Total: 1619 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-22770 | 1 Hitron | 2 Hvr-16781, Hvr-16781 Firmware | 2025-12-31 | N/A | 7.4 HIGH | Improper Input Validation in Hitron Systems DVR HVR-16781 1.03~4.02 allows an attacker to cause a network attack if the default admin ID/PW is in use. |
| CVE-2024-22768 | 1 Hitron | 2 Hvr-4781, Hvr-4781 Firmware | 2025-12-31 | N/A | 7.4 HIGH | Improper Input Validation in Hitron Systems DVR HVR-4781 1.03~4.02 allows an attacker to cause a network attack if the default admin ID/PW is in use. |
| CVE-2024-22772 | 1 Hitron | 2 Lguvr-8h, Lguvr-8h Firmware | 2025-12-31 | N/A | 7.4 HIGH | Improper Input Validation in Hitron Systems DVR LGUVR-8H 1.02~4.02 allows an attacker to cause a network attack if the default admin ID/PW is in use. |
| CVE-2024-22769 | 1 Hitron | 2 Hvr-8781, Hvr-8781 Firmware | 2025-12-31 | N/A | 7.4 HIGH | Improper Input Validation in Hitron Systems DVR HVR-8781 1.03~4.02 allows an attacker to cause a network attack if the default admin ID/PW is in use. |
| CVE-2024-22771 | 1 Hitron | 2 Lguvr-4h, Lguvr-4h Firmware | 2025-12-31 | N/A | 7.4 HIGH | Improper Input Validation in Hitron Systems DVR LGUVR-4H 1.02~4.02 allows an attacker to cause a network attack if the default admin ID/PW is in use. |
| CVE-2024-23842 | 1 Hitron | 2 Lguvr-16h, Lguvr-16h Firmware | 2025-12-31 | N/A | 7.4 HIGH | Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 allows an attacker to cause a network attack if the default admin ID/PW is in use. |
| CVE-2024-39582 | 1 Dell | 1 Insightiq | 2025-12-31 | N/A | 2.3 LOW | Dell PowerScale InsightIQ, version 5.0, contains a Use of Hard-coded Credentials vulnerability. A high-privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure. |
| CVE-2025-9806 | 1 Tenda | 2 F1202, F1202 Firmware | 2025-12-31 | 0.8 LOW | 1.9 LOW | A vulnerability was determined in Tenda F1202 1.2.0.9/1.2.0.14/1.2.0.20. Impacted is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. Manipulation of the input Fireitup results in hard-coded credentials. The attack can only be executed locally. A high degree of complexity is needed for the attack, and exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. |
| CVE-2025-67809 | 1 Zimbra | 1 Collaboration | 2025-12-30 | N/A | 4.7 MEDIUM | An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approvin ... |
| CVE-2025-34509 | 1 Sitecore | 4 Experience Commerce, Experience Manager, Experience Platform and 1 more | 2025-12-27 | N/A | 7.5 HIGH | Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated remote attackers can use this account to access the administrative API over HTTP. |
| CVE-2025-35452 | 4 Multicam-systems, Ptzoptics, Smtav and 1 more | 121 Mcamii Ptz, Mcamii Ptz Firmware, Ndi Fixed Camera and 118 more | 2025-12-23 | N/A | 9.8 CRITICAL | PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface. |
| CVE-2025-41696 | 1 Phoenixcontact | 137 Fl Nat 2008, Fl Nat 2008 Firmware, Fl Nat 2208 and 134 more | 2025-12-19 | N/A | 4.6 MEDIUM | An attacker can use an undocumented UART port on the PCB as a side channel, together with the hardcoded user credentials obtained from CVE-2025-41692, to gain read access to parts of the device's filesystem. |
| CVE-2025-14096 | | | 2025-12-18 | N/A | 8.4 HIGH | A vulnerability exists in multiple Radiometer products that allows an attacker with physical access to the analyzer to extract credential information. The vulnerability is due to a weakness in the design and insufficient credential protection in the operating system. Other related CVEs are CVE-2025-14095 and CVE-2025-14097. Affected customers have been informed about this vulnerability. This CVE is being published to provide transparency. Required Configuration for Exposure: Att ... |
| CVE-2025-29268 | 1 Allnet | 2 All-rut22gw, All-rut22gw Firmware | 2025-12-16 | N/A | 9.8 CRITICAL | ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library. |
| CVE-2025-14611 | 1 Gladinet | 2 Centrestack, Triofox | 2025-12-16 | N/A | 9.8 CRITICAL | Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values in their implementation of the AES cryptoscheme. This degrades security for publicly exposed endpoints that may make use of it and may allow arbitrary local file inclusion when a specially crafted request is supplied without authentication. This opens the door for future exploitation and can be combined with previous vulnerabilities to gain a full system compromise. |
| CVE-2025-54947 | 1 Apache | 1 Streampark | 2025-12-15 | N/A | 9.8 CRITICAL | In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issu ... |
| CVE-2025-13954 | | | 2025-12-12 | N/A | N/A | Hard-coded cryptographic keys in the Admin UI of EZCast Pro II version 1.17478.146 allow attackers to bypass authorization checks and gain full access to the admin UI. |
| CVE-2025-65730 | 1 Pommee | 1 Goaway | 2025-12-11 | N/A | 8.8 HIGH | Authentication Bypass via Hardcoded Credentials: GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing the JWT tokens used for authentication. |
| CVE-2025-40938 | 1 Siemens | 2 Simatic Cn 4100, Simatic Cn 4100 Firmware | 2025-12-10 | N/A | 8.1 HIGH | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device stores sensitive information in the firmware. This could allow an attacker to access and misuse this information, potentially impacting the device's confidentiality, integrity, and availability. |
| CVE-2025-2538 | 1 Esri | 1 Portal For Arcgis | 2025-12-10 | N/A | 9.8 CRITICAL | A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system. |
| CVE-2024-9486 | 1 Kubernetes-sigs | 1 Image Builder | 2025-12-08 | N/A | 9.8 CRITICAL | A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its ... |
| CVE-2024-9594 | 1 Kubernetes-sigs | 1 Image Builder | 2025-12-08 | N/A | 6.3 MEDIUM | A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabled at the conclusion of the image build process. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project. Because these images were vulnerable during the image build proce ... |
| CVE-2022-27600 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2025-12-08 | N/A | 6.8 MEDIUM | An uncontrolled resource consumption vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2277 and later; QTS 4.5.4.2280 build 20230112 and later; QuTS hero h5.0.1.2277 build 20230112 and later; QuTS hero h4.5.4.2374 build 20230417 and later; QuTScloud c5.0.1.2374 and later. |
| CVE-2025-66237 | | | 2025-12-08 | N/A | 6.7 MEDIUM | DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host. |
| CVE-2025-14126 | | | 2025-12-08 | 8.3 HIGH | 8.8 HIGH | A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-54341 | 1 Desktopalert | 1 Pingalert Application Server | 2025-12-05 | N/A | 5.3 MEDIUM | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There are hard-coded configuration values. |
| CVE-2025-66454 | | | 2025-12-04 | N/A | 6.5 MEDIUM | Arcade MCP allows you to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints, including tool enumeration and tool invocation, without credentials. This vulnerabili ... |
| CVE-2024-45656 | 1 Ibm | 56 Ess 5000 (5105-22e), Ess 5000 (5105-22e) Firmware, Power System E1080 (9080-hex) and 53 more | 2025-12-03 | N/A | 9.8 CRITICAL | IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static credentials which may allow network users to gain service privileges on the FSP. |
| CVE-2024-23687 | 1 Openlibraryfoundation | 1 Mod-data-export-spring | 2025-11-29 | N/A | 9.1 CRITICAL | Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allow unauthenticated users to access critical APIs, modify user data, modify configurations including single sign-on, and manipulate fees/fines. |
| CVE-2024-23685 | 1 Openlibraryfoundation | 1 Mod-remote-storage | 2025-11-29 | N/A | 5.3 MEDIUM | Hard-coded credentials in mod-remote-storage versions under 1.7.2 and from 2.0.0 to 2.0.3 allow unauthorized users to gain read access to mod-inventory-storage records including instances, holdings, items, contributor-types, and identifier-types. |
| CVE-2025-63433 | 1 Xtooltech | 1 Xtool Anyscan | 2025-11-28 | N/A | 4.6 MEDIUM | Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package. |
| CVE-2018-25126 | | | 2025-11-25 | N/A | N/A | Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endp ... |
| CVE-2025-34034 | 1 5vtechnologies | 1 Blue Angel Software Suite | 2025-11-20 | N/A | 8.8 HIGH | A hardcoded credential vulnerability exists in the Blue Angel Software Suite deployed on embedded Linux systems. The application contains multiple known default and hardcoded user accounts that are not disclosed in public documentation. These accounts allow unauthenticated or low-privilege attackers to gain administrative access to the device's web interface. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-26 UTC. |
| CVE-2025-59669 | 1 Fortinet | 1 Fortiweb | 2025-11-20 | N/A | 5.3 MEDIUM | A use of hard-coded credentials vulnerability in Fortinet FortiWeb 7.6.0, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an authenticated attacker with shell access to the device to connect to the redis service and access its data. |
| CVE-2025-13252 | | | 2025-11-18 | 7.5 HIGH | 7.3 HIGH | A vulnerability was found in shsuishang ShopSuite ModulithShop up to 45a99398cec3b7ad7ff9383694f0b53339f2d35a. Affected by this issue is some unknown functionality of the component RSA/OAuth2/Database. The manipulation results in hard-coded credentials. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. |
| CVE-2025-64766 | | | 2025-11-18 | N/A | 5.3 MEDIUM | NixOS's Onlyoffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In versions from 22.11 to before 25.05 and versions before Unstable 25.11, a hard-coded secret was used in the NixOS module for the OnlyOffice document server to protect its file cache. An attacker with knowledge of an existing revision ID could use this secret to obtain a document. In practice, an arbitrary revision ID should be hard to obtain. The primary impact is l ... |
| CVE-2025-26398 | 1 Solarwinds | 1 Database Performance Analyzer | 2025-11-17 | N/A | 5.6 MEDIUM | SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key. If exploited, this vulnerability could lead to a machine-in-the-middle (MITM) attack against users. This vulnerability requires additional software not installed by default, local access to the server and administrator-level privileges on the host. |
| CVE-2025-42890 | | | 2025-11-12 | N/A | 10.0 CRITICAL | SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing resources or functionality to unintended users and giving attackers the possibility of arbitrary code execution. This could have a high impact on the confidentiality, integrity and availability of the system. |
| CVE-2025-33186 | | | 2025-11-12 | N/A | 8.8 HIGH | NVIDIA AIStore contains a vulnerability in AuthN. A successful exploit of this vulnerability might lead to escalation of privileges, information disclosure, and data tampering. |
| CVE-2021-44207 | 1 Acclaimsystems | 1 Usaherds | 2025-11-10 | 6.8 MEDIUM | 8.1 HIGH | Acclaim USAHERDS through 7.4.0.1 uses hard-coded credentials. |