
CWE-259 Use of Hard-coded Password: vulnerability list (119)

Summary of the 119 CVE vulnerabilities associated with the CWE-259 (Use of Hard-coded Password) weakness class, with AI-generated analysis in Chinese.

CWE-259 refers to a weakness in which software hard-codes a password for inbound authentication or for outbound communication. Attackers commonly recover the plaintext credential from the source or binary through reverse engineering, then impersonate a legitimate user or move laterally into the external system. Developers should avoid this practice and instead keep sensitive values in environment variables, a key management service, or a protected configuration file, so that passwords are provisioned at deployment time and kept separate from the code, reducing the risk of credential leakage.

MITRE CWE official description
CWE-259 Use of Hard-coded Password. Description: The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. There are two main variants of a hard-coded password. Inbound: the product contains an authentication mechanism that checks for a hard-coded password. Outbound: the product connects to another system or component, and it contains a hard-coded password for connecting to that component.
Common consequences (2)

Scope: Access Control. Impact: Gain Privileges or Assume Identity.
If hard-coded passwords are used, it is almost certain that malicious users can gain access through the account in question.

Scope: Access Control. Impact: Gain Privileges or Assume Identity, Hide Activities, Reduce Maintainability.
A hard-coded password typically leads to a significant authentication failure that can be difficult for the system administrator to detect. Once detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely.
Mitigations (5)

Phase: Architecture and Design. For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.

Phase: Architecture and Design. For inbound authentication: rather than hard-code a default username and password for first-time logins, utilize a "first login" mode that requires the user to enter a unique strong password.

Phase: Architecture and Design. Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.

Phase: Architecture and Design. For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved. Us…

Phase: Architecture and Design. For front-end to back-end connections: three solutions are possible, although none are complete. The first suggestion involves the use of generated passwords which are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. Next, the passwords used should be limited at the back end…
Code examples (2)

The following code uses a hard-coded password to connect to a database:

```java
// Deliberately vulnerable (CWE-259, outbound): the database user and password
// are string literals, so they ship inside every copy of the compiled class.
...
DriverManager.getConnection(url, "scott", "tiger");
...
```
Bad · Java

Attack: the literals survive compilation and can be read back from the class file with the standard javap tool, so anyone holding the binary holds the credential:

```
javap -c ConnMngr.class
22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
24: ldc #38; //String scott
26: ldc #17; //String tiger
```

The following code is an example of an internal hard-coded password in the back-end:

```c
#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable (CWE-259, inbound): the diagnostic-mode password
 * is a literal, recoverable from the binary, and cannot be rotated without
 * shipping a new build. */
int VerifyAdmin(char *password) {
    if (strcmp(password, "Mew!")) {
        printf("Incorrect Password!\n");
        return(0);
    }
    printf("Entering Diagnostic Mode...\n");
    return(1);
}
```
Bad · C

```java
// Deliberately vulnerable (CWE-259, inbound): the same literal check in Java.
int VerifyAdmin(String password) {
    if (!password.equals("Mew!")) {
        return(0);
    }
    //Diagnostic Mode
    return(1);
}
```
Bad · Java
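A defender-side check for the two patterns the examples above show. This is an added example, not code from the CWE entry: a small regex scanner that flags string-literal credentials passed to DriverManager.getConnection and a password compared against a literal with strcmp or String.equals, suitable as a pre-commit or CI gate. The pattern names and the sample source it scans are constructed for the demonstration; it is a heuristic and will miss credentials built up indirectly, so treat a clean run as the absence of the obvious cases, not proof of absence.

```python
"""Added example (not from the CWE page): a heuristic scanner for the
hard-coded credential patterns shown in the CWE-259 examples. Pattern names
and the sample source below are constructed."""
import re
import sys

# Constructed patterns; extend for the APIs your code base uses.
PATTERNS = {
    # DriverManager.getConnection(url, "user", "password")
    "jdbc-literal-credentials": re.compile(
        r'getConnection\s*\([^,]+,\s*"[^"]*"\s*,\s*"[^"]*"\s*\)'),
    # strcmp(password, "literal") or strcmp(passwd, "literal")
    "strcmp-literal-password": re.compile(
        r'strcmp\s*\(\s*\w*pass\w*\s*,\s*"[^"]*"\s*\)', re.IGNORECASE),
    # password.equals("literal")
    "equals-literal-password": re.compile(
        r'\w*pass\w*\.equals\s*\(\s*"[^"]*"\s*\)', re.IGNORECASE),
}


def scan_source(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, pattern name, stripped line) for every match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def scan_files(paths: list[str]) -> list[tuple[str, int, str, str]]:
    """Scan each file on disk; returns (path, line, pattern, text) tuples."""
    results = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, name, text in scan_source(fh.read()):
                results.append((path, lineno, name, text))
    return results


# Constructed sample mixing the page's vulnerable lines with a clean one that
# takes its credentials from a config object instead of literals.
SAMPLE = """\
Connection c = DriverManager.getConnection(url, "scott", "tiger");
Connection ok = DriverManager.getConnection(url, cfg.user(), cfg.password());
if (strcmp(password, "Mew!")) { return 0; }
if (!password.equals("Mew!")) { return 0; }
"""

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else \
        [("<sample>", *f) for f in scan_source(SAMPLE)]
    for path, lineno, name, text in hits:
        print(f"{path}:{lineno}: {name}: {text}")
    sys.exit(1 if hits else 0)   # non-zero so a CI job fails on any finding
```

Run it with one or more source paths to scan real files, or with no arguments to scan the embedded sample; the non-zero exit status is what makes it usable as a gate.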
Values marked (AI) carry the page's "AI" label (AI-assessed score or rating).

| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2025-57175 | Siklu EtherHaul security vulnerability | EtherHaul 8010 | 6.4 | Medium | 2026-04-08 |
| CVE-2025-7741 | Yokogawa CENTUM VP security vulnerability | CENTUM VP | 9.8 (AI) | Critical (AI) | 2026-03-30 |
| CVE-2025-59388 | QNAP Systems Hyper Data Protector security vulnerability | Hyper Data Protector | 9.8 (AI) | Critical (AI) | 2026-03-12 |
| CVE-2026-25753 | PlaciPy security vulnerability | assessment-placipy | 9.8 (AI) | Critical (AI) | 2026-02-06 |
| CVE-2025-15111 | Ksenia Security Lares 4.0 Home Automation trust management issue vulnerability | lares | 9.8 | Critical | 2025-12-30 |
| CVE-2025-12676 | WordPress plugin KiotViet Sync security vulnerability | KiotViet Sync | 5.3 | Medium | 2025-11-05 |
| CVE-2025-11666 | Tenda RP3 Pro security vulnerability | RP3 Pro | 6.7 | Medium | 2025-10-13 |
| CVE-2025-11649 | Tomofun Furbo 360 and Tomofun Furbo Mini security vulnerability | Furbo 360 | 7.0 | High | 2025-10-12 |
| CVE-2025-11284 | Zytec Central Authentication Service security vulnerability | Central Authentication Service | 7.3 | High | 2025-10-05 |
| CVE-2025-54754 | Multiple Cognex products security vulnerability | In-Sight 2000 series | 8.0 | High | 2025-09-18 |
| CVE-2025-9725 | Cudy LT500E security vulnerability | LT500E | 2.5 | Low | 2025-08-31 |
| CVE-2025-58081 | DOS & CO SS1 security vulnerability | SS1 | 7.5 | - | 2025-08-28 |
| CVE-2025-57788 | Commvault security vulnerability | CommCell | 9.4 | - | 2025-08-20 |
| CVE-2025-44955 | RUCKUS Network Director security vulnerability | Network Director | 8.8 | High | 2025-08-04 |
| CVE-2025-36609 | Dell SmartFabric OS10 Software security vulnerability | SmartFabric OS10 Software | 2.5 | Low | 2025-07-30 |
| CVE-2025-7577 | Teledyne FLIR FB-Series O and Teledyne FLIR FH-Series ID security vulnerability | FLIR FB-Series O | 3.7 | Low | 2025-07-14 |
| CVE-2025-7453 | ZPan security vulnerability | zpan | 3.7 | Low | 2025-07-11 |
| CVE-2025-3920 | SUR-FBD CMMS security vulnerability | SUR-FBD CMMS | 7.8 (AI) | High (AI) | 2025-07-07 |
| CVE-2025-7080 | Jank security vulnerability | Jank | 3.7 | Low | 2025-07-06 |
| CVE-2025-7079 | bluebell-plus security vulnerability | bluebell-plus | 3.7 | Low | 2025-07-06 |
| CVE-2025-6932 | D-Link DCS-7517 security vulnerability | DCS-7517 | 3.7 | Low | 2025-06-30 |
| CVE-2025-47821 | Flock Safety Gunshot Detection security vulnerability | Gunshot Detection devices | 2.2 | Low | 2025-06-27 |
| CVE-2025-47823 | Flock Safety LPR security vulnerability | License Plate Reader | 2.2 | Low | 2025-06-27 |
| CVE-2025-47818 | Flock Safety Gunshot Detection security vulnerability | Gunshot Detection devices | 2.2 | Low | 2025-06-27 |
| CVE-2025-6139 | TOTOLINK T10 security vulnerability | T10 | 3.9 | Low | 2025-06-16 |
| CVE-2025-20286 | Cisco Identity Services Engine security vulnerability | Cisco Identity Services Engine Software | 9.9 | Critical | 2025-06-04 |
| CVE-2025-2402 | KNIME Business Hub security vulnerability | KNIME Business Hub | 9.8 | - | 2025-03-31 |
| CVE-2025-2555 | Audi Universal Traffic Recorder App security vulnerability | Universal Traffic Recorder App | 2.9 | Low | 2025-03-20 |
| CVE-2024-48831 | Dell SmartFabric OS10 security vulnerability | SmartFabric OS10 Software | 8.4 | High | 2025-03-17 |
| CVE-2025-1100 | Q-Free MAXTIME Suite security vulnerability | MaxTime | 9.8 | Critical | 2025-02-12 |

CWE-259 (Use of Hard-coded Password) is a common weakness class; this platform has collected 119 CVE vulnerabilities associated with it.