CWE-259
AllowedUse of Hard-coded Password
Abstraction: Variant · Status: Draft
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
315 vulnerabilities reference this CWE, most recent first.
GHSA-5V33-QMW6-V5H3
Vulnerability from github – Published: 2026-06-04 00:30 – Updated: 2026-06-30 21:31Active IQ Config Advisor version 6.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations.
{
"affected": [],
"aliases": [
"CVE-2026-22054"
],
"database_specific": {
"cwe_ids": [
"CWE-259"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-03T22:16:34Z",
"severity": "MODERATE"
},
"details": "Active IQ Config Advisor version 6.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations.",
"id": "GHSA-5v33-qmw6-v5h3",
"modified": "2026-06-30T21:31:36Z",
"published": "2026-06-04T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22054"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20260603-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5WCF-4858-MPR6
Vulnerability from github – Published: 2022-11-25 00:30 – Updated: 2022-11-28 21:30Use of Hard-coded Password vulnerability in Mitsubishi Electric GX Works3 all versions allows an unauthenticated attacker to disclose sensitive information. As a result, unauthorized users may view or execute programs illegally.
{
"affected": [],
"aliases": [
"CVE-2022-29825"
],
"database_specific": {
"cwe_ids": [
"CWE-259",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-25T00:15:00Z",
"severity": "HIGH"
},
"details": "Use of Hard-coded Password vulnerability in Mitsubishi Electric GX Works3 all versions allows an unauthenticated attacker to disclose sensitive information. As a result, unauthorized users may view or execute programs illegally.",
"id": "GHSA-5wcf-4858-mpr6",
"modified": "2022-11-28T21:30:22Z",
"published": "2022-11-25T00:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29825"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU97244961/index.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5X7W-24Q4-V7QF
Vulnerability from github – Published: 2024-08-02 18:31 – Updated: 2024-08-03 21:30An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform unauthorized access using known operating system credentials due to hardcoded SQL user credentials in the client application.
{
"affected": [],
"aliases": [
"CVE-2024-38885"
],
"database_specific": {
"cwe_ids": [
"CWE-259"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-02T18:16:19Z",
"severity": "HIGH"
},
"details": "An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform unauthorized access using known operating system credentials due to hardcoded SQL user credentials in the client application.",
"id": "GHSA-5x7w-24q4-v7qf",
"modified": "2024-08-03T21:30:34Z",
"published": "2024-08-02T18:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38885"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.273369"
},
{
"type": "WEB",
"url": "http://caterease.com"
},
{
"type": "WEB",
"url": "http://horizon.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-62CF-RJ26-WC9V
Vulnerability from github – Published: 2025-10-16 18:30 – Updated: 2025-10-16 21:31A hard-coded weak password vulnerability has been discovered in all Magic-branded devices from Chinese network equipment manufacturer H3C. The vulnerability stems from the use of a hard-coded weak password for the root account in the /etc/shadow configuration or even the absence of any password at all. Some of these devices have the Telnet service enabled by default, or users can choose to enable the Telnet service in other device management interfaces (e.g. /debug.asp or /debug_telnet.asp). In addition, these devices have related interfaces called Virtual Servers, which can map the devices to the public network, posing the risk of remote attacks. Therefore, attackers can obtain the highest root privileges of the devices through the Telnet service using the weak password hardcoded in the firmware (or without a password), and remote attacks are possible.
{
"affected": [],
"aliases": [
"CVE-2025-61330"
],
"database_specific": {
"cwe_ids": [
"CWE-259"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-16T18:15:37Z",
"severity": "MODERATE"
},
"details": "A hard-coded weak password vulnerability has been discovered in all Magic-branded devices from Chinese network equipment manufacturer H3C. The vulnerability stems from the use of a hard-coded weak password for the root account in the /etc/shadow configuration or even the absence of any password at all. Some of these devices have the Telnet service enabled by default, or users can choose to enable the Telnet service in other device management interfaces (e.g. /debug.asp or /debug_telnet.asp). In addition, these devices have related interfaces called Virtual Servers, which can map the devices to the public network, posing the risk of remote attacks. Therefore, attackers can obtain the highest root privileges of the devices through the Telnet service using the weak password hardcoded in the firmware (or without a password), and remote attacks are possible.",
"id": "GHSA-62cf-rj26-wc9v",
"modified": "2025-10-16T21:31:15Z",
"published": "2025-10-16T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61330"
},
{
"type": "WEB",
"url": "https://www.notion.so/25e8cd7f7805800a9a71c1193fb3cb43"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-65Q8-WRMH-RRCM
Vulnerability from github – Published: 2024-08-16 18:30 – Updated: 2024-08-19 21:35H3C GR1100-P v100R009 was discovered to use a hardcoded password in /etc/shadow, which allows attackers to log in as root.
{
"affected": [],
"aliases": [
"CVE-2024-42639"
],
"database_specific": {
"cwe_ids": [
"CWE-259"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-16T18:15:10Z",
"severity": "CRITICAL"
},
"details": "H3C GR1100-P v100R009 was discovered to use a hardcoded password in /etc/shadow, which allows attackers to log in as root.",
"id": "GHSA-65q8-wrmh-rrcm",
"modified": "2024-08-19T21:35:08Z",
"published": "2024-08-16T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42639"
},
{
"type": "WEB",
"url": "https://palm-vertebra-fe9.notion.site/H3C-GR1100-PV100R009-was-discovered-to-contain-a-hardcoded-824141daa44f4c52a914860c6e4a7684"
},
{
"type": "WEB",
"url": "https://www.h3c.com/cn/d_202308/1912371_30005_0.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6674-2JWV-XG4Q
Vulnerability from github – Published: 2025-08-04 18:30 – Updated: 2025-11-03 21:34RUCKUS Network Director (RND) before 4.5 allows jailed users to obtain root access vis a weak, hardcoded password.
{
"affected": [],
"aliases": [
"CVE-2025-44955"
],
"database_specific": {
"cwe_ids": [
"CWE-259"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-04T16:15:33Z",
"severity": "HIGH"
},
"details": "RUCKUS Network Director (RND) before 4.5 allows jailed users to obtain root access vis a weak, hardcoded password.",
"id": "GHSA-6674-2jwv-xg4q",
"modified": "2025-11-03T21:34:19Z",
"published": "2025-08-04T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-44955"
},
{
"type": "WEB",
"url": "https://claroty.com/team82/disclosure-dashboard/cve-2025-44955"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/613753"
},
{
"type": "WEB",
"url": "https://webresources.commscope.com/download/assets/FAQ+Security+Advisory%3A+ID+20250710/225f44ac3bd311f095821adcaa92e24e"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/613753"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-69P4-MGMF-PPHX
Vulnerability from github – Published: 2024-07-24 15:31 – Updated: 2024-09-04 00:31AdTran 834-5 HDC17600021F1 (SmartOS 11.1.1.1) devices enable the SSH service by default and have a hidden, undocumented, hard-coded support account whose password is based on the devices MAC address. All of the devices internet interfaces share a similar MAC address that only varies in their final octet. This allows network-adjacent attackers to derive the support user's SSH password by decrementing the final octet of the connected gateway address or via the BSSID. An attacker can then execute arbitrary OS commands with root-level privileges.
{
"affected": [],
"aliases": [
"CVE-2024-39345"
],
"database_specific": {
"cwe_ids": [
"CWE-259",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-24T15:15:12Z",
"severity": "HIGH"
},
"details": "AdTran 834-5 HDC17600021F1 (SmartOS 11.1.1.1) devices enable the SSH service by default and have a hidden, undocumented, hard-coded support account whose password is based on the devices MAC address. All of the devices internet interfaces share a similar MAC address that only varies in their final octet. This allows network-adjacent attackers to derive the support user\u0027s SSH password by decrementing the final octet of the connected gateway address or via the BSSID. An attacker can then execute arbitrary OS commands with root-level privileges.",
"id": "GHSA-69p4-mgmf-pphx",
"modified": "2024-09-04T00:31:14Z",
"published": "2024-07-24T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39345"
},
{
"type": "WEB",
"url": "https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-39345"
},
{
"type": "WEB",
"url": "https://github.com/actuator/cve/blob/main/AdTran/TBA"
},
{
"type": "WEB",
"url": "https://supportcommunity.adtran.com/t5/Security-Advisories/ADTSA-2024001-Multiple-vulnerabilities-in-Service-Delivery-Gateway-products/ta-p/39332"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6F94-497C-P96P
Vulnerability from github – Published: 2026-03-11 21:31 – Updated: 2026-03-12 15:30An issue pertaining to CWE-259: Use of Hard-coded Password was discovered in oslabs-beta ThermaKube master.
{
"affected": [],
"aliases": [
"CVE-2025-70041"
],
"database_specific": {
"cwe_ids": [
"CWE-259"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T21:16:13Z",
"severity": "CRITICAL"
},
"details": "An issue pertaining to CWE-259: Use of Hard-coded Password was discovered in oslabs-beta ThermaKube master.",
"id": "GHSA-6f94-497c-p96p",
"modified": "2026-03-12T15:30:24Z",
"published": "2026-03-11T21:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70041"
},
{
"type": "WEB",
"url": "https://gist.github.com/zcxlighthouse/cbd6fd6ca486460573e0611ee547f763"
},
{
"type": "WEB",
"url": "https://github.com/oslabs-beta"
},
{
"type": "WEB",
"url": "https://github.com/oslabs-beta/ThermaKube"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6G7P-7W92-R3V3
Vulnerability from github – Published: 2024-08-15 18:31 – Updated: 2024-08-15 21:31Identical Hardcoded Root Password for All Devices in GNCC's GC2 Indoor Security Camera 1080P allows an attacker with physical access to retrieve the root password for all similar devices
{
"affected": [],
"aliases": [
"CVE-2024-31798"
],
"database_specific": {
"cwe_ids": [
"CWE-259",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-15T17:15:17Z",
"severity": "MODERATE"
},
"details": "Identical Hardcoded Root Password for All Devices in GNCC\u0027s GC2 Indoor Security Camera 1080P allows an attacker with physical access to retrieve the root password for all similar devices",
"id": "GHSA-6g7p-7w92-r3v3",
"modified": "2024-08-15T21:31:19Z",
"published": "2024-08-15T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31798"
},
{
"type": "WEB",
"url": "https://gncchome.com/collections/indoor-camera/products/c2-indoor-security-camera-1080p"
},
{
"type": "WEB",
"url": "https://www.nsideattacklogic.de/advisories/NSIDE-SA-2024-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6HW6-G568-PG8M
Vulnerability from github – Published: 2024-09-26 15:30 – Updated: 2024-09-26 18:31VONETS VAP11G-300 v3.3.23.6.9 was discovered to contain hardcoded credentials for several different privileged accounts, including root.
{
"affected": [],
"aliases": [
"CVE-2024-46328"
],
"database_specific": {
"cwe_ids": [
"CWE-259"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T14:15:09Z",
"severity": "HIGH"
},
"details": "VONETS VAP11G-300 v3.3.23.6.9 was discovered to contain hardcoded credentials for several different privileged accounts, including root.",
"id": "GHSA-6hw6-g568-pg8m",
"modified": "2024-09-26T18:31:44Z",
"published": "2024-09-26T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46328"
},
{
"type": "WEB",
"url": "https://hawktesters.com/5519644d-246e-4924-b7c8-8fdf742117be/9461d352-c4f6-477f-a44e-b91ff71e6d84.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Mitigation
For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password.
Mitigation
Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved.
- Use randomly assigned salts for each separate hash that you generate. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
For front-end to back-end connections: Three solutions are possible, although none are complete.
No CAPEC attack patterns related to this CWE.