Total
1153 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-6409 | 2024-02-14 | N/A | 7.7 HIGH | ||
CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to a project file protected with application password when opening the file with EcoStruxure Control Expert. | |||||
CVE-2008-1160 | 1 Zyxel | 2 Zywall 1050, Zywall 1050 Firmware | 2024-02-14 | 7.5 HIGH | 9.8 CRITICAL |
ZyXEL ZyWALL 1050 has a hard-coded password for the Quagga and Zebra processes that is not changed when it is set by a user, which allows remote attackers to gain privileges. | |||||
CVE-2020-35296 | 1 Thinkadmin | 1 Thinkadmin | 2024-02-14 | 5.0 MEDIUM | 7.5 HIGH |
ThinkAdmin v6 has default administrator credentials, which allows attackers to gain unrestricted administratior dashboard access. | |||||
CVE-2005-3803 | 1 Cisco | 2 Unified Wireless Ip Phone 7920, Unified Wireless Ip Phone 7920 Firmware | 2024-02-13 | 5.0 MEDIUM | 7.5 HIGH |
Cisco IP Phone (VoIP) 7920 1.0(8) contains certain hard-coded ("fixed") public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information. | |||||
CVE-2005-3716 | 1 Utstarcom | 2 F1000 Wi-fi, F1000 Wi-fi Firmware | 2024-02-13 | 5.0 MEDIUM | 7.5 HIGH |
The SNMP daemon in UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 has hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information. | |||||
CVE-2005-0496 | 1 Arkeia | 1 Network Backup | 2024-02-13 | 7.5 HIGH | 9.8 CRITICAL |
Arkeia Network Backup Client 5.x contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system and possibly execute arbitrary commands. | |||||
CVE-2021-37555 | 1 Trixie | 2 Tx9 Automatic Food Dispenser, Tx9 Automatic Food Dispenser Firmware | 2024-02-13 | 10.0 HIGH | 9.8 CRITICAL |
TX9 Automatic Food Dispenser v3.2.57 devices allow access to a shell as root/superuser, a related issue to CVE-2019-16734. To connect, the telnet service is used on port 23 with the default password of 059AnkJ for the root account. The user can then download the filesystem through preinstalled BusyBox utilities (e.g., tar and nc). | |||||
CVE-2008-2369 | 1 Redhat | 1 Satellite | 2024-02-13 | 6.4 MEDIUM | 9.1 CRITICAL |
manzier.pxt in Red Hat Network Satellite Server before 5.1.1 has a hard-coded authentication key, which allows remote attackers to connect to the server and obtain sensitive information about user accounts and entitlements. | |||||
CVE-2008-0961 | 1 Emc | 1 Diskxtender | 2024-02-13 | 10.0 HIGH | 9.8 CRITICAL |
EMV DiskXtender 6.20.060 has a hard-coded login and password, which allows remote attackers to bypass authentication via the RPC interface. | |||||
CVE-2006-7142 | 1 Utimaco | 1 Safeguard | 2024-02-13 | 4.1 MEDIUM | 7.8 HIGH |
The centralized management feature for Utimaco Safeguard stores hard-coded cryptographic keys in executable programs for encrypted configuration files, which allows attackers to recover the keys from the configuration files and decrypt the disk drive. | |||||
CVE-2012-3503 | 2 Redhat, Theforeman | 2 Enterprise Linux Server, Katello | 2024-02-13 | 6.5 MEDIUM | 9.8 CRITICAL |
The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token. | |||||
CVE-2010-2772 | 1 Siemens | 2 Simatic Pcs 7, Simatic Wincc | 2024-02-13 | 6.9 MEDIUM | 7.8 HIGH |
Siemens Simatic WinCC and PCS 7 SCADA system uses a hard-coded password, which allows local users to access a back-end database and gain privileges, as demonstrated in the wild in July 2010 by the Stuxnet worm, a different vulnerability than CVE-2010-2568. | |||||
CVE-2010-2073 | 1 Debian | 1 Pyftpd | 2024-02-13 | 5.0 MEDIUM | 7.5 HIGH |
auth_db_config.py in Pyftpd 0.8.4 contains hard-coded usernames and passwords for the (1) test, (2) user, and (3) roxon accounts, which allows remote attackers to read arbitrary files from the FTP server. | |||||
CVE-2010-1573 | 1 Linksys | 2 Wap54g, Wap54g Firmware | 2024-02-13 | 10.0 HIGH | 9.8 CRITICAL |
Linksys WAP54Gv3 firmware 3.04.03 and earlier uses a hard-coded username (Gemtek) and password (gemtekswd) for a debug interface for certain web pages, which allows remote attackers to execute arbitrary commands via the (1) data1, (2) data2, or (3) data3 parameters to (a) Debug_command_page.asp and (b) debug.cgi. | |||||
CVE-2022-30271 | 1 Motorola | 2 Ace1000, Ace1000 Firmware | 2024-02-13 | N/A | 9.8 CRITICAL |
The Motorola ACE1000 RTU through 2022-05-02 ships with a hardcoded SSH private key and initialization scripts (such as /etc/init.d/sshd_service) only generate a new key if no private-key file exists. Thus, this hardcoded key is likely to be used by default. | |||||
CVE-2022-30314 | 1 Honeywell | 2 Safety Manager, Safety Manager Firmware | 2024-02-13 | N/A | 4.6 MEDIUM |
Honeywell Experion PKS Safety Manager 5.02 uses Hard-coded Credentials. According to FSCT-2022-0052, there is a Honeywell Experion PKS Safety Manager hardcoded credentials issue. The affected components are characterized as: POLO bootloader. The potential impact is: Manipulate firmware. The Honeywell Experion PKS Safety Manager utilizes the DCOM-232/485 serial interface for firmware management purposes. When booting, the Safety Manager exposes the Enea POLO bootloader via this interface. Access to the boot configuration is controlled by means of credentials hardcoded in the Safety Manager firmware. The credentials for the bootloader are hardcoded in the firmware. An attacker with access to the serial interface (either through physical access, a compromised EWS or an exposed serial-to-ethernet gateway) can utilize these credentials to control the boot process and manipulate the unauthenticated firmware image (see FSCT-2022-0054). | |||||
CVE-2022-29964 | 1 Emerson | 48 Deltav Distributed Control System Sq Controller, Deltav Distributed Control System Sq Controller Firmware, Deltav Distributed Control System Sx Controller and 45 more | 2024-02-13 | N/A | 5.5 MEDIUM |
The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. WIOC SSH provides access to a shell as root, DeltaV, or backup via hardcoded credentials. NOTE: this is different from CVE-2014-2350. | |||||
CVE-2022-29960 | 1 Emerson | 1 Openbsi | 2024-02-13 | N/A | 5.5 MEDIUM |
Emerson OpenBSI through 2022-04-29 uses weak cryptography. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. DES with hardcoded cryptographic keys is used for protection of certain system credentials, engineering files, and sensitive utilities. | |||||
CVE-2022-29953 | 1 Bakerhughes | 8 Bently Nevada 3701\/40, Bently Nevada 3701\/40 Firmware, Bently Nevada 3701\/44 and 5 more | 2024-02-13 | N/A | 9.8 CRITICAL |
The Bently Nevada 3700 series of condition monitoring equipment through 2022-04-29 has a maintenance interface on port 4001/TCP with undocumented, hardcoded credentials. An attacker capable of connecting to this interface can thus trivially take over its functionality. | |||||
CVE-2022-30997 | 1 Yokogawa | 4 Stardom Fcj, Stardom Fcj Firmware, Stardom Fcn and 1 more | 2024-02-13 | 9.0 HIGH | 7.2 HIGH |
Use of hard-coded credentials vulnerability exists in STARDOM FCN Controller and FCJ Controller R4.10 to R4.31, which may allow an attacker with an administrative privilege to read/change configuration settings or update the controller with tampered firmware. |