Total
1442 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-42638 | 1 H3c | 2 Magic B1st, Magic B1st Firmware | 2025-03-17 | 9.8 Critical |
| H3C Magic B1ST v100R012 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. | ||||
| CVE-2025-1724 | 2025-03-17 | 7.4 High | ||
| Zohocorp's ManageEngine Analytics Plus and Zoho Analytics on-premise versions older than 6130 are vulnerable to an AD only account takeover because of a hardcoded sensitive token. | ||||
| CVE-2025-2342 | 2025-03-17 | 5.3 Medium | ||
| A vulnerability classified as critical has been found in IROAD X5 Mobile App up to 5.2.5 on Android. Affected is an unknown function of the component API Endpoint. The manipulation leads to hard-coded credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-2343 | 2025-03-17 | 7.5 High | ||
| A vulnerability classified as critical was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this vulnerability is an unknown functionality of the component Device Pairing. The manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-46637 | 1 Prolink2u | 2 Prs1841, Prs1841 Firmware | 2025-03-14 | 9.8 Critical |
| Prolink router PRS1841 was discovered to contain hardcoded credentials for its Telnet and FTP services. | ||||
| CVE-2024-0390 | 1 Inprax | 1 Izzi Connect | 2025-03-13 | 6.2 Medium |
| INPRAX "iZZi connect" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit "reQnet iZZi".This issue affects "iZZi connect" application versions before 2024010401. | ||||
| CVE-2024-33895 | 1 Hms-networks | 7 Ewon Cosy\+ 4g Apac, Ewon Cosy\+ 4g Eu, Ewon Cosy\+ 4g Jp and 4 more | 2025-03-13 | 6.6 Medium |
| Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 use a unique key to encrypt the configuration parameters. This is fixed in version 21.2s10 and 22.1s3, the key is now unique per device. | ||||
| CVE-2024-33329 | 1 Lumis | 1 Lumis Experience Platform | 2025-03-13 | 7.5 High |
| A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x allows attackers to bypass authentication and access internal pages and other sensitive information. | ||||
| CVE-2024-48007 | 1 Dell | 1 Recoverpoint For Virtual Machines | 2025-03-13 | 5.3 Medium |
| Dell RecoverPoint for Virtual Machines 6.0.x contains use of hard-coded credentials vulnerability. A Remote unauthenticated attacker could potentially exploit this vulnerability by gaining access to the source code, easily retrieving these secrets and reusing them to access the system leading to gaining access to unauthorized data. | ||||
| CVE-2024-3130 | 1 Coolkit | 1 Ewelink App | 2025-03-12 | 5.7 Medium |
| Hard-coded Credentials in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app | ||||
| CVE-2023-26462 | 1 Thingsboard | 1 Thingsboard | 2025-03-12 | 8.1 High |
| ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to the application server or its source code.) | ||||
| CVE-2025-27255 | 2025-03-12 | 8 High | ||
| Use of Hard-coded Credentials vulnerability in GE Vernova EnerVista UR Setup allows Privilege Escalation. The local user database is encrypted using an hardcoded password retrievable by an attacker analyzing the application code. | ||||
| CVE-2023-22463 | 1 Fit2cloud | 1 Kubepi | 2025-03-10 | 9.8 Critical |
| KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. `session.go`, the use of hard-coded JwtSigKey, allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code. The vulnerability has been fixed in 1.6.3. In the patch, JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading. | ||||
| CVE-2023-22495 | 1 Maif | 1 Izanami | 2025-03-10 | 9.8 Critical |
| Izanami is a shared configuration service well-suited for micro-service architecture implementation. Attackers can bypass the authentication in this application when deployed using the official Docker image. Because a hard coded secret is used to sign the authentication token (JWT), an attacker could compromise another instance of Izanami. This issue has been patched in version 1.11.0. | ||||
| CVE-2023-25823 | 1 Gradio Project | 1 Gradio | 2025-03-10 | 5.4 Medium |
| Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users are recommended to update to 3.19.1 or later where the FRP solution has been properly tested. | ||||
| CVE-2024-27774 | 1 Unitronics | 1 Unilogic | 2025-03-10 | 7.5 High |
| Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-259: Use of Hard-coded Password may allow disclosing Sensitive Information Embedded inside Device's Firmware | ||||
| CVE-2023-22344 | 1 Dos-osaka | 2 Rakuraku Pc Cloud Agent, Ss1 | 2025-03-06 | 9.8 Critical |
| Use of hard-coded credentials vulnerability in SS1 Ver.13.0.0.40 and earlier and Rakuraku PC Cloud Agent Ver.2.1.8 and earlier allows a remote attacker to obtain the password of the debug tool and execute it. As a result of exploiting this vulnerability with CVE-2023-22335 and CVE-2023-22336 vulnerabilities together, it may allow a remote attacker to execute an arbitrary code with SYSTEM privileges by sending a specially crafted script to the affected device. | ||||
| CVE-2023-1269 | 1 Easyappointments | 1 Easyappointments | 2025-03-05 | 9.8 Critical |
| Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0. | ||||
| CVE-2023-2061 | 1 Mitsubishielectric | 8 Fx5-enet\/ip, Fx5-enet\/ip Firmware, Rj71eip91 and 5 more | 2025-03-05 | 6.2 Medium |
| Use of Hard-coded Password vulnerability in FTP function on Mitsubishi Electric Corporation MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP allows a remote unauthenticated attacker to obtain a hard-coded password and access to the module via FTP. | ||||
| CVE-2025-1393 | 2025-03-05 | 9.8 Critical | ||
| An unauthenticated remote attacker can use hard-coded credentials to gain full administration privileges on the affected product. | ||||