CWE-798
Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.
CVE-2025-66237 (GCVE-0-2025-66237)
Vulnerability from cvelistv5 – Published: 2025-12-04 21:02 – Updated: 2025-12-05 17:02
VLAI
Title
Sunbird DCIM dcTrack and Power IQ Use of Hard-coded Credentials
Summary
DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Sunbird | DCIM dcTrack |
Affected:
0 , ≤ v9.2.0
(custom)
Unaffected: 9.2.3 |
|
| Sunbird | IQ |
Affected:
0 , ≤ v9.2.0
(custom)
Unaffected: 9.2.1 |
Date Public
2025-12-04 17:01
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T17:01:49.625209Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T17:02:00.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DCIM dcTrack",
"vendor": "Sunbird",
"versions": [
{
"lessThanOrEqual": "v9.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "9.2.3"
}
]
},
{
"defaultStatus": "unaffected",
"product": "IQ",
"vendor": "Sunbird",
"versions": [
{
"lessThanOrEqual": "v9.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "9.2.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "notnotnotveg (notnotnotveg@gmail.com) reported these vulnerabilities to CISA."
}
],
"datePublic": "2025-12-04T17:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T21:02:59.614Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSunbird recommends that users take the following actions:\u003c/p\u003e\u003cul\u003e\u003cli\u003edcTrack: Update to 9.2.3\u003c/li\u003e\u003cli\u003ePower: Update to IQ 9.2.1\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
}
],
"value": "Sunbird recommends that users take the following actions:\n\n * dcTrack: Update to 9.2.3\n * Power: Update to IQ 9.2.1"
}
],
"source": {
"advisory": "ICSA-25-338-05",
"discovery": "EXTERNAL"
},
"title": "Sunbird DCIM dcTrack and Power IQ Use of Hard-coded Credentials",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIf updating immediately is not possible, Sunbird additionally recommends that customers:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRestrict SSH or any non-essential port access in the IP Based Access Control.\u003c/li\u003e\u003cli\u003ePasswords for SSH based user accounts be changed at the time of deployment.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "If updating immediately is not possible, Sunbird additionally recommends that customers:\n\n * Restrict SSH or any non-essential port access in the IP Based Access Control.\n * Passwords for SSH based user accounts be changed at the time of deployment."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-66237",
"datePublished": "2025-12-04T21:02:59.614Z",
"dateReserved": "2025-11-25T17:32:15.110Z",
"dateUpdated": "2025-12-05T17:02:00.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66454 (GCVE-0-2025-66454)
Vulnerability from cvelistv5 – Published: 2025-12-02 18:23 – Updated: 2025-12-02 19:28
VLAI
Title
Arcade MCP Default Hardcoded Worker Secret Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints
Summary
Arcade MCP allows you to to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints—including tool enumeration and tool invocation—without credentials. This vulnerability is fixed in 1.5.4.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/ArcadeAI/arcade-mcp/security/a… | x_refsource_CONFIRM |
| https://github.com/ArcadeAI/arcade-mcp/pull/691 | x_refsource_MISC |
| https://github.com/ArcadeAI/arcade-mcp/commit/446… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ArcadeAI | arcade-mcp |
Affected:
< 1.5.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66454",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T19:28:19.190064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T19:28:27.762Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "arcade-mcp",
"vendor": "ArcadeAI",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Arcade MCP allows you to to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret (\"dev\") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints\u2014including tool enumeration and tool invocation\u2014without credentials. This vulnerability is fixed in 1.5.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T18:23:33.377Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ArcadeAI/arcade-mcp/security/advisories/GHSA-g2jx-37x6-6438",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ArcadeAI/arcade-mcp/security/advisories/GHSA-g2jx-37x6-6438"
},
{
"name": "https://github.com/ArcadeAI/arcade-mcp/pull/691",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ArcadeAI/arcade-mcp/pull/691"
},
{
"name": "https://github.com/ArcadeAI/arcade-mcp/commit/44660d18ceb220600401303df860a31ca766c817",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ArcadeAI/arcade-mcp/commit/44660d18ceb220600401303df860a31ca766c817"
}
],
"source": {
"advisory": "GHSA-g2jx-37x6-6438",
"discovery": "UNKNOWN"
},
"title": "Arcade MCP Default Hardcoded Worker Secret Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66454",
"datePublished": "2025-12-02T18:23:33.377Z",
"dateReserved": "2025-12-01T18:44:35.639Z",
"dateUpdated": "2025-12-02T19:28:27.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68421 (GCVE-0-2025-68421)
Vulnerability from cvelistv5 – Published: 2026-05-14 10:35 – Updated: 2026-05-14 17:55
VLAI
Title
Hardcoded credentials in Comarch ERP Optima
Summary
Comarch ERP Optima client makes use of a hard-coded password for a database user. These credentials cannot be changed. It is possible for a remote attacker to gain an access to the database with elevated privileges including executing system commands on a server.
This issue has been fixed in version 2026.4
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.comarch.pl/erp/comarch-optima/ | product |
| https://cert.pl/posts/2026/05/CVE-2025-68420/ | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Comarch | ERP Optima |
Affected:
0 , < 2026.4
(custom)
|
Date Public
2026-05-14 10:33
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T17:55:21.483903Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T17:55:30.537Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Analizy BI"
],
"product": "ERP Optima",
"vendor": "Comarch",
"versions": [
{
"lessThan": "2026.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wojciech Gie\u0142da"
}
],
"datePublic": "2026-05-14T10:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Comarch ERP Optima client makes use of a hard-coded password for a database user. These credentials cannot be changed. It is possible for a remote attacker to gain an access to the database with elevated privileges including executing system commands on a server.\u003cbr\u003eThis issue has been fixed in version 2026.4\u003cbr\u003e"
}
],
"value": "Comarch ERP Optima client makes use of a hard-coded password for a database user. These credentials cannot be changed. It is possible for a remote attacker to gain an access to the database with elevated privileges including executing system commands on a server.\nThis issue has been fixed in version 2026.4"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T10:35:04.752Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.comarch.pl/erp/comarch-optima/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/05/CVE-2025-68420/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hardcoded credentials in Comarch ERP Optima",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Since these accounts are used for backward compatibility only, in some cases it is possible to disable them in the SQL server.\u0026nbsp;"
}
],
"value": "Since these accounts are used for backward compatibility only, in some cases it is possible to disable them in the SQL server."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-68421",
"datePublished": "2026-05-14T10:35:04.752Z",
"dateReserved": "2025-12-17T14:10:16.437Z",
"dateUpdated": "2026-05-14T17:55:30.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68926 (GCVE-0-2025-68926)
Vulnerability from cvelistv5 – Published: 2025-12-30 16:59 – Updated: 2026-01-05 14:23
VLAI
Title
RustFS has a gRPC Hardcoded Token Authentication Bypass
Summary
RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.78 contains a fix for the issue.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/rustfs/rustfs/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68926",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-30T17:46:43.478972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T17:47:46.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rustfs",
"vendor": "rustfs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.0-alpha.78"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `\"rustfs rpc\"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.78 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T14:23:55.080Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj"
}
],
"source": {
"advisory": "GHSA-h956-rh7x-ppgj",
"discovery": "UNKNOWN"
},
"title": "RustFS has a gRPC Hardcoded Token Authentication Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68926",
"datePublished": "2025-12-30T16:59:53.999Z",
"dateReserved": "2025-12-24T23:40:31.797Z",
"dateUpdated": "2026-01-05T14:23:55.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-69425 (GCVE-0-2025-69425)
Vulnerability from cvelistv5 – Published: 2026-01-09 16:14 – Updated: 2026-05-14 02:08
VLAI
Title
Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded Tokens RCE
Summary
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://support.ruckuswireless.com/security_bulle… | vendor-advisorypatch |
| https://www.vulncheck.com/advisories/ruckus-vriot… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| RUCKUS Networks | vRIoT IoT Controller |
Affected:
2.3.0.0 (GA) , < 3.0.0.0 (GA)
(custom)
Affected: 2.3.1.0 (MR) , < 3.0.0.0 (GA) (custom) Affected: 2.4.0.0 (GA) , < 3.0.0.0 (GA) (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-69425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T17:48:39.859822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T18:37:55.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vRIoT IoT Controller",
"vendor": "RUCKUS Networks",
"versions": [
{
"lessThan": "3.0.0.0 (GA)",
"status": "affected",
"version": "2.3.0.0 (GA)",
"versionType": "custom"
},
{
"lessThan": "3.0.0.0 (GA)",
"status": "affected",
"version": "2.3.1.0 (MR)",
"versionType": "custom"
},
{
"lessThan": "3.0.0.0 (GA)",
"status": "affected",
"version": "2.4.0.0 (GA)",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ivan Racic"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Ruckus vRIoT \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIoT Controller\u003c/span\u003e\u0026nbsp;firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise."
}
],
"value": "The Ruckus vRIoT IoT Controller\u00a0firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T02:08:54.076Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://support.ruckuswireless.com/security_bulletins/336"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-tokens-rce"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Ruckus vRIoT IoT Controller \u003c 3.0.0.0 Hardcoded Tokens RCE",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-69425",
"datePublished": "2026-01-09T16:14:32.065Z",
"dateReserved": "2026-01-08T20:48:39.252Z",
"dateUpdated": "2026-05-14T02:08:54.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-69426 (GCVE-0-2025-69426)
Vulnerability from cvelistv5 – Published: 2026-01-09 16:15 – Updated: 2026-05-14 02:08
VLAI
Title
Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded SSH Credentials RCE
Summary
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://support.ruckuswireless.com/security_bulle… | vendor-advisorypatch |
| https://www.vulncheck.com/advisories/ruckus-vriot… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| RUCKUS Networks | vRIoT IOT Controller |
Affected:
2.3.0.0 (GA) , < 3.0.0.0 (GA)
(custom)
Affected: 2.3.1.0 (MR) , < 3.0.0.0 (GA) (custom) Affected: 2.4.0.0 (GA) , < 3.0.0.0 (GA) (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-69426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T17:48:25.580373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T18:37:43.521Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "vRIoT IOT Controller",
"vendor": "RUCKUS Networks",
"versions": [
{
"lessThan": "3.0.0.0 (GA)",
"status": "affected",
"version": "2.3.0.0 (GA)",
"versionType": "custom"
},
{
"lessThan": "3.0.0.0 (GA)",
"status": "affected",
"version": "2.3.1.0 (MR)",
"versionType": "custom"
},
{
"lessThan": "3.0.0.0 (GA)",
"status": "affected",
"version": "2.4.0.0 (GA)",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ivan Racic"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise.\u003cbr\u003e"
}
],
"value": "The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T02:08:54.950Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://support.ruckuswireless.com/security_bulletins/336"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-ssh-credentials-rce"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Ruckus vRIoT IoT Controller \u003c 3.0.0.0 Hardcoded SSH Credentials RCE",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-69426",
"datePublished": "2026-01-09T16:15:01.731Z",
"dateReserved": "2026-01-08T20:48:39.252Z",
"dateUpdated": "2026-05-14T02:08:54.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6950 (GCVE-0-2025-6950)
Vulnerability from cvelistv5 – Published: 2025-10-17 03:19 – Updated: 2025-10-17 14:26
VLAI
Summary
An Use of Hard-coded Credentials vulnerability has been identified in Moxa’s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.moxa.com/en/support/product-support/s… | vendor-advisory |
Impacted products
7 products
| Vendor | Product | Version | |
|---|---|---|---|
| Moxa | EDR-G9010 Series |
Affected:
1.0 , ≤ 3.14
(custom)
Unaffected: 3.21 (custom) |
|
| Moxa | EDR-8010 Series |
Affected:
1.0 , ≤ 3.17
(custom)
Unaffected: 3.21 (custom) |
|
| Moxa | EDF-G1002-BP Series |
Affected:
1.0 , ≤ 3.17
(custom)
Unaffected: 3.21 (custom) |
|
| Moxa | TN-4900 Series |
Affected:
1.0 , ≤ 3.14
(custom)
Unaffected: 3.21 (custom) |
|
| Moxa | NAT-102 Series |
Affected:
1.0 , ≤ 3.17
(custom)
Unaffected: 3.21 (custom) |
|
| Moxa | NAT-108 Series |
Affected:
1.0 , ≤ 3.16
(custom)
Unaffected: 3.21 (custom) |
|
| Moxa | OnCell G4302-LTE4 Series |
Affected:
1.0 , ≤ 3.13
(custom)
Unaffected: 3.21.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-17T14:26:30.676617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T14:26:45.416Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EDR-G9010 Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.14",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EDR-8010 Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.17",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EDF-G1002-BP Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.17",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TN-4900 Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.14",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "NAT-102 Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.17",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "NAT-108 Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.16",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "OnCell G4302-LTE4 Series",
"vendor": "Moxa",
"versions": [
{
"lessThanOrEqual": "3.13",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.21.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn Use of Hard-coded Credentials vulnerability has been identified in Moxa\u2019s network security appliances and routers. \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003etheft, and full administrative control over the affected \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edevice. \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhile successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An Use of Hard-coded Credentials vulnerability has been identified in Moxa\u2019s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37: Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T03:19:48.223Z",
"orgId": "2e0a0ee2-d866-482a-9f5e-ac03d156dbaa",
"shortName": "Moxa"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892,-cve-2025-6893,-cve-2025-6894,-cve-2025-6949,-cve-2025-6950-multiple-vulnerabilities-in-netwo"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Moxa has developed appropriate solutions to address the vulnerability. Please refer to\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892,-cve-2025-6893,-cve-2025-6894,-cve-2025-6949,-cve-2025-6950-multiple-vulnerabilities-in-netwo\"\u003ehttps://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892,-cve-202...\u003c/a\u003e"
}
],
"value": "Moxa has developed appropriate solutions to address the vulnerability. Please refer to\u00a0 https://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892,-cve-202... https://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892,-cve-2025-6893,-cve-2025-6894,-cve-2025-6949,-cve-2025-6950-multiple-vulnerabilities-in-netwo"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2e0a0ee2-d866-482a-9f5e-ac03d156dbaa",
"assignerShortName": "Moxa",
"cveId": "CVE-2025-6950",
"datePublished": "2025-10-17T03:19:48.223Z",
"dateReserved": "2025-07-01T05:10:28.304Z",
"dateUpdated": "2025-10-17T14:26:45.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6982 (GCVE-0-2025-6982)
Vulnerability from cvelistv5 – Published: 2025-07-16 20:01 – Updated: 2026-04-22 21:24 Unsupported When Assigned
VLAI
Title
Hardcoded DES Decryption Keys in TP-Link Archer C50 V3/V4/V5 and C20 V5
Summary
Use of Hard-coded Credentials in TP-Link Archer C50 V3(
<=
180703)/V4(
<=
250117
)/V5(
<=
200407
), and C20 V5 (<US_V5_260419 or <EU_V5_260317) allows attackers to decrypt the config.xml files.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
4 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Archer C50 V3 |
Affected:
0 , ≤ 180703
(date)
|
|
| TP-Link Systems Inc. | Archer C50 V4 |
Affected:
0 , ≤ 250117
(date)
|
|
| TP-Link Systems Inc. | Archer C50 V5 |
Affected:
0 , ≤ 200407
(date)
|
|
| TP-Link Systems Inc. | Archer C20 V5 |
Affected:
0 , < US_V5_260419
(custom)
Affected: 0 , < EU_V5_260317 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6982",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-18T14:20:25.297362Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T14:20:32.075Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:07:18.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/554637"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Archer C50 V3",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThanOrEqual": "180703",
"status": "affected",
"version": "0",
"versionType": "date"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer C50 V4",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThanOrEqual": "250117",
"status": "affected",
"version": "0",
"versionType": "date"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer C50 V5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThanOrEqual": "200407",
"status": "affected",
"version": "0",
"versionType": "date"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Archer C20 V5",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "US_V5_260419",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "EU_V5_260317",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Hard-coded Credentials in TP-Link Archer C50 V3(\n\n\u003cb\u003e\u0026lt;=\u003c/b\u003e\n\n180703)/V4(\n\n\n\n\u003cb\u003e\u0026lt;=\u003c/b\u003e\n\n250117\n\n)/V5(\n\n\n\n\u003cb\u003e\u0026lt;=\u003c/b\u003e\n\n200407\n\n), and C20 V5 (\u0026lt;US_V5_260419 or \u0026lt;EU_V5_260317)\u0026nbsp;\u003cspan\u003eallows attackers to decrypt the config.xml files.\u0026nbsp;\u003c/span\u003e"
}
],
"value": "Use of Hard-coded Credentials in TP-Link Archer C50 V3(\n\n\u003c=\n\n180703)/V4(\n\n\n\n\u003c=\n\n250117\n\n)/V5(\n\n\n\n\u003c=\n\n200407\n\n), and C20 V5 (\u003cUS_V5_260419 or \u003cEU_V5_260317)\u00a0allows attackers to decrypt the config.xml files."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T21:24:12.188Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/4538/"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/archer-c20/v5/#Firmware"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/archer-c20/v5/#Firmware"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Hardcoded DES Decryption Keys in TP-Link Archer C50 V3/V4/V5 and C20 V5",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2025-6982",
"datePublished": "2025-07-16T20:01:41.382Z",
"dateReserved": "2025-07-01T20:09:03.975Z",
"dateUpdated": "2026-04-22T21:24:12.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-7072 (GCVE-0-2025-7072)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:30 – Updated: 2026-01-09 16:24
VLAI
Title
Hardcoded credentials in KAON CG3000T/CG3000CT routers
Summary
The firmware in KAON CG3000TC and CG3000T routers contains hard-coded credentials in clear text (shared across all routers of this model) that an unauthenticated remote attacker could use to execute commands with root privileges.
This vulnerability has been fixed in firmware version: 1.00.67 for CG3000TC and 1.00.27 for CG3000T.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cert.pl/posts/2026/01/CVE-2025-7072/ | third-party-advisory |
Impacted products
Date Public
2026-01-09 12:12
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7072",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T16:24:26.821104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T16:24:39.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CG3000T",
"vendor": "KAON",
"versions": [
{
"lessThan": "1.00.27",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CG3000TC",
"vendor": "KAON",
"versions": [
{
"lessThan": "1.00.67",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Piotr \u0141ugowski"
}
],
"datePublic": "2026-01-09T12:12:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The firmware in KAON CG3000TC\u0026nbsp;and CG3000T routers contains hard-coded credentials in clear text (shared across all routers of this model) that an unauthenticated remote attacker could use to execute commands with root privileges.\u003cbr\u003eThis vulnerability has been fixed in firmware version: 1.00.67 for CG3000TC and\u0026nbsp;1.00.27 for\u0026nbsp;CG3000T."
}
],
"value": "The firmware in KAON CG3000TC\u00a0and CG3000T routers contains hard-coded credentials in clear text (shared across all routers of this model) that an unauthenticated remote attacker could use to execute commands with root privileges.\nThis vulnerability has been fixed in firmware version: 1.00.67 for CG3000TC and\u00a01.00.27 for\u00a0CG3000T."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:30:24.672Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/01/CVE-2025-7072/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hardcoded credentials in KAON CG3000T/CG3000CT routers",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-7072",
"datePublished": "2026-01-09T11:30:24.672Z",
"dateReserved": "2025-07-04T14:57:43.494Z",
"dateUpdated": "2026-01-09T16:24:39.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-7342 (GCVE-0-2025-7342)
Vulnerability from cvelistv5 – Published: 2025-08-17 23:03 – Updated: 2025-11-04 21:14
VLAI
Title
VM images built with Kubernetes Image Builder Nutanix or OVA providers use default credentials for Windows images if user did not override
Summary
A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the Windows image build process when using the Nutanix or VMware OVA providers. These credentials, which allow root access, are disabled at the conclusion of the build. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project and the vulnerability was exploited during the build process, which requires an attacker to access the build VM and modify the image while the build is in progress.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Kubernetes | Image Builder |
Affected:
0 , ≤ 0.1.44
(semver)
Unaffected: 0.1.45 |
Date Public
2025-07-21 02:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7342",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T17:29:34.332110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T17:31:13.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:14:52.844Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/22/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Image Builder",
"vendor": "Kubernetes",
"versions": [
{
"lessThanOrEqual": "0.1.44",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "0.1.45"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abdel Adim Oisfi, Davide Silvetti, Nicol\u00f2 Daprel\u00e0, Paolo Cavagli\u00e0, Pietro Tirenna from Shielder."
}
],
"datePublic": "2025-07-21T02:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the Windows image build process when using the Nutanix or VMware OVA providers. These credentials, which allow root access, are disabled at the conclusion of the build. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project and the vulnerability was exploited during the build process, which requires an attacker to access the build VM and modify the image while the build is in progress.\u003c/div\u003e"
}
],
"value": "A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the Windows image build process when using the Nutanix or VMware OVA providers. These credentials, which allow root access, are disabled at the conclusion of the build. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project and the vulnerability was exploited during the build process, which requires an attacker to access the build VM and modify the image while the build is in progress."
}
],
"impacts": [
{
"capecId": "CAPEC-395",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-395 Bypassing Electronic Locks and Access Controls"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "VM Images built via Nutanix or OVA providers"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T00:47:11.031Z",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/tuEsLUQu_PA"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/kubernetes/kubernetes/issues/133115"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eRebuild any affected images using a fixed version of Image Builder. Re-deploy the fixed images to any affected VMs.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Rebuild any affected images using a fixed version of Image Builder. Re-deploy the fixed images to any affected VMs."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "VM images built with Kubernetes Image Builder Nutanix or OVA providers use default credentials for Windows images if user did not override",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2025-7342",
"datePublished": "2025-08-17T23:03:56.571Z",
"dateReserved": "2025-07-07T22:31:53.942Z",
"dateUpdated": "2025-11-04T21:14:52.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
- In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
Phase: Architecture and Design
Description:
- For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Mitigation
Phase: Architecture and Design
Description:
- If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
Phase: Architecture and Design
Description:
- For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
- Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
Phase: Architecture and Design
Description:
- For front-end to back-end connections: Three solutions are possible, although none are complete.
- The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
- Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
- Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable
An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.
CAPEC-70: Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.