
CWE-259 (Use of Hard-coded Password) — Vulnerability Class 119

119 vulnerabilities classified as CWE-259 (Use of Hard-coded Password). AI-generated Chinese analysis included.

CWE-259 represents a critical security weakness where software embeds static credentials directly into its source code or configuration for both inbound authentication and outbound communications. Attackers typically exploit this vulnerability by reverse-engineering the application to extract these hardcoded passwords, granting them unauthorized access to sensitive systems or enabling them to impersonate legitimate services during external interactions. This bypasses standard authentication controls, often leading to complete system compromise or data exfiltration. To mitigate this risk, developers must avoid embedding secrets in code entirely. Instead, they should implement robust credential management solutions, such as using secure key vaults, environment variables, or hardware security modules. These approaches ensure that sensitive authentication data remains dynamic, encrypted, and isolated from the application logic, significantly reducing the attack surface and preventing accidental exposure through version control systems or decompiled binaries.

MITRE CWE Description
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. There are two main variations of a hard-coded password:
- Inbound: the product contains an authentication mechanism that checks for a hard-coded password.
- Outbound: the product connects to another system or component, and it contains a hard-coded password for connecting to that component.
Common Consequences (2)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
If hard-coded passwords are used, it is almost certain that malicious users can gain access through the account in question.
Scope: Access Control. Impact: Gain Privileges or Assume Identity, Hide Activities, Reduce Maintainability.
A hard-coded password typically leads to a significant authentication failure that can be difficult for the system administrator to detect. Once detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely.
Mitigations (5)
Phase: Architecture and Design. For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Phase: Architecture and Design. For inbound authentication: rather than hard-code a default username and password for first-time logins, use a "first login" mode that requires the user to enter a unique strong password.
Phase: Architecture and Design. Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Phase: Architecture and Design. For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved. Us…
Phase: Architecture and Design. For front-end to back-end connections: three solutions are possible, although none are complete. The first suggestion involves the use of generated passwords which are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. Next, the passwords used should be limited at the back end…
Examples (2)
The following code uses a hard-coded password to connect to a database:

    ...
    DriverManager.getConnection(url, "scott", "tiger");
    ...

Bad · Java

Attack: the credentials are recoverable from the compiled class with a disassembler, as the javap output below shows:

    javap -c ConnMngr.class
    22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
    24: ldc #38; //String scott
    26: ldc #17; //String tiger

The following code is an example of an internal hard-coded password in the back-end:

    #include <stdio.h>
    #include <string.h>

    int VerifyAdmin(char *password) {
        if (strcmp(password, "Mew!")) {
            printf("Incorrect Password!\n");
            return(0);
        }
        printf("Entering Diagnostic Mode...\n");
        return(1);
    }

Bad · C

    int VerifyAdmin(String password) {
        if (!password.equals("Mew!")) {
            return(0);
        }
        //Diagnostic Mode
        return(1);
    }

Bad · Java
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-57175 | Siklu EtherHaul security vulnerability | EtherHaul 8010 | 6.4 | Medium | 2026-04-08
CVE-2025-7741 | Yokogawa CENTUM VP security vulnerability | CENTUM VP | 9.8 (AI) | Critical (AI) | 2026-03-30
CVE-2025-59388 | Hyper Data Protector | Hyper Data Protector | 9.8 (AI) | Critical (AI) | 2026-03-12
CVE-2026-25753 | PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover) | assessment-placipy | 9.8 (AI) | Critical (AI) | 2026-02-06
CVE-2025-15111 | Ksenia Security lares Home Automation 1.6 Default Credentials Vulnerability | lares | 9.8 | Critical | 2025-12-30
CVE-2025-12676 | KiotViet Sync <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass | KiotViet Sync | 5.3 | Medium | 2025-11-05
CVE-2025-11666 | Tenda RP3 Pro Firmware Update force_upgrade.sh hard-coded password | RP3 Pro | 6.7 | Medium | 2025-10-13
CVE-2025-11649 | Tomofun Furbo 360/Furbo Mini Root Account hard-coded password | Furbo 360 | 7.0 | High | 2025-10-12
CVE-2025-11284 | Zytec Dalian Zhuoyun Technology Central Authentication Service HTTP Header git hard-coded password | Central Authentication Service | 7.3 | High | 2025-10-05
CVE-2025-54754 | Cognex In-Sight Explorer and In-Sight Camera Firmware Use of Hard-coded Password | In-Sight 2000 series | 8.0 | High | 2025-09-18
CVE-2025-9725 | Cudy LT500E Web shadow hard-coded password | LT500E | 2.5 | Low | 2025-08-31
CVE-2025-58081 | DOS & CO SS1 security vulnerability | SS1 | 7.5 | - | 2025-08-28
CVE-2025-57788 | Unauthorized API Access Risk | CommCell | 9.4 | - | 2025-08-20
CVE-2025-44955 | RUCKUS Network Director security vulnerability | Network Director | 8.8 | High | 2025-08-04
CVE-2025-36609 | Dell SmartFabric OS10 Software security vulnerability | SmartFabric OS10 Software | 2.5 | Low | 2025-07-30
CVE-2025-7577 | Teledyne FLIR FB-Series O/FLIR FH-Series ID hard-coded password | FLIR FB-Series O | 3.7 | Low | 2025-07-14
CVE-2025-7453 | saltbo zpan JSON Web Token token.go NewToken hard-coded password | zpan | 3.7 | Low | 2025-07-11
CVE-2025-3920 | Hard-coded Password in SUR-FBD CMMS | SUR-FBD CMMS | 7.8 (AI) | High (AI) | 2025-07-07
CVE-2025-7080 | Done-0 Jank JWT Token jwt_utils.go hard-coded password | Jank | 3.7 | Low | 2025-07-06
CVE-2025-7079 | mao888 bluebell-plus JWT Token jwt.go hard-coded password | bluebell-plus | 3.7 | Low | 2025-07-06
CVE-2025-6932 | D-Link DCS-7517 Qlync Password Generation httpd g_F_n_GenPassForQlync hard-coded password | DCS-7517 | 3.7 | Low | 2025-06-30
CVE-2025-47821 | Flock Safety Gunshot Detection security vulnerability | Gunshot Detection devices | 2.2 | Low | 2025-06-27
CVE-2025-47823 | Flock Safety LPR security vulnerability | License Plate Reader | 2.2 | Low | 2025-06-27
CVE-2025-47818 | Flock Safety Gunshot Detection security vulnerability | Gunshot Detection devices | 2.2 | Low | 2025-06-27
CVE-2025-6139 | TOTOLINK T10 shadow.sample hard-coded password | T10 | 3.9 | Low | 2025-06-16
CVE-2025-20286 | ISE on AWS Static Credential | Cisco Identity Services Engine Software | 9.9 | Critical | 2025-06-04
CVE-2025-2402 | Hard-coded password for object store of KNIME Business Hub | KNIME Business Hub | 9.8 | - | 2025-03-31
CVE-2025-2555 | Audi Universal Traffic Recorder App FTP Credentials hard-coded password | Universal Traffic Recorder App | 2.9 | Low | 2025-03-20
CVE-2024-48831 | Dell SmartFabric OS10 security vulnerability | SmartFabric OS10 Software | 8.4 | High | 2025-03-17
CVE-2025-1100 | Q-Free MAXTIME Suite security vulnerability | MaxTime | 9.8 | Critical | 2025-02-12

(CVSS and Severity values marked "(AI)" are AI-estimated rather than vendor- or NVD-assigned; "-" means no severity was recorded.)

Vulnerabilities classified as CWE-259 (Use of Hard-coded Password) represent 119 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.