
CWE-259 (Use of Hard-coded Password) — Vulnerability Class 119

119 vulnerabilities classified as CWE-259 (Use of Hard-coded Password). AI-generated Chinese analysis included.

CWE-259 represents a critical security weakness where software embeds static credentials directly into its source code or configuration for both inbound authentication and outbound communications. Attackers typically exploit this vulnerability by reverse-engineering the application to extract these hardcoded passwords, granting them unauthorized access to sensitive systems or enabling them to impersonate legitimate services during external interactions. This bypasses standard authentication controls, often leading to complete system compromise or data exfiltration. To mitigate this risk, developers must avoid embedding secrets in code entirely. Instead, they should implement robust credential management solutions, such as using secure key vaults, environment variables, or hardware security modules. These approaches ensure that sensitive authentication data remains dynamic, encrypted, and isolated from the application logic, significantly reducing the attack surface and preventing accidental exposure through version control systems or decompiled binaries.
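The paragraph above notes that hard-coded passwords leak through version control and decompiled binaries. A practitioner's first line of defence is to catch the literal before it is committed. The following scanner is an added example written for this page, not code from CWE or from any product listed here; its rules are modelled on the patterns in the CWE code examples (a JDBC connection with literal credentials, a strcmp/equals against a literal, and a plain "password = '...'" assignment) and the sample input is constructed. Matched literals are redacted in the report so the finding itself does not copy the secret into a ticket or log.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input (not from any real project) mixing Java, C and Python lines.
# Lines 2, 3, 4 and 6 embed a credential; lines 1, 5 and 7 do not.
SAMPLE_SOURCE = """\
String url = "jdbc:mysql://db.example.invalid/rxsql";
Connection c = DriverManager.getConnection(url, "scott", "tiger");
if (strcmp(password, "Mew!")) { return 0; }
if (!password.equals("Mew!")) { return 0; }
String dbPass = System.getenv("DB_PASSWORD");
admin_password = "hunter2"
password = os.environ["ADMIN_PASSWORD"]
"""

# Detection rules: (rule name, compiled pattern). Order matters; the first match per line wins.
RULES = [
    ("db-connection-literal",
     re.compile(r'getConnection\s*\([^)]*"[^"]*"\s*,\s*"[^"]+"\s*\)')),
    ("c-literal-compare",
     re.compile(r'\b(?:strcmp|strncmp|memcmp)\s*\(\s*\w*(?:pass|pwd)\w*\s*,\s*"[^"]+"', re.I)),
    ("java-literal-compare",
     re.compile(r'\w*(?:pass|pwd)\w*\.equals\s*\(\s*"[^"]+"\s*\)', re.I)),
    ("secret-assignment",
     re.compile(r'\w*(?:pass|pwd|secret|api_?key|token)\w*\s*[:=]\s*["\'][^"\']+["\']', re.I)),
]

# Any quoted literal inside a matched fragment is replaced before it is reported.
LITERAL = re.compile(r'"[^"]*"|\'[^\']*\'')


@dataclass
class Finding:
    line: int        # 1-based line number in the scanned text
    rule: str        # name of the rule that fired
    excerpt: str     # matched fragment with string literals masked


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per line that matches a hard-coded-credential rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if match:
                redacted = LITERAL.sub('"***"', match.group(0))
                findings.append(Finding(lineno, name, redacted))
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.excerpt}")
```

The rules are deliberately narrow (they look for a credential-like identifier next to a literal) so that a line such as `System.getenv("DB_PASSWORD")` or `os.environ["ADMIN_PASSWORD"]`, which reads the secret from the environment as the mitigations recommend, is not reported.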

MITRE CWE Description
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. There are two main variations of a hard-coded password:
Inbound: the product contains an authentication mechanism that checks for a hard-coded password.
Outbound: the product connects to another system or component, and it contains a hard-coded password for connecting to that component.
Common Consequences (2)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
If hard-coded passwords are used, it is almost certain that malicious users can gain access through the account in question.
Scope: Access Control. Impact: Gain Privileges or Assume Identity, Hide Activities, Reduce Maintainability.
A hard-coded password typically leads to a significant authentication failure that can be difficult for the system administrator to detect. Once detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely.
Mitigations (5)
Phase: Architecture and Design. For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Phase: Architecture and Design. For inbound authentication: rather than hard-code a default username and password for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password.
Phase: Architecture and Design. Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Phase: Architecture and Design. For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved. Us…
Phase: Architecture and Design. For front-end to back-end connections: three solutions are possible, although none are complete. The first suggestion involves the use of generated passwords which are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. Next, the passwords used should be limited at the back end…
Examples (2)
The following code uses a hard-coded password to connect to a database:
...
DriverManager.getConnection(url, "scott", "tiger");
...
Bad · Java
javap -c ConnMngr.class
22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
24: ldc #38; //String scott
26: ldc #17; //String tiger
Attack
The following code is an example of an internal hard-coded password in the back-end:
#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable CWE example: the password "Mew!" is a string
   literal compiled into the binary, so anyone with the binary can read it. */
int VerifyAdmin(char *password) {
    if (strcmp(password, "Mew!")) {
        printf("Incorrect Password!\n");
        return(0);
    }
    printf("Entering Diagnostic Mode...\n");
    return(1);
}
Bad · C
int VerifyAdmin(String password) {
    if (!password.equals("Mew!")) {
        return(0);
    }
    //Diagnostic Mode
    return(1);
}
Bad · Java
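The hardened counterpart of the VerifyAdmin and getConnection examples above, written for this page as an added example (it is not CWE code or any vendor's fix), applying the mitigations listed earlier: the inbound admin credential is stored as a salted one-way hash in a file created with owner-only permissions, a "first login" mode replaces the shipped default, verification uses a constant-time comparison, and the outbound database password is read from the environment instead of a literal. The PBKDF2 work factor, the minimum length, the file name and the RXSQL_DB_PASSWORD variable are assumptions chosen for the example.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Assumed parameters for this example; tune the work factor to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MIN_PASSWORD_LEN = 12


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Salted one-way hash of a password, as a record that can live in a config file or database."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"algorithm": "pbkdf2_sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if record.get("algorithm") != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), int(record["iterations"]))
    return hmac.compare_digest(actual, bytes.fromhex(record["hash"]))


class AdminCredentialStore:
    """Keeps the admin password hash outside the code, in a file only its owner can read."""

    def __init__(self, path: Path):
        self.path = Path(path)

    def load(self) -> Optional[dict]:
        if not self.path.exists():
            return None
        return json.loads(self.path.read_text())

    def save(self, record: dict) -> None:
        # Create the file with mode 0600 so other local users on the same host cannot read it.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(record, f)


def first_login_set_password(store: AdminCredentialStore, new_password: str) -> None:
    """'First login' mode: no default password ships; the operator must enrol a strong one."""
    if store.load() is not None:
        raise PermissionError("a password is already enrolled; use a reset procedure")
    if len(new_password) < MIN_PASSWORD_LEN:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
    store.save(hash_password(new_password))


def verify_admin(store: AdminCredentialStore, password: str) -> bool:
    """Hardened VerifyAdmin: no literal in the code and no built-in fallback."""
    record = store.load()
    if record is None:
        return False  # nothing enrolled yet: deny rather than accept a default password
    return verify_password(password, record)


def outbound_db_password(env=None) -> str:
    """Outbound case: the DB password comes from the environment (or a vault), never a literal."""
    env = os.environ if env is None else env
    try:
        return env["RXSQL_DB_PASSWORD"]  # hypothetical variable name for this example
    except KeyError:
        raise RuntimeError("RXSQL_DB_PASSWORD is not set; refusing to fall back to a default")


def demo() -> dict:
    """Run the enrol-then-verify flow in a temporary directory and report the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        store = AdminCredentialStore(Path(tmp) / "admin_credential.json")
        before_enrol = verify_admin(store, "Mew!")
        first_login_set_password(store, "correct horse battery staple")
        return {
            "before_enrol": before_enrol,
            "right_password": verify_admin(store, "correct horse battery staple"),
            "wrong_password": verify_admin(store, "Mew!"),
            "file_mode": oct(os.stat(store.path).st_mode & 0o777),
        }


if __name__ == "__main__":
    print(demo())
```

Note what changes for an attacker who obtains the binary or the repository: there is no string constant to pull out with javap or strings, and stealing the credential file yields only a salted hash that still has to be cracked, which is exactly the property the fourth mitigation asks for.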
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-2197 | Chirp Systems Chirp Access Use of Hard-coded Password | Chirp Access | 4.3 | Medium | 2024-03-19
CVE-2024-27774 | Unitronics Unistream Unilogic – Versions prior to 1.35.227 CWE-259: Use of Hard-coded Password | Unistream Unilogic | 7.5 | High | 2024-03-18
CVE-2024-26196 | Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability | Microsoft Edge for Android | 4.3 | Medium | 2024-02-29
CVE-2023-50948 | IBM Storage Fusion HCI information disclosure | Storage Fusion HCI | 6.5 | Medium | 2024-01-08
CVE-2023-28895 | Hard-coded password for access to power controller chip memory | MIB3 Infotainment Unit | 3.5 | Low | 2023-12-01
CVE-2023-41713 | SonicWALL SonicOS trust management issue vulnerability | SonicOS | 9.8 | - | 2023-10-17
CVE-2023-5222 | Viessmann Vitogate 300 Web Management Interface vitogate.cgi isValidUser hard-coded password | Vitogate 300 | 6.3 | Medium | 2023-09-27
CVE-2023-41030 | Juplink RX4-1500 Hard-coded Credential Vulnerability | RX4-1500 | 6.3 | Medium | 2023-09-18
CVE-2023-23771 | Motorola MBTS Base Radio trust management issue vulnerability | MBTS Base Radio | 8.4 | High | 2023-08-29
CVE-2023-23770 | Motorola MBTS Site Controller trust management issue vulnerability | MBTS Site Controller | 9.4 | Critical | 2023-08-29
CVE-2023-3237 | OTCMS hard-coded password | OTCMS | 6.3 | Medium | 2023-06-14
CVE-2023-2061 | Authentication bypass vulnerability in MELSEC iQ-R Series / iQ-F Series EtherNet/IP Modules | MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 | 6.2 | Medium | 2023-06-02
CVE-2023-1944 | [minikube] ssh server with default password | minikube | 8.4 | High | 2023-05-24
CVE-2023-2799 | cnoa OA hard-coded password | OA | 6.3 | Medium | 2023-05-18
CVE-2023-2645 | USR USR-G806 Web Management Page hard-coded password | USR-G806 | 9.8 | Critical | 2023-05-11
CVE-2023-29103 | Siemens SIMATIC Cloud Connect security vulnerability | SIMATIC Cloud Connect 7 CC712 | 4.3 | Medium | 2023-05-09
CVE-2023-0808 | Deye/Revolt/Bosswerk Inverter Access Point Setting hard-coded password | Inverter | 3.9 | Low | 2023-02-13
CVE-2022-45444 | CVE-2022-45444 | RTLS Studio | 10.0 | Critical | 2023-01-18
CVE-2018-25069 | Netis Netcore Router hard-coded password | Netcore Router | 7.3 | High | 2023-01-07
CVE-2014-125030 | taoeffect Empress hard-coded password | Empress | 6.3 | Medium | 2023-01-01
CVE-2022-41653 | DAIKIN SVMPC1 and SVMPC2 trust management issue vulnerability | SVMPC1 | 9.8 | Critical | 2022-12-13
CVE-2022-29831 | Mitsubishi Electric GX Works3 trust management issue vulnerability | GX Works3 | 7.5 | High | 2022-11-24
CVE-2022-29825 | Mitsubishi Electric GX Works3 trust management issue vulnerability | GX Works3 | 5.6 | Medium | 2022-11-24
CVE-2022-22144 | TCL LinkHub Mesh Wi-Fi trust management issue vulnerability | LinkHub Mesh Wifi | 8.8 | - | 2022-08-05
CVE-2017-20039 | SICUNET Access Controller hard-coded password | Access Controller | 9.8 | Critical | 2022-06-11
CVE-2022-27172 | InHand Networks InRouter302 trust management issue vulnerability | InRouter302 | 8.8 | - | 2022-05-12
CVE-2021-34601 | Bender Charge Controller: Hardcoded Credentials in Charge Controller | CC612 | 9.8 | Critical | 2022-04-27
CVE-2021-36312 | Dell EMC CloudLink security vulnerability | CloudLink | 9.1 | Critical | 2021-11-23
CVE-2021-38456 | Moxa MXview Network Management Software | MXview Network Management Software | 9.8 | Critical | 2021-10-12
CVE-2021-28813 | Insufficiently Protected Credentials Vulnerability in QSW-M2116P-2T2S and QuNetSwitch | QSW-M2116P-2T2S | 9.6 | Critical | 2021-09-10

Vulnerabilities classified as CWE-259 (Use of Hard-coded Password) represent 119 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.