
CWE-259 (Use of Hard-coded Password) — Vulnerability Class 119

119 vulnerabilities classified as CWE-259 (Use of Hard-coded Password). AI Chinese analysis included.

CWE-259 represents a critical security weakness where software embeds static credentials directly into its source code or configuration for both inbound authentication and outbound communications. Attackers typically exploit this vulnerability by reverse-engineering the application to extract these hardcoded passwords, granting them unauthorized access to sensitive systems or enabling them to impersonate legitimate services during external interactions. This bypasses standard authentication controls, often leading to complete system compromise or data exfiltration. To mitigate this risk, developers must avoid embedding secrets in code entirely. Instead, they should implement robust credential management solutions, such as using secure key vaults, environment variables, or hardware security modules. These approaches ensure that sensitive authentication data remains dynamic, encrypted, and isolated from the application logic, significantly reducing the attack surface and preventing accidental exposure through version control systems or decompiled binaries.

MITRE CWE Description
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. There are two main variations of a hard-coded password:
Inbound: the product contains an authentication mechanism that checks for a hard-coded password.
Outbound: the product connects to another system or component, and it contains a hard-coded password for connecting to that component.
Common Consequences (2)
Scope: Access Control · Impact: Gain Privileges or Assume Identity
If hard-coded passwords are used, it is almost certain that malicious users can gain access through the account in question.
Scope: Access Control · Impact: Gain Privileges or Assume Identity, Hide Activities, Reduce Maintainability
A hard-coded password typically leads to a significant authentication failure that can be difficult for the system administrator to detect. Once detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely.
Mitigations (5)
Phase: Architecture and Design · For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Phase: Architecture and Design · For inbound authentication: rather than hard-code a default username and password for first-time logins, use a "first login" mode that requires the user to enter a unique strong password.
Phase: Architecture and Design · Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Phase: Architecture and Design · For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved. Us…
Phase: Architecture and Design · For front-end to back-end connections: three solutions are possible, although none are complete. The first suggestion involves the use of generated passwords which are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. Next, the passwords used should be limited at the back end…
Examples (2)
The following code uses a hard-coded password to connect to a database:
    ... DriverManager.getConnection(url, "scott", "tiger"); ...
Bad · Java
The credentials survive compilation and can be read straight out of the class file's constant pool:
    javap -c ConnMngr.class
    22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
    24: ldc #38; //String scott
    26: ldc #17; //String tiger
Attack
The following code is an example of an internal hard-coded password in the back-end:
    int VerifyAdmin(char *password) {
        if (strcmp(password, "Mew!")) {
            printf("Incorrect Password!\n");
            return(0);
        }
        printf("Entering Diagnostic Mode...\n");
        return(1);
    }
Bad · C
    int VerifyAdmin(String password) {
        if (!password.equals("Mew!")) {
            return(0);
        }
        //Diagnostic Mode
        return(1);
    }
Bad · Java
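The following is an added example, not code from the CWE entry or from MITRE, that puts the two "Bad" patterns above next to the forms the Mitigations section asks for: the inbound check keeps only a salted one-way hash loaded from a protected configuration record and compares it in constant time, and the outbound database credential is read from the process environment instead of being a string literal in the source. Every function, the config key `admin_password_hash`, the variables `DB_USER`/`DB_PASSWORD` and the iteration count are assumptions made for this illustration; the page does not name them.

```python
"""Added example (not from the CWE page or MITRE): hard-coded inbound/outbound
credentials beside the hardened alternatives described in the mitigations.
All names, keys and parameters here are hypothetical."""
import hashlib
import hmac
import os
from typing import Optional

# ---- Bad: the pattern the page shows. The literal lives in the binary and is
# recoverable by anyone who can read the source or the compiled artifact. ----
def verify_admin_hardcoded(password: str) -> bool:
    return password == "Mew!"

# ---- Good (inbound): store only a salted one-way hash, outside the code ----
PBKDF2_ITERATIONS = 600_000  # assumption: tune to the deployment's CPU budget

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt-hex>$<hash-hex>' for storage
    in a protected config file or database record (the 'first login' flow
    would call this with the password the administrator chooses)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time,
    so a stolen record still has to be cracked and timing leaks nothing."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:          # malformed record: fail closed
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))

def verify_admin(password: str, config: dict) -> bool:
    """Hardened replacement for VerifyAdmin: the hash comes from a protected
    configuration record (hypothetical key), never from a literal. With no
    hash provisioned there is no default to fall back to: deny and let the
    'first login' mode set one."""
    stored = config.get("admin_password_hash")
    if stored is None:
        return False
    return verify_password(password, stored)

# ---- Good (outbound): credential from the environment or a secret store ----
def db_credentials(env: dict) -> tuple:
    """Read the DB user/password from the process environment (hypothetical
    variable names) instead of a literal; refuse to run with a built-in default."""
    user = env.get("DB_USER")
    password = env.get("DB_PASSWORD")
    if not user or not password:
        raise RuntimeError("DB_USER/DB_PASSWORD not provisioned; no default credential exists")
    return user, password

if __name__ == "__main__":
    # Constructed configuration: in a real system written by the first-login flow.
    config = {"admin_password_hash": hash_password("correct horse battery staple")}
    print(verify_admin("Mew!", config))                          # False
    print(verify_admin("correct horse battery staple", config))  # True
    print(db_credentials({"DB_USER": "scott", "DB_PASSWORD": "set-at-deploy-time"}))
```

The two "good" halves map onto the page's two variations: `verify_admin` is the inbound case (hash stored with access control, compared on login), `db_credentials` the outbound case (secret supplied by the deployment environment, so it never enters version control or the compiled artifact). The `RuntimeError` on a missing variable is deliberate: silently falling back to a built-in default would reintroduce exactly the weakness being removed.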
CVE ID | Title | Product | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2022-26388 | Use of Hard-Coded Password Vulnerability in ELI Electrocardiograph Devices | ELI 380 Resting Electrocardiograph | 6.4 | Medium | 2025-02-07
CVE-2024-4996 | Hardcoded Password in Wapro ERP Desktop | Wapro ERP Desktop | 7.5 | - | 2024-12-18
CVE-2024-11026 | Intelligent Apps Freenow App Keystore SSL.java hard-coded password | Freenow App | 3.7 | Low | 2024-11-08
CVE-2024-20412 | Cisco Firepower Threat Defense security vulnerability | Cisco Firepower Threat Defense Software | 9.3 | Critical | 2024-10-23
CVE-2024-43423 | Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE Use of Hard-coded Password | ProGauge MAGLINK LX CONSOLE | 9.8 | Critical | 2024-09-24
CVE-2024-8580 | TOTOLINK AC1200 T8 shadow.sample hard-coded password | AC1200 T8 | 8.1 | High | 2024-09-08
CVE-2024-39585 | Dell SmartFabric OS10 security vulnerability | SmartFabric OS10 Software | 7.9 | High | 2024-09-06
CVE-2024-7332 | TOTOLINK CP450 Telnet Service product.ini hard-coded password | CP450 | 9.8 | Critical | 2024-08-01
CVE-2024-7216 | TOTOLINK LR1200 shadow.sample hard-coded password | LR1200 | 2.6 | Low | 2024-07-30
CVE-2024-7170 | TOTOLINK A3000RU product.ini hard-coded password | A3000RU | 3.5 | Low | 2024-07-28
CVE-2024-7159 | TOTOLINK A3600R Telnet Service product.ini hard-coded password | A3600R | 5.5 | Medium | 2024-07-28
CVE-2024-7155 | TOTOLINK A3300R shadow.sample hard-coded password | A3300R | 2.5 | Low | 2024-07-28
CVE-2023-46685 | LevelOne WBR-6013 security vulnerability | WBR-6013 | 9.8 | Critical | 2024-07-08
CVE-2024-4708 | mySCADA myPRO Use of Hard-coded Password | myPRO | 9.8 | Critical | 2024-07-02
CVE-2024-5275 | Hard-coded password in FileCatalyst Direct 3.8.10 Build 138 TransferAgent (and earlier) and FileCatalyst Workflow 5.1.6 Build 130 (and earlier) | FileCatalyst Direct | 7.8 | High | 2024-06-18
CVE-2024-27164 | Hardcoded credentials | Toshiba Tec e-Studio multi-function peripheral (MFP) | 7.1 | High | 2024-06-14
CVE-2024-28023 | Hitachi FOXMAN-UN security vulnerability | FOXMAN-UN | 5.7 | Medium | 2024-06-11
CVE-2024-3700 | Hardcoded password in Estomed Sp. z o.o. Simple Care software | Simple Care | 7.5 | - | 2024-06-10
CVE-2024-3699 | Hardcoded password in drEryk Gabinet | drEryk Gabinet | 7.5 | - | 2024-06-10
CVE-2024-1228 | Hardcoded password in Eurosoft Przychodnia | Eurosoft Przychodnia | 7.5 | - | 2024-06-10
CVE-2024-2420 | LenelS2 NetBox Hardcoded Credentials | NetBox | 9.8 (AI) | Critical (AI) | 2024-05-30
CVE-2024-2038 | Visual Website Collaboration, Feedback & Project Management – Atarim <= 3.22.6 - Hardcoded Credentials | Atarim – Visual Feedback, Review & AI Collaboration | 7.5 | High | 2024-05-23
CVE-2024-33625 | CyberPower PowerPanel business Use of Hard-coded Password | PowerPanel business | 9.8 | Critical | 2024-05-15
CVE-2024-34025 | CyberPower PowerPanel business Use of Hard-coded Password | PowerPanel business | 9.8 | Critical | 2024-05-15
CVE-2024-32741 | Siemens SIMATIC CN 4100 security vulnerability | SIMATIC CN 4100 | 10.0 | Critical | 2024-05-14
CVE-2023-51629 | D-Link DCS-8300LHV2 ONVIF Hardcoded PIN Authentication Bypass Vulnerability | DCS-8300LHV2 | 8.8 | - | 2024-05-03
CVE-2023-32145 | D-Link DAP-1360 Hardcoded Credentials Authentication Bypass Vulnerability | DAP-1360 | 8.8 | - | 2024-05-03
CVE-2024-29011 | SonicWALL GMS security vulnerability | GMS | 7.5 | High | 2024-05-01
CVE-2024-21990 | Default Privileged Account Credentials Vulnerability in ONTAP Select Deploy administration utility | ONTAP Select Deploy administration utility | 5.4 | Medium | 2024-04-17
CVE-2024-28010 | NEC Corporation Aterm security vulnerability | WG1800HP4 | 6.8 (AI) | Medium (AI) | 2024-03-28

Vulnerabilities classified as CWE-259 (Use of Hard-coded Password) represent 119 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.