Vulnerabilities (CVE)

Filtered by CWE-798
Total 1704 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-40464 1 Sierrawireless 8 Aleos, Es450, Gx450 and 5 more 2026-06-17 N/A 8.1 HIGH
Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man in the middle attack between the ACEManager client and ACEManager server.
CVE-2023-40463 1 Sierrawireless 8 Aleos, Es450, Gx450 and 5 more 2026-06-17 N/A 8.1 HIGH
When configured in debugging mode by an authenticated user with administrative privileges, ALEOS 4.16 and earlier store the SHA512 hash of the common root password for that version in a directory accessible to a user with root privileges or equivalent access.
CVE-2023-40300 1 Netscout 1 Ngeniuspulse 2026-06-17 N/A 9.8 CRITICAL
NETSCOUT nGeniusPULSE 3.8 has a Hardcoded Cryptographic Key.
CVE-2023-40236 1 Pexip 1 Virtual Meeting Rooms 2026-06-17 N/A 5.3 MEDIUM
In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass.
CVE-2023-40146 1 Peplink 2 Smart Reader, Smart Reader Firmware 2026-06-17 N/A 6.8 MEDIUM
A privilege escalation vulnerability exists in the /bin/login functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted command line argument can lead to a limited-shell escape and elevated capabilities. An attacker can authenticate with hard-coded credentials and execute unblocked default busybox functionality to trigger this vulnerability.
CVE-2023-3264 2 Cyberpower, Dataprobe 45 Powerpanel Server, Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware and 42 more 2026-06-17 N/A 6.7 MEDIUM
The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier uses hard-coded credentials for all interactions with the internal Postgres database. A malicious agent with the ability to execute operating system commands on the device can leverage this vulnerability to read, modify, or delete arbitrary database records.
CVE-2023-3262 1 Dataprobe 44 Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware, Iboot-pdu4-n20 and 41 more 2026-06-17 N/A 6.7 MEDIUM
The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier uses hard-coded credentials for all interactions with the internal Postgres database.A malicious agent with the ability to execute operating system commands on the device can leverage this vulnerability to read, modify, or delete arbitrary database records.
CVE-2023-3237 1 Otcms 1 Otcms 2026-06-17 5.8 MEDIUM 6.3 MEDIUM
A vulnerability classified as critical was found in OTCMS up to 6.62. This vulnerability affects unknown code. The manipulation of the argument username/password with the input admin leads to use of hard-coded password. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-231508.
CVE-2023-39982 1 Moxa 1 Mxsecurity 2026-06-17 N/A 7.5 HIGH
A vulnerability has been identified in MXsecurity versions prior to v1.0.1. The vulnerability may put the confidentiality and integrity of SSH communications at risk on the affected device. This vulnerability is attributed to a hard-coded SSH host key, which might facilitate man-in-the-middle attacks and enable the decryption of SSH traffic.
CVE-2023-39808 1 Nvki 1 Intelligent Broadband Subscriber Gateway 2026-06-17 N/A 9.8 CRITICAL
N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a hardcoded root password which allows attackers to login with root privileges via the SSH service.
CVE-2023-39482 1 Softing 3 Edgeaggregator, Edgeconnector, Secure Integration Server 2026-06-17 N/A 6.5 MEDIUM
Softing Secure Integration Server Hardcoded Cryptographic Key Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within libopcuaclient.so. The issue results from hardcoding crytographic keys within the product. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-20610.
CVE-2023-39458 1 Trianglemicroworks 1 Scada Data Gateway 2026-06-17 N/A 5.3 MEDIUM
Triangle MicroWorks SCADA Data Gateway Use of Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Triangle MicroWorks SCADA Data Gateway. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of certificates. The service uses a hard-coded default SSL certificate. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-20509.
CVE-2023-39422 1 Resortdata 1 Internet Reservation Module Next Generation 2026-06-17 N/A 6.5 MEDIUM
The /irmdata/api/ endpoints exposed by the IRM Next Generation booking engine authenticates requests using HMAC tokens. These tokens are however exposed in a JavaScript file loaded on the client side, thus rendering this extra safety mechanism useless.
CVE-2023-39421 1 Resortdata 1 Internet Reservation Module Next Generation 2026-06-17 N/A 7.7 HIGH
The RDPWin.dll component as used in the IRM Next Generation booking engine includes a set of hardcoded API keys for third-party services such as Twilio and Vonage. These keys allow unrestricted interaction with these services.
CVE-2023-39420 1 Resortdata 1 Internet Reservation Module Next Generation 2026-06-17 N/A 9.9 CRITICAL
The RDPCore.dll component as used in the IRM Next Generation booking engine, allows a remote user to connect to customers with an "admin" account and a corresponding password computed daily by a routine inside the DLL file. Once reverse-engineered, this routine can help an attacker generate the daily password and connect to application customers. Given that this is an administrative account, anyone logging into a customer deployment has full, unrestricted access to the application.
CVE-2023-39169 1 Enbw 2 Senec Storage Box, Senec Storage Box Firmware 2026-06-17 N/A 9.8 CRITICAL
The affected devices use publicly available default credentials with administrative privileges.
CVE-2023-38995 1 Schuhfried 1 Schuhfried 2026-06-17 N/A 9.8 CRITICAL
An issue in SCHUHFRIED v.8.22.00 allows remote attacker to obtain the database password via crafted curl command.
CVE-2023-38535 1 Opentext 1 Exceed Turbox 2026-06-17 N/A 4.7 MEDIUM
Use of Hard-coded Cryptographic Key vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.1 and 12.5.2. The vulnerability could compromise the cryptographic keys.  
CVE-2023-38433 1 Fujitsu 22 Ip-90, Ip-900d, Ip-900d Firmware and 19 more 2026-06-17 N/A 7.5 HIGH
Fujitsu Real-time Video Transmission Gear "IP series" use hard-coded credentials, which may allow a remote unauthenticated attacker to initialize or reboot the products, and as a result, terminate the video transmission. Affected products and versions are as follows: IP-HE950E firmware versions V01L001 to V01L053, IP-HE950D firmware versions V01L001 to V01L053, IP-HE900E firmware versions V01L001 to V01L010, IP-HE900D firmware versions V01L001 to V01L004, IP-900E / IP-920E firmware versions V01L001 to V02L061, IP-900D / IP-900?D / IP-920D firmware versions V01L001 to V02L061, IP-90 firmware versions V01L001 to V01L013, and IP-9610 firmware versions V01L001 to V02L007.
CVE-2023-38026 1 Myspotcam 2 Fhd 2, Fhd 2 Firmware 2026-06-17 N/A 9.8 CRITICAL
SpotCam Co., Ltd. SpotCam FHD 2 has a vulnerability of using hard-coded uBoot credentials. An remote attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt service.