CWE-259 (Use of Hard-coded Password)

119 vulnerabilities are classified as CWE-259 (Use of Hard-coded Password). Chinese-language AI analysis is included for each entry.

CWE-259 covers software that ships with a password fixed in its source code, binary or default configuration, either for its own inbound authentication (a built-in account or a hidden diagnostic check) or for outbound connections to another component (a database, a service account). The weakness is severe for two reasons. First, the password is discoverable: anyone with a copy of the product can read it from the source, decompile or disassemble the binary, or simply run strings over it, and the same value unlocks every installation. Second, it is hard to remediate: a hard-coded check cannot be rotated or disabled by an administrator, so the only real fix is a vendor patch, and until then the product may have to be taken offline. Many of the CVEs listed on this page are industrial controllers and medical devices, where exactly this situation applies. The mitigation is to keep the secret out of the shipped artifact altogether. For outbound credentials, read them at runtime from a secrets manager, an environment variable or a configuration file readable only by the service account, and fail closed if none is present rather than falling back to a built-in default. For inbound authentication, store only salted one-way hashes and require a unique password to be set at first login instead of shipping a factory default. This keeps credentials out of version control, build artifacts and decompiled binaries.

MITRE CWE Description
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. There are two main variations of a hard-coded password:
Inbound: the product contains an authentication mechanism that checks for a hard-coded password.
Outbound: the product connects to another system or component, and it contains a hard-coded password for connecting to that component.
Common Consequences (2)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
If hard-coded passwords are used, it is almost certain that malicious users can gain access through the account in question.
Scope: Access Control. Impact: Gain Privileges or Assume Identity; Hide Activities; Reduce Maintainability.
A hard-coded password typically leads to a significant authentication failure that can be difficult for the system administrator to detect. Once detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely.
Mitigations (5)
Phase: Architecture and Design. For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Phase: Architecture and Design. For inbound authentication: rather than hard-code a default username and password for first-time logins, use a "first login" mode that requires the user to enter a unique strong password.
Phase: Architecture and Design. Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Phase: Architecture and Design. For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved. Us…
Phase: Architecture and Design. For front-end to back-end connections: three solutions are possible, although none are complete. The first suggestion involves the use of generated passwords which are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. Next, the passwords used should be limited at the back end…
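The outbound and inbound mitigations above, together with the credential-management advice in the introduction, as one worked example. This is added example code, not MITRE's and not this page's; it uses only the Python standard library. The environment variable name APP_DB_PASSWORD, the secrets-file convention, the in-memory admin record store and the 12-character minimum are assumptions made for illustration.

```python
"""Added example: CWE-259 mitigations with no password literal anywhere in the code.

Outbound: the credential is read at runtime from the environment or from a
secrets file that must not be readable by group/others; there is no built-in
fallback value, because a fallback would reintroduce the weakness.
Inbound: only a salted PBKDF2 hash is stored, verification is constant-time,
and an empty store forces a "first login" that sets a unique password.
"""
import hashlib
import hmac
import os
import secrets
import stat

ENV_VAR = "APP_DB_PASSWORD"     # assumed variable name (not from the page)
PBKDF2_ITERATIONS = 600_000     # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


def load_outbound_password(env=None, secrets_path=None):
    """Return the outbound (e.g. database) password from outside the code.

    Preference order: environment variable, then a secrets file whose mode
    grants nothing to group/others. Raises instead of defaulting.
    """
    env = os.environ if env is None else env
    value = env.get(ENV_VAR)
    if value:
        return value
    if secrets_path is not None and os.path.exists(secrets_path):
        mode = stat.S_IMODE(os.stat(secrets_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{secrets_path} is readable by others (mode {oct(mode)})")
        with open(secrets_path, encoding="utf-8") as fh:
            return fh.read().strip()
    raise RuntimeError(f"no credential in {ENV_VAR} or secrets file; refusing to start")


def hash_password(password, salt=None):
    """Salted one-way hash in a self-describing 'algo$iterations$salt$digest' form."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the hash of the candidate and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class AdminAuthenticator:
    """Replacement for a VerifyAdmin()-style check: no literal password in code."""

    def __init__(self, store):
        # assumed persisted record: {"admin": "<hash string>"} or empty before first login
        self.store = store

    def needs_first_login(self):
        return "admin" not in self.store

    def set_initial_password(self, password):
        """'First login' mode: the operator chooses a unique password once."""
        if not self.needs_first_login():
            raise RuntimeError("admin password already set")
        if len(password) < 12:   # assumed minimum length for illustration
            raise ValueError("password too short")
        self.store["admin"] = hash_password(password)

    def verify_admin(self, password):
        if self.needs_first_login():
            return False         # deny everything until a password has been set
        return verify_password(self.store["admin"], password)
```

Compare verify_admin() with the VerifyAdmin() examples further down: there is no value here that a decompiler or strings could recover, and an operator can change the admin password without a vendor patch.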
Examples (2)
Example 1. The following code uses a hard-coded password to connect to a database:

Bad (Java):
    ...
    DriverManager.getConnection(url, "scott", "tiger");
    ...

Attack: the user name and password survive compilation as string constants and can be read back with javap:
    javap -c ConnMngr.class
    22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
    24: ldc #38; //String scott
    26: ldc #17; //String tiger

Example 2. The following code is an example of an internal hard-coded password in the back-end:

Bad (C):
    #include <stdio.h>
    #include <string.h>

    int VerifyAdmin(char *password) {
        /* the password "Mew!" is fixed in the binary and identical for every install */
        if (strcmp(password, "Mew!")) {
            printf("Incorrect Password!\n");
            return(0);
        }
        printf("Entering Diagnostic Mode...\n");
        return(1);
    }

Bad (Java):
    int VerifyAdmin(String password) {
        // the password "Mew!" is a string constant recoverable with javap
        if (!password.equals("Mew!")) {
            return(0);
        }
        //Diagnostic Mode
        return(1);
    }
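The javap attack in Example 1, generalized: every string literal a class can load with ldc sits in the class file's constant pool, so it can be pulled out with a short parser and no JVM. This is an added example, not MITRE's or this page's code. The class bytes are constructed inline as a stand-in for ConnMngr.class (only the constant pool is populated, with the same three literals), so the example runs offline; the parser itself works on any real .class file read from disk.

```python
"""Added example: list string literals from a Java class file's constant pool."""
import struct

# Constant-pool tags (JVMS section 4.4) whose payload is fixed-width: tag -> bytes
FIXED_PAYLOAD = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
                 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
CONSTANT_UTF8, CONSTANT_LONG, CONSTANT_DOUBLE, CONSTANT_STRING = 1, 5, 6, 8


def constant_pool_strings(class_bytes):
    """Return the literals javap -c reports as '//String ...', in pool order.

    Walks the constant pool once, keeping CONSTANT_Utf8 entries and resolving
    the CONSTANT_String entries that point at them.
    """
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    off, idx = 10, 1                       # pool starts at byte 10, slot 1
    utf8, string_refs = {}, []
    while idx < count:
        tag = class_bytes[off]
        off += 1
        if tag == CONSTANT_UTF8:
            (length,) = struct.unpack_from(">H", class_bytes, off)
            off += 2
            # the JVM stores "modified UTF-8"; plain decoding suffices for ASCII literals
            utf8[idx] = class_bytes[off:off + length].decode("utf-8", "replace")
            off += length
        elif tag == CONSTANT_STRING:
            (ref,) = struct.unpack_from(">H", class_bytes, off)
            off += 2
            string_refs.append(ref)
        elif tag in FIXED_PAYLOAD:
            off += FIXED_PAYLOAD[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        # Long and Double entries occupy two pool slots (JVMS section 4.4.5)
        idx += 2 if tag in (CONSTANT_LONG, CONSTANT_DOUBLE) else 1
    return [utf8[ref] for ref in string_refs if ref in utf8]


def utf8_entry(text):
    data = text.encode("utf-8")
    return struct.pack(">BH", CONSTANT_UTF8, len(data)) + data


def build_sample_class():
    """Constructed stand-in for ConnMngr.class (not real compiler output).

    Only the constant pool is meaningful; slot numbers are in the comments so
    the String -> Utf8 references resolve. A Long entry is included to show
    the two-slot rule.
    """
    pool = [
        utf8_entry("jdbc:mysql://ixne.com/rxsql"),   # 1
        struct.pack(">BH", CONSTANT_STRING, 1),       # 2 -> #1
        utf8_entry("scott"),                          # 3
        struct.pack(">BH", CONSTANT_STRING, 3),       # 4 -> #3
        struct.pack(">BQ", CONSTANT_LONG, 30),        # 5 and 6 (two slots)
        utf8_entry("tiger"),                          # 7
        struct.pack(">BH", CONSTANT_STRING, 7),       # 8 -> #7
        struct.pack(">BHH", 12, 3, 7),                # 9 NameAndType (fixed-width, skipped)
    ]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 10)   # count = last slot + 1
    trailer = struct.pack(">H", 0x0021)                     # access_flags; remainder omitted
    return header + b"".join(pool) + trailer


if __name__ == "__main__":
    for literal in constant_pool_strings(build_sample_class()):
        print(literal)
```

Run against a real class file with open(path, "rb").read(); the JDBC URL, user name and password come out exactly as in the javap listing above, which is why no amount of obfuscated variable naming protects a literal.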
CVE listing (29 of the 119 shown on this page)
CVE ID | Title | Affected product | CVSS | Severity | Published
CVE-2020-5351 | Dell EMC Data Protection Advisor security vulnerability | Data Protection Advisor | 7.5 | High | 2021-07-28
CVE-2021-22729 | EVlink City, EVlink Parking and EVlink Smart Wallbox security vulnerability | EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1) | 9.8 | - | 2021-07-21
CVE-2021-21818 | D-Link DIR-3040 trust management issue vulnerability | D-Link | 7.5 | - | 2021-07-16
CVE-2021-32525 | QSAN Storage Manager - Use of Hard-coded Password-2 | Storage Manager | 9.1 | Critical | 2021-07-07
CVE-2021-32521 | QSAN Storage Manager, XEVO, SANOS - Use of Hard-coded Password | Storage Manager | 7.3 | High | 2021-07-07
CVE-2019-10881 | Default hidden Privileged Account Vulnerability in multiple XEROX devices | AltaLink B8045/B8055/B8065/B8075/B8090 | 9.8 | - | 2021-04-13
CVE-2021-27440 | Grid Solutions GE Reason DR60 trust management issue vulnerability | Reason DR60 | 9.8 | - | 2021-03-25
CVE-2021-27452 | Grid Solutions GE Reason DR60 trust management issue vulnerability | MU320E | 9.8 | - | 2021-03-25
CVE-2021-27254 | Netgear NETGEAR trust management issue vulnerability | R7800 | 8.8 | - | 2021-03-05
CVE-2020-2499 | Hard-coded Password Vulnerability in QES | QES | 6.3 | Medium | 2020-12-24
CVE-2020-7590 | Siemens DCA Vantage Analyzer security vulnerability | DCA Vantage Analyzer | 6.8 | - | 2020-10-13
CVE-2020-12012 | Baxter ExactaMix EM2400 and EM1200 trust management issue vulnerability | Baxter ExactaMix EM 2400 & EM 1200 | 7.7 | - | 2020-06-29
CVE-2020-12016 | Baxter ExactaMix EM2400 and ExactaMix EM1200 trust management issue vulnerability | Baxter ExactaMix EM 2400 & EM 1200 | 8.4 | - | 2020-06-29
CVE-2020-12037 | Baxter PrismaFlex security vulnerability | Baxter PrismaFlex and PrisMax | 7.5 | - | 2020-06-29
CVE-2020-12039 | Baxter Sigma Spectrum Infusion System and Spectrum Infusion System trust management issue vulnerability | Baxter Sigma Spectrum Infusion Pumps | 2.4 | - | 2020-06-29
CVE-2020-12045 | Baxter Spectrum WBM trust management issue vulnerability | Baxter Sigma Spectrum Infusion Pumps | 9.8 | - | 2020-06-29
CVE-2020-12047 | Baxter Spectrum WBM trust management issue vulnerability | Baxter Sigma Spectrum Infusion Pumps | 9.8 | - | 2020-06-29
CVE-2019-13530 | Multiple Philips products trust management issue vulnerability | Philips IntelliVue WLAN, portable patient monitors | 8.8 | - | 2019-09-12
CVE-2014-5431 | Baxter SIGMA Spectrum Infusion System security vulnerability | SIGMA Spectrum Infusion System | 6.8 | - | 2019-03-26
CVE-2014-5434 | Baxter Wireless Battery Module security vulnerability | SIGMA Spectrum Infusion System | 9.8 | - | 2019-03-26
CVE-2015-3953 | Multiple Hospira products security vulnerability | Plum A+ Infusion System | 9.8 | - | 2019-03-25
CVE-2019-3908 | IDenticard Systems Identicard Premisys trust management issue vulnerability | Premisys Identicard 3.1.190 | 6.5 | - | 2019-01-18
CVE-2018-8870 | Medtronic MyCareLink Patient Monitor Use of Hard-coded Password | 24950 MyCareLink Monitor | 6.4 | Medium | 2018-07-02
CVE-2016-9358 | Multiple Marel products security vulnerability | Marel Food Processing Systems | 9.8 | - | 2017-06-30
CVE-2017-6022 | BD PerformA and KLA Journal Service trust management issue vulnerability | BD Kiestra PerformA and KLA Journal Service | 9.4 | - | 2017-06-30
CVE-2017-6039 | Phoenix Broadband PowerAgent SC3 BMS security vulnerability | Phoenix Broadband Technologies LLC PowerAgent SC3 Site Controller | 9.8 | - | 2017-06-02
CVE-2014-5405 | Hospira MedNet Use of Hard-coded Password | MedNet | 8.8 | - | 2015-04-03
CVE-2014-2363 | Morpho Itemiser 3 Hard-Coded Credential | Itemiser 3 | 9.8 | - | 2014-07-26
CVE-2012-5862 | Sinapsi eSolar Hard-Coded Password | eSolar | 9.8 | - | 2012-11-23

Vulnerabilities classified as CWE-259 (Use of Hard-coded Password) account for 119 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.