Total
1518 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-2538 | 1 Esri | 1 Portal For Arcgis | 2025-10-01 | 9.8 Critical |
| A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system. | ||||
| CVE-2025-2394 | 2025-09-30 | N/A | ||
| Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure. | ||||
| CVE-2024-41610 | 1 Dlink | 2 Dir-820lw, Dir-820lw Firmware | 2025-09-29 | 9.8 Critical |
| D-Link DIR-820LW REVB FIRMWARE PATCH 2.03.B01_TC contains hardcoded credentials in the Telnet service, enabling attackers to log in remotely to the Telnet service and perform arbitrary commands. | ||||
| CVE-2025-11126 | 1 Apeman | 1 Apeman | 2025-09-29 | 9.8 Critical |
| A security flaw has been discovered in Apeman ID71 218.53.203.117. This vulnerability affects unknown code of the file /system/www/system.ini. The manipulation results in hard-coded credentials. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-41611 | 1 Dlink | 2 Dir-860l, Dir-860l Firmware | 2025-09-29 | 9.8 Critical |
| In D-Link DIR-860L REVA FIRMWARE PATCH 1.10..B04, the Telnet service contains hardcoded credentials, enabling attackers to log in remotely to the Telnet service and perform arbitrary commands. | ||||
| CVE-2025-52159 | 2 Ppress, Yandaozi | 2 Cms, Ppress | 2025-09-25 | 8.8 High |
| Hardcoded credentials in default configuration of PPress 0.0.9. | ||||
| CVE-2025-57602 | 1 Aikaan | 1 Iot Management Platform | 2025-09-23 | 9.8 Critical |
| Insufficient hardening of the proxyuser account in the AiKaan IoT management platform, combined with the use of a shared, hardcoded SSH private key, allows remote attackers to authenticate to the cloud controller, gain interactive shell access, and pivot into other connected IoT devices. This can lead to remote code execution, information disclosure, and privilege escalation across customer environments. | ||||
| CVE-2025-57601 | 1 Aikaan | 1 Cloud Controller | 2025-09-23 | 9.8 Critical |
| AiKaan Cloud Controller uses a single hardcoded SSH private key and the username `proxyuser` for remote terminal access to all managed IoT/edge devices. When an administrator initiates "Open Remote Terminal" from the AiKaan dashboard, the controller sends this same static private key to the target device. The device then uses it to establish a reverse SSH tunnel to a remote access server, enabling browser-based SSH access for the administrator. Because the same `proxyuser` account and SSH key are reused across all customer environments: - An attacker who obtains the key (e.g., by intercepting it in transit, extracting it from the remote access server, or from a compromised admin account) can impersonate any managed device. - They can establish unauthorized reverse SSH tunnels and interact with devices without the owner's consent. This is a design flaw in the authentication model: compromise of a single key compromises the trust boundary between the controller and devices. | ||||
| CVE-2025-51536 | 1 Craws | 1 Openatlas | 2025-09-23 | 9.8 Critical |
| Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 as discovered to contain a hardcoded Administrator password. | ||||
| CVE-2024-11147 | 1 Ecovacs | 28 Airbot Andy, Airbot Andy Firmware, Airbot Ava and 25 more | 2025-09-23 | 7.6 High |
| ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root. | ||||
| CVE-2025-30200 | 1 Ecovacs | 26 Deebot T10, Deebot T10 Firmware, Deebot T10 Omni and 23 more | 2025-09-23 | 6.3 Medium |
| ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived. | ||||
| CVE-2025-30198 | 1 Ecovacs | 26 Deebot T10, Deebot T10 Firmware, Deebot T10 Omni and 23 more | 2025-09-23 | 6.3 Medium |
| ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived. | ||||
| CVE-2025-58659 | 1 Wordpress | 1 Wordpress | 2025-09-23 | 5.3 Medium |
| Use of Hard-coded Credentials vulnerability in Essekia Helpie FAQ allows Retrieve Embedded Sensitive Data. This issue affects Helpie FAQ: from n/a through 1.39. | ||||
| CVE-2025-58656 | 3 Risto Niinemets, Woocommerce, Wordpress | 3 Estonian Shipping Methods, Woocommerce, Wordpress | 2025-09-23 | 5.3 Medium |
| Use of Hard-coded Credentials vulnerability in Risto Niinemets Estonian Shipping Methods for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects Estonian Shipping Methods for WooCommerce: from n/a through 1.7.2. | ||||
| CVE-2025-58269 | 2 Wedevs, Wordpress | 2 Wp Project Manager, Wordpress | 2025-09-23 | 5.3 Medium |
| Use of Hard-coded Credentials vulnerability in weDevs WP Project Manager allows Retrieve Embedded Sensitive Data. This issue affects WP Project Manager: from n/a through 2.6.25. | ||||
| CVE-2024-41794 | 1 Siemens | 2 7kt Pac1260 Data Manager, 7kt Pac1260 Data Manager Firmware | 2025-09-23 | 10 Critical |
| A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). Affected devices contain hardcoded credentials for remote access to the device operating system with root privileges. This could allow unauthenticated remote attackers to gain full access to a device, if they are in possession of these credentials and if the ssh service is enabled (e.g., by exploitation of CVE-2024-41793). | ||||
| CVE-2025-57434 | 1 Creacast | 1 Creabox Manager | 2025-09-23 | 8.8 High |
| Creacast Creabox Manager contains a critical authentication flaw that allows an attacker to bypass login validation. The system grants access when the username is creabox and the password begins with the string creacast, regardless of what follows. | ||||
| CVE-2024-9643 | 1 Four-faith | 2 F3x36, F3x36 Firmware | 2025-09-19 | 9.8 Critical |
| The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to authentication bypass due to hard-coded credentials in the administrative web server. An attacker with knowledge of the credentials can gain administrative access via crafted HTTP requests. This issue appears similar to CVE-2023-32645. | ||||
| CVE-2025-5023 | 2025-09-19 | 7.1 High | ||
| Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020. | ||||
| CVE-2024-48842 | 1 Abb | 1 Flxeon | 2025-09-18 | 7 High |
| Use of Hard-coded Credentials vulnerability in ABB FLXEON.This issue affects FLXEON: through 9.3.5 and newer versions | ||||