Search Results (1732 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-28751 1 Ifm 2 Smart Plc Ac14xx Firmware, Smart Plc Ac4xxs Firmware 2026-04-15 9.1 Critical
An high privileged remote attacker can enable telnet access that accepts hardcoded credentials.
CVE-2024-36496 1 Faronics 1 Winselect 2026-04-15 7.5 High
The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five bytes as the key for RC4. The configuration file is then encrypted with these parameters.
CVE-2024-53484 1 Ever 1 Traduora 2026-04-15 8.8 High
Ever Traduora 0.20.0 and below is vulnerable to Privilege Escalation due to the use of a hard-coded JWT signing key.
CVE-2025-2394 2026-04-15 N/A
Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.
CVE-2025-46273 2026-04-15 9.8 Critical
UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to gain administrative privileges to all UNI-NMS managed devices.
CVE-2024-2161 2026-04-15 9.8 Critical
Use of Hard-coded Credentials in Kiloview NDI allows un-authenticated users to bypass authenticationThis issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227 .
CVE-2025-44643 1 Draytek 3 Ap903, Ap912c, Ap918r 2026-04-15 8.6 High
Certain Draytek products are affected by Insecure Configuration. This affects AP903 v1.4.18 and AP912C v1.4.9 and AP918R v1.4.9. The setting of the password property in the ripd.conf configuration file sets a hardcoded weak password, posing a security risk. An attacker with network access could exploit this to gain unauthorized control over the routing daemon, potentially altering network routes or intercepting traffic.
CVE-2025-14126 1 Tozed 2 Zlt M30s, Zlt M30s Pro 2026-04-15 8.8 High
A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-41722 1 Sauter 2 Ey-modulo 5 Devices, Modulo 6 Devices 2026-04-15 7.5 High
The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices.
CVE-2024-57790 2026-04-15 5.4 Medium
IXON B.V. IXrouter IX2400 (Industrial Edge Gateway) v3.0 was discovered to contain hardcoded root credentials stored in the non-volatile flash memory. This vulnerability allows physically proximate attackers to gain root access via UART or SSH.
CVE-2025-3321 2026-04-15 N/A
A predefined administrative account is not documented and cannot be deactivated. This account cannot be misused from the network, only by local users on the server.
CVE-2025-4633 2026-04-15 6.5 Medium
Default credentials were present in the web portal for Airpointer 2.4.107-2, allowing an unauthenticated malicious actor to log in via the web portal
CVE-2024-6045 1 Dlink 15 E15 Firmware, E30 Firmware, G403 Firmware and 12 more 2026-04-15 8.8 High
Certain models of D-Link wireless routers contain an undisclosed factory testing backdoor. Unauthenticated attackers on the local area network can force the device to enable Telnet service by accessing a specific URL and can log in by using the administrator credentials obtained from analyzing the firmware.
CVE-2025-26410 2026-04-15 9.8 Critical
The firmware of all Wattsense Bridge devices contain the same hard-coded user and root credentials. The user password can be easily recovered via password cracking attempts. The recovered credentials can be used to log into the device via the login shell that is exposed by the serial interface. The backdoor user has been removed in firmware BSP >= 6.4.1.
CVE-2025-7503 2026-04-15 N/A
An OEM IP camera manufactured by Shenzhen Liandian Communication Technology LTD exposes a Telnet service (port 23) with undocumented, default credentials. The Telnet service is enabled by default and is not disclosed or configurable via the device’s web interface or user manual. An attacker with network access can authenticate using default credentials and gain root-level shell access to the device. The affected firmware version is AppFHE1_V1.0.6.0 (Kernel: KerFHE1_PTZ_WIFI_V3.1.1, Hardware: HwFHE1_WF6_PTZ_WIFI_20201218). No official fix or firmware update is available, and the vendor could not be contacted. This vulnerability allows for remote code execution and privilege escalation.
CVE-2019-25322 1 Heatmiser 1 Heatmiser Netmonitor 2026-04-15 7.5 High
Heatmiser Netmonitor 3.03 contains a hardcoded credentials vulnerability in the networkSetup.htm page with predictable admin login credentials. Attackers can access the device by using the hard-coded username 'admin' and password 'admin' in the hidden form input fields.
CVE-2025-55047 2026-04-15 8.4 High
CWE-798 Use of Hard-coded Credentials
CVE-2025-57577 1 H3c 1 R365v300r004 2026-04-15 8 High
An issue in H3C Device R365V300R004 allows a remote attacker to execute arbitrary code via the default password. NOTE: the Supplier's position is that their "product lines enforce or clearly prompt users to change any initial credentials upon first use. At most, this would be a case of misconfiguration if an administrator deliberately ignored the prompts, which is outside the scope of CVE definitions."
CVE-2024-3130 2026-04-15 5.7 Medium
Hard-coded Credentials in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app
CVE-2025-13252 1 Shsuishang 1 Shopsuite Modulithshop 2026-04-15 7.3 High
A vulnerability was found in shsuishang ShopSuite ModulithShop up to 45a99398cec3b7ad7ff9383694f0b53339f2d35a. Affected by this issue is some unknown functionality of the component RSA/OAuth2/Database. The manipulation results in hard-coded credentials. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable.