Total
34 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2025-35970 | | | 2025-08-07 | 7.5 High |
On multiple products of SEIKO EPSON and FUJIFILM Corporation, the initial administrator password is easy to guess from the information available via SNMP. If the administrator password is not changed from the initial one, a remote attacker with SNMP access can log in to the product with the administrator privilege. | ||||
CVE-2025-52364 | 1 Tenda | 2 Cp3 Pro, Cp3 Pro Firmware | 2025-08-07 | 7.5 High |
Insecure Permissions vulnerability in Tenda CP3 Pro Firmware V22.5.4.93 allows the telnet service (telnetd) by default at boot via the initialization script /etc/init.d/eth.sh. This allows remote attackers to connect to the device's shell over the network, potentially without authentication if default or weak credentials are present. | ||||
CVE-2025-6077 | 1 Partner Software | 2 Partner Software, Partner Web | 2025-08-05 | 9.8 Critical |
Partner Software's Partner Software Product and corresponding Partner Web application use the same default username and password for the administrator account across all versions. | ||||
CVE-2025-53558 | 1 Zte | 2 Zxhn F660a, Zxhn F660t | 2025-07-31 | N/A |
ZXHN-F660T and ZXHN-F660A provided by ZTE Japan K.K. use a common credential for all installations. With the knowledge of the credential, an attacker may log in to the affected devices. | ||||
CVE-2025-4057 | 1 Redhat | 2 Amq Broker, Rhosemc | 2025-07-31 | 5.5 Medium |
A flaw was found in ActiveMQ Artemis. The password generated by activemq-artemis-operator does not regenerate between separated CR dependencies. | ||||
CVE-2024-51978 | | | 2025-07-25 | 9.8 Critical |
An unauthenticated attacker who knows the target device's serial number can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device's serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request. | ||||
CVE-2025-6523 | 1 Devolutions | 1 Devolutions Server | 2025-07-25 | 7.7 High |
Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authentication via brute forcing the short emergency codes generated by the server within a feasible timeframe. This issue affects the following versions : * Devolutions Server 2025.2.2.0 through 2025.2.3.0 * Devolutions Server 2025.1.11.0 and earlier | ||||
CVE-2024-11717 | 1 Ctfd | 1 Ctfd | 2025-07-13 | N/A |
Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might reuse such a token to change user's password and take over the account. Moreover, the tokens also include base64 encoded user email. This issue impacts releases up to 3.7.4 and was addressed by pull request 2679 https://github.com/CTFd/CTFd/pull/2679 included in 3.7.5 release. | ||||
CVE-2024-28066 | 1 Mitel | 28 6905, 6905 Firmware, 6910 and 25 more | 2025-06-18 | 8.8 High |
In Unify CP IP Phone firmware 1.10.4.3, Weak Credentials are used (a hardcoded root password). | ||||
CVE-2023-48257 | 1 Bosch | 21 Nexo-os, Nexo Cordless Nutrunner Nxa011s-36v-b \(0608842012\), Nexo Cordless Nutrunner Nxa011s-36v \(0608842011\) and 18 more | 2025-06-17 | 7.8 High |
The vulnerability allows a remote attacker to access sensitive data inside exported packages or obtain up to Remote Code Execution (RCE) with root privileges on the device. The vulnerability can be exploited directly by authenticated users, via crafted HTTP requests, or indirectly by unauthenticated users, by accessing already-exported backup packages, or crafting an import package and inducing an authenticated victim into sending the HTTP upload request. | ||||
CVE-2022-3010 | 1 Priva | 1 Top Control Suite | 2025-06-04 | 7.5 High |
The Priva TopControl Suite contains predictable credentials for the SSH service, based on the serial number, which makes it possible for an attacker to calculate the login credentials for the Priva TopControl Suite. | ||||
CVE-2025-32471 | | | 2025-04-29 | 3.7 Low |
The device’s passwords have not been adequately salted, making them vulnerable to password extraction attacks. | ||||
CVE-2024-29071 | 1 Kddi | 1 Hgw Bli500hm Firmware | 2025-03-28 | 8.8 High |
HGW BL1500HM Ver 002.001.013 and earlier contains a use of weak credentials issue. A network-adjacent unauthenticated attacker may change the system settings. | ||||
CVE-2024-21865 | | | 2025-03-28 | 6.5 Medium |
HGW BL1500HM Ver 002.001.013 and earlier contains a use of weak credentials issue. A network-adjacent unauthenticated attacker may connect to the product via SSH and use a shell. | ||||
CVE-2025-2229 | | | 2025-03-17 | 7.7 High |
A token is created using the username, current date/time, and a fixed AES-128 encryption key, which is the same across all installations. | ||||
CVE-2024-43659 | | | 2025-03-11 | 7.2 High |
After gaining access to the firmware of a charging station, a file at <redacted> can be accessed to obtain default credentials that are the same across all Iocharger AC model EV chargers. This issue affects Iocharger firmware for AC models before firmware version 25010801. The issue is addressed by requiring a mandatory password change on first login; it is still recommended to change the password on older models. Likelihood: Moderate – The attacker will first have to abuse a code execution or file inclusion vulnerability (for example by using <redacted>.sh) to gain access to the <redacted>.json file, or obtain a firmware dump of the charging station or obtain the firmware via other channels. Impact: Critical – All chargers using Iocharger firmware for AC models started with the same initial password. For models with firmware version before 25010801 a password change was not mandatory. It is therefore very likely that this firmware password is still active on many chargers. These credentials could, once obtained, allow an attacker to log into many Iocharger charging stations, and allow them to execute arbitrary commands via the System → Custom page. CVSS clarification: Any network interface serving the web UI is vulnerable (AV:N) and there are no additional security measures to circumvent (AC:L), nor does the attack require any existing preconditions (AT:N). The attack is authenticated, and requires high privileges (PR:H); there is no user interaction required (UI:N). The attack leads to a compromise of the confidentiality of the "super user" credentials of the device (VC:H/VI:N/VA:N), and can subsequently be used to full compromise and other devices (SC:H/SI:H/SA:H). Because this is an EV charger handling significant power, there is a potential safety impact (S:P). This attack can be automated (AU:Y). | ||||
CVE-2024-33849 | | | 2025-02-13 | 6.5 Medium |
ci solution CI-Out-of-Office Manager through 6.0.0.77 uses a Hard-coded Cryptographic Key. | ||||
CVE-2024-52331 | | | 2025-02-12 | 7.5 High |
ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot. | ||||
CVE-2025-1081 | | | 2025-02-12 | 3.1 Low |
A vulnerability was found in Bharti Airtel Xstream Fiber up to 20250123. It has been rated as problematic. This issue affects some unknown processing of the component WiFi Password Handler. The manipulation leads to use of weak credentials. The attack needs to be done within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
CVE-2025-22936 | | | 2025-02-12 | 5.7 Medium |
An issue in Smartcom Bulgaria AD Smartcom Ralink CPE/WiFi router SAM-4G1G-TT-W-VC, SAM-4F1F-TT-W-A1 allows a remote attacker to obtain sensitive information via the Weak default WiFi password generation algorithm in WiFi routers. |