring | 2025-11-29 | N/A | 9.1 CRITICAL |
| Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines. | |||||
| CVE-2024-23685 | 1 Openlibraryfoundation | 1 Mod-remote-storage | 2025-11-29 | N/A | 5.3 MEDIUM |
| Hard-coded credentials in mod-remote-storage versions under 1.7.2 and from 2.0.0 to 2.0.3 allows unauthorized users to gain read access to mod-inventory-storage records including instances, holdings, items, contributor-types, and identifier-types. | |||||
| CVE-2025-63433 | 1 Xtooltech | 1 Xtool Anyscan | 2025-11-28 | N/A | 4.6 MEDIUM |
| Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package. | |||||
| CVE-2018-25126 | 2025-11-25 | N/A | N/A | ||
| Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endpoints such as /editBlackAndWhiteList and inject shell metacharacters inside XML parameters, resulting in arbitrary command execution as root. The same vulnerable backend is also reachable in some models through a proprietary TCP service on port 4567 that accepts a magic GUID preface and base64-encoded XML, enabling the same command injection sink. Firmware releases from mid-February 2018 and later are reported to have addressed this issue. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-28 UTC. | |||||
| CVE-2025-34034 | 1 5vtechnologies | 1 Blue Angel Software Suite | 2025-11-20 | N/A | 8.8 HIGH |
| A hardcoded credential vulnerability exists in the Blue Angel Software Suite deployed on embedded Linux systems. The application contains multiple known default and hardcoded user accounts that are not disclosed in public documentation. These accounts allow unauthenticated or low-privilege attackers to gain administrative access to the device’s web interface. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-26 UTC. | |||||
| CVE-2025-59669 | 1 Fortinet | 1 Fortiweb | 2025-11-20 | N/A | 5.3 MEDIUM |
| A use of hard-coded credentials vulnerability in Fortinet FortiWeb 7.6.0, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an authenticated attacker with shell access to the device to connect to redis service and access its data | |||||
| CVE-2025-64766 | 2025-11-18 | N/A | 5.3 MEDIUM | ||
| NixOS's Onlyoffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In versions from 22.11 to before 25.05 and versions before Unstable 25.11, a hard-coded secret was used in the NixOS module for the OnlyOffice document server to protect its file cache. An attacker with knowledge of an existing revision ID could use this secret to obtain a document. In practice, an arbitrary revision ID should be hard to obtain. The primary impact is likely the access to known documents from users with expired access. This issue was resolved in NixOS unstable version 25.11 and version 25.05. | |||||
| CVE-2025-13252 | 2025-11-18 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was found in shsuishang ShopSuite ModulithShop up to 45a99398cec3b7ad7ff9383694f0b53339f2d35a. Affected by this issue is some unknown functionality of the component RSA/OAuth2/Database. The manipulation results in hard-coded credentials. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. | |||||
| CVE-2025-26398 | 1 Solarwinds | 1 Database Performance Analyzer | 2025-11-17 | N/A | 5.6 MEDIUM |
| SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key. If exploited, this vulnerability could lead to a machine-in-the-middle (MITM) attack against users. This vulnerability requires additional software not installed by default, local access to the server and administrator level privileges on the host. | |||||
| CVE-2025-42890 | 2025-11-12 | N/A | 10.0 CRITICAL | ||
| SQL Anywhere Monitor (Non-GUI) baked credentials into the code,exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution.This could cause high impact on confidentiality integrity and availability of the system. | |||||
| CVE-2025-33186 | 2025-11-12 | N/A | 8.8 HIGH | ||
| NVIDIA AIStore contains a vulnerability in AuthN. A successful exploit of this vulnerability might lead to escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2021-44207 | 1 Acclaimsystems | 1 Usaherds | 2025-11-10 | 6.8 MEDIUM | 8.1 HIGH |
| Acclaim USAHERDS through 7.4.0.1 uses hard-coded credentials. | |||||
| CVE-2020-8657 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2025-11-10 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token. | |||||
| CVE-2022-29830 | 1 Mitsubishielectric | 1 Gx Works3 | 2025-11-07 | N/A | 9.1 CRITICAL |
| Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z, and Motion Control Setting(GX Works3 related software) versions from 1.000A to 1.065T allows a remote unauthenticated attacker to disclose or tamper with sensitive information. As a result, unauthenticated attackers may obtain information about project files illegally. | |||||
| CVE-2022-29829 | 1 Mitsubishielectric | 1 Gx Works3 | 2025-11-07 | N/A | 6.8 MEDIUM |
| Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.090U, GT Designer3 Version1 (GOT2000) versions from 1.122C to 1.290C, Motion Control Setting(GX Works3 related software) versions from 1.035M to 1.042U, and MT Works2 versions from 1.100E to 1.200J allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users may view programs and project files or execute programs illegally. | |||||
| CVE-2022-29825 | 1 Mitsubishielectric | 1 Gx Works3 | 2025-11-07 | N/A | 5.6 MEDIUM |
| Use of Hard-coded Password vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.090U, GT Designer3 Version1 (GOT2000) versions from 1.122C to 1.290C, and MT Works2 versions from 1.100E to 1.200J allows an unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users may view programs and project files or execute programs illegally. | |||||
| CVE-2024-5764 | 1 Sonatype | 1 Nexus Repository Manager | 2025-11-06 | N/A | 6.5 MEDIUM |
| Use of Hard-coded Credentials vulnerability in Sonatype Nexus Repository has been discovered in the code responsible for encrypting any secrets stored in the Nexus Repository configuration database (SMTP or HTTP proxy credentials, user tokens, tokens, among others). The affected versions relied on a static hard-coded encryption passphrase. While it was possible for an administrator to define an alternate encryption passphrase, it could only be done at first boot and not updated. This issue affects Nexus Repository: from 3.0.0 through 3.72.0. | |||||
| CVE-2025-30406 | 1 Gladinet | 1 Centrestack | 2025-11-05 | N/A | 9.0 CRITICAL |
| Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config. | |||||