Common Weakness Enumeration

CWE-1392

Allowed

Use of Default Credentials

Abstraction: Base · Status: Incomplete

The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.

191 vulnerabilities reference this CWE, most recent first.

GHSA-CF63-G2WM-56WP

Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-07-01 15:32
VLAI
Details

Default credential in install package in ABB ASPECT; NEXUS Series; MATRIX Series version 3.07 allows attacker to login to product instances wrongly configured.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4007"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1392"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-01T13:15:06Z",
    "severity": "HIGH"
  },
  "details": "Default credential in install package in ABB ASPECT; NEXUS Series; MATRIX Series version 3.07 allows attacker to login to product instances wrongly configured.",
  "id": "GHSA-cf63-g2wm-56wp",
  "modified": "2024-07-01T15:32:33Z",
  "published": "2024-07-01T15:32:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4007"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A6101\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CGX8-HG5R-9PWR

Vulnerability from github – Published: 2026-01-28 09:30 – Updated: 2026-01-28 09:30
VLAI
Details

Default credentials vulnerability exists in SuprOS product. If exploited, this could allow an authenticated local attacker to use an admin account created during product deployment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1392"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-28T09:15:48Z",
    "severity": "HIGH"
  },
  "details": "Default credentials vulnerability exists in SuprOS\nproduct. If exploited, this could allow an authenticated\nlocal attacker to use an admin account created during\nproduct deployment.",
  "id": "GHSA-cgx8-hg5r-9pwr",
  "modified": "2026-01-28T09:30:31Z",
  "published": "2026-01-28T09:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7740"
    },
    {
      "type": "WEB",
      "url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000223\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CJ3G-43PH-GVG8

Vulnerability from github – Published: 2026-02-06 03:30 – Updated: 2026-02-06 03:30
VLAI
Details

A vulnerability was found in Edimax BR-6208AC 2_1.02. The affected element is the function auth_check_userpass2. Performing a manipulation of the argument Username/Password results in use of default credentials. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1972"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1392"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-06T02:16:04Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Edimax BR-6208AC 2_1.02. The affected element is the function auth_check_userpass2. Performing a manipulation of the argument Username/Password results in use of default credentials. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirms that the affected product is end-of-life. They confirm that they \"will issue a consolidated Security Advisory on our official support website.\" This vulnerability only affects products that are no longer supported by the maintainer.",
  "id": "GHSA-cj3g-43ph-gvg8",
  "modified": "2026-02-06T03:30:19Z",
  "published": "2026-02-06T03:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1972"
    },
    {
      "type": "WEB",
      "url": "https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Weak-Password-Authentication-Vulnerability-in-auth_check_userpass2-Functi-2f0b5c52018a801c9645dd5261717901?source=copy_link"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.344494"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.344494"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.744032"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CM2R-RG7R-P7GG

Vulnerability from github – Published: 2025-06-30 17:50 – Updated: 2025-08-04 17:39
VLAI
Summary
File Browser vulnerable to insecure password handling
Details

Summary

All user accounts authenticate towards a File Browser instance with a password. A missing password policy and brute-force protection makes it impossible for administrators to properly secure the authentication process.

Impact

Attackers can mount a brute-force attack against the passwords of all accounts of an instance. Since the application is lacking the ability to prevent users from choosing a weak password, the attack is likely to succeed.

Vulnerability Description

The application implement a classical authentication scheme using a username and password combination. While employed by many systems, this scheme is quite error-prone and a common cause for vulnerabilities. File Browser's implementation has multiple weak points:

  1. Since the application is missing the capability for administrators to define a password policy, users are at liberty to set trivial and well-known passwords such as secret or even ones with only single digit like 1.
  2. New instances are set up with a default password of admin for the initial administrative account. This password is well known and easily guessable. While the documentation advises to change this password, the application does not technically enforce it.
  3. The application does not implement any brute-force protection for the authentication endpoint. Attackers can make as many guesses for a password as the network bandwidth allows.

The combination of these problems makes it likely, that an attacker will succeed in compromising at least one account in a File Browser instance, possibly even one with administrative privileges. The likelihood of such an attack increases substantially for internet-facing instances.

Proof of Concept

The insecure default credentials are documented on the application's website:

image

The following HTTP communication shows, that a trivial password of 1 can be configured by a user:

```http hl:17 PUT /api/users/2 HTTP/1.1 Host: filebrowser.local:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: http://filebrowser.local:8080/settings/profile X-Auth: eyJ[...] Content-Type: text/plain;charset=UTF-8 Content-Length: 319 Origin: http://filebrowser.local:8080 Connection: keep-alive Cookie: auth=eyJ[...] X-PwnFox-Color: cyan Priority: u=0

{"what":"user","which":["password"],"data":{"id":2,"locale":"en","viewMode":"mosaic","singleClick":false,"perm":{"admin":false,"execute":true,"create":true,"rename":true,"modify":true,"delete":true,"share":true,"download":true},"commands":[],"lockPassword":false,"hideDotfiles":false,"dateFormat":false,"password":"1"}}

HTTP/1.1 200 OK Cache-Control: no-cache, no-store, must-revalidate Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline'; Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 27 Mar 2025 08:31:34 GMT Content-Length: 7

200 OK


The missing brute-force protection can easily be tested by repeatedly sending the following request to the application with a tool such as Burp or hydra.

POST /api/login HTTP/1.1 Host: filebrowser.local:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/json Content-Length: 52 Origin: http://filebrowser.local:8080

{"username":"admin","password":"myPasswordGuess","recaptcha":""}

HTTP/1.1 403 Forbidden Cache-Control: no-cache, no-store, must-revalidate Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline'; Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 27 Mar 2025 08:39:48 GMT Content-Length: 14

403 Forbidden


After sending 3000 bad passwords to the application within a few seconds, a successful authentication is still possible for the account:

```http
POST /api/login HTTP/1.1
Host: filebrowser.local:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 54
Origin: http://filebrowser.local:8080
Connection: keep-alive

{"username":"admin","password":"myCorrectPassword","recaptcha":""}

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline';
Content-Type: text/plain
Date: Thu, 27 Mar 2025 08:39:58 GMT
Content-Length: 508

eyJ[...]

Recommended Countermeasures

The application should add an option to define a password policy in its administrative interface which allows to set a minimum length for passwords. The default settings should be in line with the NIST publication SP 800-63B. This means, that now passwords of fewer than 8 characters should ever be allowed by the application. Whenever a user sets a new password, the application should verify whether that password is part of a "known passwords" list.

The application should either create a secure and random password for the admin account upon initialization or enforce an immediate password change when that user logs in for the first time using the default password.

A brute-force protection needs to be implemented, which limits the allowed amount of authentication attempts per user within a certain timeframe. This implementation should employ device tokens to prevent targeted lockout attacks.

In addition, it would be advisable to allow the integration of the application into and existing Identity Provider using protocols like LDAP or OIDC.

Timeline

  • 2025-03-27 Identified the vulnerability in version 2.32.0
  • 2025-04-11 Contacted the project
  • 2025-04-29 Vulnerability disclosed to the project
  • 2025-06-25 Uploaded advisories to the project's GitHub repository
  • 2025-06-26 CVE ID assigned by GitHub
  • 2025-06-29 Fix released in version 2.34.1. 12 minimum characters as default has been chosen since the implementation does not include protection against brute force attacks.

References

Credits

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.34.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.34.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1392",
      "CWE-307",
      "CWE-521"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-30T17:50:01Z",
    "nvd_published_at": "2025-06-30T20:15:25Z",
    "severity": "MODERATE"
  },
  "details": "## Summary ##\n\nAll user accounts authenticate towards a *File Browser* instance with a password. A missing password policy and brute-force protection makes it impossible for administrators to properly secure the authentication process.\n\n## Impact ##\n\nAttackers can mount a brute-force attack against the passwords of all accounts of an instance. Since the application is lacking the ability to prevent users from choosing a weak password, the attack is likely to succeed.\n\n## Vulnerability Description ##\n\nThe application implement a classical authentication scheme using a username and password combination. While employed by many systems, this scheme is quite error-prone and a common cause for vulnerabilities. File Browser\u0027s implementation has multiple weak points:\n\n1. Since the application is missing the capability for administrators to define a password policy, users are at liberty to set trivial and well-known passwords such as `secret` or even ones with only single digit like `1`.\n2. New instances are set up with a default password of `admin` for the initial administrative account. This password is well known and easily guessable. While the documentation advises to change this password, the application does not technically enforce it.\n3. The application does not implement any brute-force protection for the authentication endpoint. Attackers can make as many guesses for a password as the network bandwidth allows.\n\nThe combination of these problems makes it likely, that an attacker will succeed in compromising at least one account in a *File Browser* instance, possibly even one with administrative privileges. The likelihood of such an attack increases substantially for internet-facing instances.\n\n## Proof of Concept ##\n\nThe insecure default credentials are documented on the application\u0027s website:\n\n![image](https://github.com/user-attachments/assets/46c07d99-dc7b-4d6e-ac27-7eb002229201)\n\nThe following HTTP communication shows, that a trivial password of `1` can be configured by a user:\n\n```http hl:17\nPUT /api/users/2 HTTP/1.1\nHost: filebrowser.local:8080\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: http://filebrowser.local:8080/settings/profile\nX-Auth: eyJ[...]\nContent-Type: text/plain;charset=UTF-8\nContent-Length: 319\nOrigin: http://filebrowser.local:8080\nConnection: keep-alive\nCookie: auth=eyJ[...]\nX-PwnFox-Color: cyan\nPriority: u=0\n\n{\"what\":\"user\",\"which\":[\"password\"],\"data\":{\"id\":2,\"locale\":\"en\",\"viewMode\":\"mosaic\",\"singleClick\":false,\"perm\":{\"admin\":false,\"execute\":true,\"create\":true,\"rename\":true,\"modify\":true,\"delete\":true,\"share\":true,\"download\":true},\"commands\":[],\"lockPassword\":false,\"hideDotfiles\":false,\"dateFormat\":false,\"password\":\"1\"}}\n\nHTTP/1.1 200 OK\nCache-Control: no-cache, no-store, must-revalidate\nContent-Security-Policy: default-src \u0027self\u0027; style-src \u0027unsafe-inline\u0027;\nContent-Type: text/plain; charset=utf-8\nX-Content-Type-Options: nosniff\nDate: Thu, 27 Mar 2025 08:31:34 GMT\nContent-Length: 7\n\n200 OK\n```\n\nThe missing brute-force protection can easily be tested by repeatedly sending the following request to the application with a tool such as Burp or hydra.\n\n```\nPOST /api/login HTTP/1.1\nHost: filebrowser.local:8080\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nContent-Type: application/json\nContent-Length: 52\nOrigin: http://filebrowser.local:8080\n\n{\"username\":\"admin\",\"password\":\"myPasswordGuess\",\"recaptcha\":\"\"}\n\nHTTP/1.1 403 Forbidden\nCache-Control: no-cache, no-store, must-revalidate\nContent-Security-Policy: default-src \u0027self\u0027; style-src \u0027unsafe-inline\u0027;\nContent-Type: text/plain; charset=utf-8\nX-Content-Type-Options: nosniff\nDate: Thu, 27 Mar 2025 08:39:48 GMT\nContent-Length: 14\n\n403 Forbidden\n```\n\nAfter sending 3000 bad passwords to the application within a few seconds, a successful authentication is still possible for the account:\n\n```http\nPOST /api/login HTTP/1.1\nHost: filebrowser.local:8080\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nContent-Type: application/json\nContent-Length: 54\nOrigin: http://filebrowser.local:8080\nConnection: keep-alive\n\n{\"username\":\"admin\",\"password\":\"myCorrectPassword\",\"recaptcha\":\"\"}\n\nHTTP/1.1 200 OK\nCache-Control: no-cache, no-store, must-revalidate\nContent-Security-Policy: default-src \u0027self\u0027; style-src \u0027unsafe-inline\u0027;\nContent-Type: text/plain\nDate: Thu, 27 Mar 2025 08:39:58 GMT\nContent-Length: 508\n\neyJ[...]\n```\n\n## Recommended Countermeasures ##\n\nThe application should add an option to define a password policy in its administrative interface which allows to set a minimum length for passwords.\nThe default settings should be in line with the NIST publication SP 800-63B. This means, that now passwords of fewer than 8 characters should ever be allowed by the application.\nWhenever a user sets a new password, the application should verify whether that password is part of a \"known passwords\" list.\n\nThe application should either create a secure and random password for the `admin` account upon initialization or enforce an immediate password change when that user logs in for the first time using the default password.\n\nA brute-force protection needs to be implemented, which limits the allowed amount of authentication attempts per user within a certain timeframe. This implementation should employ *device tokens* to prevent targeted lockout attacks.\n\nIn addition, it would be advisable to allow the integration of the application into and existing *Identity Provider* using protocols like LDAP or OIDC.\n\n## Timeline ##\n\n* `2025-03-27` Identified the vulnerability in version 2.32.0\n* `2025-04-11` Contacted the project\n* `2025-04-29` Vulnerability disclosed to the project\n* `2025-06-25` Uploaded advisories to the project\u0027s GitHub repository\n* `2025-06-26` CVE ID assigned by GitHub\n* `2025-06-29` Fix released in version 2.34.1. 12 minimum characters as default has been chosen since the implementation does not include protection against brute force attacks. \n\n## References ##\n\n* [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#implement-proper-password-strength-controls)\n* [NIST Special Publication 800-63B. Digital Identity Guidelines. Passwords](https://pages.nist.gov/800-63-4/sp800-63b.html#password)\n* [Pwned Passwords](https://haveibeenpwned.com/Passwords)\n* [Common Credentials](https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials)\n* [CWE-307: Improper Restriction of Excessive Authentication Attempts](https://cwe.mitre.org/data/definitions/307.html)\n* [CWE-521: Weak Password Requirements](https://cwe.mitre.org/data/definitions/521.html)\n* [CWE-1392: Use of Default Credentials](https://cwe.mitre.org/data/definitions/1392.html)\n* [Original Advisory](https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250327-01_Filebrowser_Insecure_Password_Handling)\n\n## Credits ##\n\n* Mathias Tausig ([SBA Research](https://www.sba-research.org/))",
  "id": "GHSA-cm2r-rg7r-p7gg",
  "modified": "2025-08-04T17:39:31Z",
  "published": "2025-06-30T17:50:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-cm2r-rg7r-p7gg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52997"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/bf37f88c32222ad9c186482bb97338a9c9b4a93c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250327-01_Filebrowser_Insecure_Password_Handling"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3792"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File Browser vulnerable to insecure password handling"
}

GHSA-F7JP-GRR4-2429

Vulnerability from github – Published: 2024-12-10 18:31 – Updated: 2024-12-10 18:31
VLAI
Details

MOBATIME Network Master Clock - DTS 4801 allows attackers to use SSH to gain initial access using default credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1392"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-10T18:15:27Z",
    "severity": "CRITICAL"
  },
  "details": "MOBATIME Network Master Clock - DTS 4801 allows attackers to use SSH to gain initial access using default credentials.",
  "id": "GHSA-f7jp-grr4-2429",
  "modified": "2024-12-10T18:31:07Z",
  "published": "2024-12-10T18:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12286"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FG9V-4HW2-F9W8

Vulnerability from github – Published: 2026-07-01 18:31 – Updated: 2026-07-01 18:31
VLAI
Details

JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a hard-coded credentials vulnerability that allows network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80. Attackers can authenticate with these hardcoded credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58453"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1392"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-01T17:16:40Z",
    "severity": "CRITICAL"
  },
  "details": "JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a hard-coded credentials vulnerability that allows network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80. Attackers can authenticate with these hardcoded credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.",
  "id": "GHSA-fg9v-4hw2-f9w8",
  "modified": "2026-07-01T18:31:56Z",
  "published": "2026-07-01T18:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58453"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rwprimitives/jaiotlink-c492a-wifi-camera/blob/main/writeups/02-default-http-credentials.md"
    },
    {
      "type": "WEB",
      "url": "https://www.amazon.com/stores/JAIOTlink/page/3B00DC41-70C3-4BAA-925C-3D222C2633D5?lp_asin=B0GX1BNZ78\u0026ref_=ast_bln\u0026store_ref=bl_ast_dp_brandlogo_sto"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/jaiotlink-c492a-w6-hard-coded-credentials-via-anyka-ipc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FMCG-2R5C-WMHP

Vulnerability from github – Published: 2026-05-12 12:32 – Updated: 2026-05-12 12:32
VLAI
Details

Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database.

Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-7428"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1392"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T10:16:48Z",
    "severity": "CRITICAL"
  },
  "details": "Prior to 2025-11-03,\u00a0well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters\u00a0with an insecure default password which could have been exploited by a\u00a0remote\u00a0attacker\u00a0to\u00a0gain full administrative access to the database.\n\n\n\n\nExploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.",
  "id": "GHSA-fmcg-2r5c-wmhp",
  "modified": "2026-05-12T12:32:15Z",
  "published": "2026-05-12T12:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7428"
    },
    {
      "type": "WEB",
      "url": "https://docs.cloud.google.com/alloydb/docs/release-notes#April_28_2026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FMQC-2W48-QP8R

Vulnerability from github – Published: 2026-05-19 15:31 – Updated: 2026-05-19 15:31
VLAI
Details

Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment. TID-L has not been distributed since December 2020, and has not been supported since 2021.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44159"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1392"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-19T15:16:31Z",
    "severity": "CRITICAL"
  },
  "details": "Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment. TID-L has not been distributed since December 2020, and has not been supported since 2021.",
  "id": "GHSA-fmqc-2w48-qp8r",
  "modified": "2026-05-19T15:31:36Z",
  "published": "2026-05-19T15:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44159"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-138-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-44159"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FQQ5-P7C3-5JQW

Vulnerability from github – Published: 2025-07-01 12:31 – Updated: 2025-07-01 12:31
VLAI
Details

A vulnerability classified as problematic was found in SAFECAM X300 up to 20250611. This vulnerability affects unknown code of the component FTP Service. The manipulation leads to use of default credentials. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6951"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1392"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-01T12:15:24Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic was found in SAFECAM X300 up to 20250611. This vulnerability affects unknown code of the component FTP Service. The manipulation leads to use of default credentials. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-fqq5-p7c3-5jqw",
  "modified": "2025-07-01T12:31:02Z",
  "published": "2025-07-01T12:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6951"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geo-chen/SAFECAM"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.314488"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.314488"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.595454"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FR9F-2M5P-2JV4

Vulnerability from github – Published: 2024-08-28 06:30 – Updated: 2024-08-28 06:30
VLAI
Details

Dell Client Platform BIOS contains a Use of Default Cryptographic Key Vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Secure Boot bypass and arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39584"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1392"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-28T06:15:05Z",
    "severity": "HIGH"
  },
  "details": "Dell Client Platform BIOS contains a Use of Default Cryptographic Key Vulnerability.  A high privileged attacker with local access could potentially exploit this vulnerability, leading to Secure Boot bypass and arbitrary code execution.",
  "id": "GHSA-fr9f-2m5p-2jv4",
  "modified": "2024-08-28T06:30:31Z",
  "published": "2024-08-28T06:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39584"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000227594/dsa-2024-354"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Mitigation
Architecture and Design

Force the administrator to change the credential upon installation.

Mitigation
Installation Operation

The product administrator could change the defaults upon installation or during operation.

No CAPEC attack patterns related to this CWE.