Vulnerabilities (CVE)

Filtered by CWE-798
Total 1396 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-9229 1 Audiocodes 8 Median 500-msbr, Median 500-msbr Firmware, Median 500l-msbr and 5 more 2024-11-21 5.8 MEDIUM 8.8 HIGH
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can authenticate with the default 1234 password that cannot be changed, and can execute malicious and unauthorized actions.
CVE-2019-9160 1 Xinruidz 2 Sundray Wan Controller, Sundray Wan Controller Firmware 2024-11-21 10.0 HIGH 9.8 CRITICAL
WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a backdoor account allowing a remote attacker to login to the system via SSH (on TCP port 22345) and escalate to root (because the password for root is the WebUI admin password concatenated with a static string).
CVE-2019-8950 1 Dasannetworks 2 H665, H665 Firmware 2024-11-21 10.0 HIGH 9.8 CRITICAL
The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET.
CVE-2019-8352 1 Bmc 1 Patrol Agent 2024-11-21 7.5 HIGH 9.8 CRITICAL
By default, BMC PATROL Agent through 11.3.01 uses a static encryption key for encrypting/decrypting user credentials sent over the network to managed PATROL Agent services. If an attacker were able to capture this network traffic, they could decrypt these credentials and use them to execute code or escalate privileges on the network.
CVE-2019-7672 1 Primasystems 1 Flexair 2024-11-21 6.5 MEDIUM 8.8 HIGH
Prima Systems FlexAir, Versions 2.3.38 and prior. The flash version of the web interface contains a hard-coded username and password, which may allow an authenticated attacker to escalate privileges.
CVE-2019-7594 1 Johnsoncontrols 1 Metasys System 2024-11-21 6.4 MEDIUM 6.8 MEDIUM
Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP).
CVE-2019-7593 1 Johnsoncontrols 1 Metasys System 2024-11-21 6.4 MEDIUM 6.8 MEDIUM
Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).
CVE-2019-7279 1 Optergy 2 Enterprise, Proton 2024-11-21 7.5 HIGH 7.3 HIGH
Optergy Proton/Enterprise devices have Hard-coded Credentials.
CVE-2019-7265 1 Nortekcontrol 4 Linear Emerge Elite, Linear Emerge Elite Firmware, Linear Emerge Essential and 1 more 2024-11-21 10.0 HIGH 9.8 CRITICAL
Linear eMerge E3-Series devices allow Remote Code Execution (root access over SSH).
CVE-2019-7261 1 Nortekcontrol 4 Linear Emerge Elite, Linear Emerge Elite Firmware, Linear Emerge Essential and 1 more 2024-11-21 10.0 HIGH 9.8 CRITICAL
Linear eMerge E3-Series devices have Hard-coded Credentials.
CVE-2019-7225 1 Abb 32 Cp620, Cp620-web, Cp620-web Firmware and 29 more 2024-11-21 5.8 MEDIUM 8.8 HIGH
The ABB HMI components implement hidden administrative accounts that are used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool "Panel Builder 600" to flash a new interface and Tags (MODBUS coils) mapping to the HMI. These credentials are the idal123 password for the IdalMaster account, and the exor password for the exor account. These credentials are used over both HTTP(S) and FTP. There is no option to disable or change these undocumented credentials. An attacker can use these credentials to login to ABB HMI to read/write HMI configuration files and also to reset the device. This affects ABB CP635 HMI, CP600 HMIClient, Panel Builder 600, IDAL FTP server, IDAL HTTP server, and multiple other HMI components.
CVE-2019-7212 1 Smartertools 1 Smartermail 2024-11-21 6.4 MEDIUM 8.2 HIGH
SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. An unauthenticated attacker could access other users’ emails and file attachments. It was also possible to interact with mailing lists.
CVE-2019-6859 1 Schneider-electric 20 140 Cpu6x, 140 Cpu6x Firmware, 140 Noc 77101 and 17 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
A CWE-798: Use of Hardcoded Credentials vulnerability exists in Modicon Controllers (All versions of the following CPUs and Communication Module product references listed in the Security Notifications), which could cause the disclosure of FTP hardcoded credentials when using the Web server of the controller on an unsecure network.
CVE-2019-6812 1 Schneider-electric 2 Bmx-nor-0200h, Bmx-nor-0200h Firmware 2024-11-21 4.0 MEDIUM 7.2 HIGH
A CWE-798 use of hardcoded credentials vulnerability exists in BMX-NOR-0200H with firmware versions prior to V1.7 IR 19 which could cause a confidentiality issue when using FTP protocol.
CVE-2019-6725 1 Zyxel 2 P-660hn-t1, P-660hn-t1 Firmware 2024-11-21 10.0 HIGH 9.8 CRITICAL
The rpWLANRedirect.asp ASP page is accessible without authentication on ZyXEL P-660HN-T1 V2 (2.00(AAKK.3)) devices. After accessing the page, the admin user's password can be obtained by viewing the HTML source code, and the interface of the modem can be accessed as admin.
CVE-2019-6698 1 Fortinet 4 Fortirecorder 100d, Fortirecorder 200d, Fortirecorder 400d and 1 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
Use of Hard-coded Credentials vulnerability in FortiRecorder all versions below 2.7.4 may allow an unauthenticated attacker with knowledge of the aforementioned credentials and network access to FortiCameras to take control of those, provided they are managed by a FortiRecorder device.
CVE-2019-6572 1 Siemens 22 Simatic Hmi Comfort Outdoor Panels, Simatic Hmi Comfort Outdoor Panels Firmware, Simatic Hmi Comfort Panels and 19 more 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V15.1 Update 1), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V15.1 Update 1), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 und KTP900F (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Advanced (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Professional (All versions < V15.1 Update 1), SIMATIC WinCC (TIA Portal) (All versions < V15.1 Update 1), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (All versions). The affected device offered SNMP read and write capacities with a publicly know hardcoded community string. The security vulnerability could be exploited by an attacker with network access to the affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise confidentiality and integrity of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known.
CVE-2019-6548 1 Ge 1 Ge Communicator 2024-11-21 6.8 MEDIUM 9.8 CRITICAL
GE Communicator, all versions prior to 4.0.517, contains two backdoor accounts with hardcoded credentials, which may allow control over the database. This service is inaccessible to attackers if Windows default firewall settings are used by the end user.
CVE-2019-6499 1 Teradata 1 Viewpoint 2024-11-21 9.3 HIGH 8.1 HIGH
Teradata Viewpoint before 14.0 and 16.20.00.02-b80 contains a hardcoded password of TDv1i2e3w4 for the viewpoint database account (in viewpoint-portal\conf\server.xml) that could potentially be exploited by malicious users to compromise the affected system.
CVE-2019-5622 1 Accellion 1 File Transfer Appliance 2024-11-21 7.5 HIGH 9.8 CRITICAL
Accellion File Transfer Appliance version FTA_8_0_540 suffers from an instance of CWE-798: Use of Hard-coded Credentials.