Total
1596 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3621 | 2025-07-15 | N/A | 9.6 CRITICAL | ||
| Vulnerabilities* in ActADUR local server product, developed and maintained by ProTNS, allows Remote Code Inclusion on host systems. * vulnerabilities: * Improper Neutralization of Special Elements used in a Command ('Command Injection') * Use of Hard-coded Credentials * Improper Authentication * Binding to an Unrestricted IP Address The vulnerability has been rated as critical.This issue affects ActADUR: from v2.0.1.9 before v2.0.2.0., hence updating to version v2.0.2.0. or above is required. | |||||
| CVE-2024-29855 | 1 Veeam | 1 Recovery Orchestrator | 2025-07-14 | N/A | 9.0 CRITICAL |
| Hard-coded JWT secret allows authentication bypass in Veeam Recovery Orchestrator | |||||
| CVE-2025-49551 | 1 Adobe | 1 Coldfusion | 2025-07-11 | N/A | 8.8 HIGH |
| ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Use of Hard-coded Credentials vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to gain unauthorized access to sensitive systems or data. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses. | |||||
| CVE-2025-2765 | 1 Carlinkit | 2 Autokit, Cpc200-ccpa | 2025-07-11 | N/A | 8.8 HIGH |
| CarlinKit CPC200-CCPA Wireless Hotspot Hard-Coded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of CarlinKit CPC200-CCPA devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the wireless hotspot. The issue results from the use of hard-coded credentials. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-24349. | |||||
| CVE-2024-5722 | 1 Logsign | 1 Unified Secops Platform | 2025-07-10 | N/A | 8.8 HIGH |
| Logsign Unified SecOps Platform HTTP API Hard-coded Cryptographic Key Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HTTP API. The issue results from using a hard-coded cryptographic key. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24170. | |||||
| CVE-2025-37103 | 2025-07-10 | N/A | 9.8 CRITICAL | ||
| Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication. Successful exploitation could allow a remote attacker to gain administrative access to the system. | |||||
| CVE-2025-28230 | 1 Jmbroadcast | 2 Jmb0150, Jmb0150 Firmware | 2025-07-09 | N/A | 9.1 CRITICAL |
| Incorrect access control in JMBroadcast JMB0150 Firmware v1.0 allows attackers to access hardcoded administrator credentials. | |||||
| CVE-2023-51588 | 1 Voltronicpower | 1 Viewpower | 2025-07-09 | N/A | 7.8 HIGH |
| Voltronic Power ViewPower Pro MySQL Use of Hard-coded Credentials Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Voltronic Power ViewPower Pro. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of a MySQL instance. The issue results from hardcoded database credentials. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22075. | |||||
| CVE-2025-52492 | 2025-07-08 | N/A | 7.5 HIGH | ||
| A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. The firmware file, rootfs.tar.gz, contains hard-coded credentials for the Twilio API. A remote attacker who obtains a copy of the firmware can extract these credentials. This could allow the attacker to gain unauthorized access to the associated Twilio account, leading to information disclosure, potential service disruption, and unauthorized use of the Twilio services. | |||||
| CVE-2024-48192 | 1 Tenda | 2 G3, G3 Firmware | 2025-07-07 | N/A | 8.0 HIGH |
| Tenda G3 v15.01.0.5(2848_755)_EN was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root | |||||
| CVE-2024-28778 | 2 Ibm, Microsoft | 3 Cognos Controller, Controller, Windows | 2025-07-03 | N/A | 6.5 MEDIUM |
| IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 is vulnerable to exposure of Artifactory API keys. This vulnerability allows users to publish code to private packages or repositories under the name of the organization. | |||||
| CVE-2025-20309 | 1 Cisco | 1 Unified Communications Manager | 2025-07-03 | N/A | 10.0 CRITICAL |
| A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user. | |||||
| CVE-2012-6428 | 1 Carlosgavazzi | 2 Eos-box Photovoltaic Monitoring System, Eos-box Photovoltaic Monitoring System Firmware | 2025-07-01 | 10.0 HIGH | N/A |
| The Carlo Gavazzi EOS-Box stores hard-coded passwords in the PHP file of the device. By using the hard-coded passwords, attackers can log into the device with administrative privileges. This could allow the attacker to have unauthorized access. | |||||
| CVE-2025-4378 | 2025-06-26 | N/A | 10.0 CRITICAL | ||
| Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile Application allows Authentication Abuse, Authentication Bypass.This issue affects ATA-AOF Mobile Application: before 20.06.2025. | |||||
| CVE-2025-20188 | 1 Cisco | 1 Ios Xe | 2025-06-23 | N/A | 10.0 CRITICAL |
| A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges. | |||||
| CVE-2025-48748 | 1 Netwrix | 1 Directory Manager | 2025-06-23 | N/A | 10.0 CRITICAL |
| Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password. | |||||
| CVE-2024-22853 | 1 Dlink | 2 Go-rt-ac750, Go-rt-ac750 Firmware | 2025-06-20 | N/A | 9.8 CRITICAL |
| D-LINK Go-RT-AC750 GORTAC750_A1_FW_v101b03 has a hardcoded password for the Alphanetworks account, which allows remote attackers to obtain root access via a telnet session. | |||||
| CVE-2024-24324 | 1 Totolink | 2 A8000ru, A8000ru Firmware | 2025-06-20 | N/A | 9.8 CRITICAL |
| TOTOLINK A8000RU v7.1cu.643_B20200521 was discovered to contain a hardcoded password for root stored in /etc/shadow. | |||||
| CVE-2023-49256 | 1 Hongdian | 2 H8951-4g-esp, H8951-4g-esp Firmware | 2025-06-20 | N/A | 7.5 HIGH |
| It is possible to download the configuration backup without authorization and decrypt included passwords using hardcoded static key. | |||||
| CVE-2023-49253 | 1 Hongdian | 2 H8951-4g-esp, H8951-4g-esp Firmware | 2025-06-20 | N/A | 9.8 CRITICAL |
| Root user password is hardcoded into the device and cannot be changed in the user interface. | |||||