
CWE-798 (Use of Hard-coded Credentials): Vulnerability Class, 559 CVEs

559 vulnerabilities are classified as CWE-798 (Use of Hard-coded Credentials). An AI-generated summary (originally in Chinese) is included.

CWE-798 describes a weakness in which authentication depends on static credentials built into the product rather than on credentials provisioned per deployment. It typically appears as a default administrative account whose password is fixed in the code, or as a password or cryptographic key embedded in the source or in a shipped configuration file. An attacker does not have to defeat any other control: the credential can be recovered by decompiling the binary, unpacking the firmware, reading the configuration file, or simply looking it up once it has been published, and it then grants the same access to every installation of the product. Mitigation means removing static secrets from the product altogether: provision credentials at install time or on first login, keep outbound secrets in a secrets manager, an encrypted configuration store or a hardware security module with tight access controls (environment variables are an improvement over source code, but remain visible to anyone who can inspect the process), store inbound passwords only as salted one-way hashes, rotate keys, and require multi-factor authentication so that one leaked secret is not sufficient for access.

MITRE CWE Description
The product contains hard-coded credentials, such as a password or cryptographic key. There are two main variations:

Inbound: the product contains an authentication mechanism that checks the input credentials against a hard-coded set of credentials. In this variant, a default administration account is created, and a simple password is hard-coded into the product and associated with that account. This hard-coded password is the same for each installation of the product, and it usually cannot be changed or disabled by system administrators without manually modifying the program, or otherwise patching the product. It can also be difficult for the administrator to detect.

Outbound: the product connects to another system or component, and it contains hard-coded credentials for connecting to that component. This variant applies to front-end systems that authenticate with a back-end service. The back-end service may require a fixed password that can be easily discovered. The programmer may simply hard-code those back-end credentials into the front-end product.
Common Consequences (2)

Scope: Access Control
Impact: Bypass Protection Mechanism
If hard-coded passwords are used, it is almost certain that malicious users will gain access to the account in question. Any user of the product that hard-codes passwords may be able to extract the password. Client-side systems with hard-coded passwords pose even more of a threat, since the extracti…

Scope: Integrity, Confidentiality, Availability, Access Control, Other
Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Other
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code. If the password is ever discovered or published (a common occurrence on the Internet), then anybody with knowledge of thi…
Mitigations (5)

[Architecture and Design] For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as …

[Architecture and Design] For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.

[Architecture and Design] If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.

[Architecture and Design] For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash. Use ra…

[Architecture and Design] For front-end to back-end connections: Three solutions are possible, although none are complete. The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. Next, the passwords or keys should be limited at th…
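The first mitigation above (outbound credentials kept outside the code, with restrictive permissions when encryption is not available) is the fix for the getConnection example in the Examples section that follows. The Python below is an added illustration, not code from the page or from MITRE: it loads a `user:password` pair from a file and refuses to use the file unless it is a regular file owned by the current user with no group/other permission bits, so a credential that was accidentally left world-readable fails loudly instead of being used. The file name `db.cred`, the `scott:tiger` contents and the helpers are constructed for the example; a real deployment would pass the returned pair to the database driver at run time instead of embedding it as a literal.

```python
import os
import stat
import tempfile


def load_db_credential(path: str) -> tuple:
    """Read 'user:password' from a credential file, refusing anything that
    other local users could read. Returns (user, password)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        raise PermissionError(f"{path}: accessible by group/other (mode {mode:04o}); refusing")
    with open(path, encoding="utf-8") as fh:
        user, sep, password = fh.read().strip().partition(":")
    if not sep or not user or not password:
        raise ValueError(f"{path}: expected 'user:password'")
    return user, password


def write_credential_file(directory: str, user: str, password: str, mode: int) -> str:
    """Constructed helper for the demo: write a credential file with an explicit mode."""
    path = os.path.join(directory, "db.cred")        # hypothetical file name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(f"{user}:{password}\n")
    os.chmod(path, mode)        # O_CREAT's mode is subject to umask; set it explicitly
    return path


def demo() -> dict:
    """Same contents, two permission settings; returns what the loader did with each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        strict = write_credential_file(tmp, "scott", "tiger", 0o600)
        results["mode_0600"] = load_db_credential(strict)      # ('scott', 'tiger')
        loose = write_credential_file(tmp, "scott", "tiger", 0o644)
        try:
            load_db_credential(loose)
            results["mode_0644"] = "accepted"
        except PermissionError:
            results["mode_0644"] = "refused"                    # world-readable: rejected
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The check is deliberately fail-closed: a loose mode is treated as a configuration error, not a warning. As the last mitigation notes, none of the file-based approaches is complete; the password is still plaintext on disk and is only as safe as the operating system's access control, so a secrets manager or HSM is preferable where one is available.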
Examples (2)

The following code uses a hard-coded password to connect to a database:

```java
...
DriverManager.getConnection(url, "scott", "tiger");
...
```
Bad · Java

The credentials survive compilation. Anyone with the bytecode can disassemble the class with javap and read the connection string, user name and password straight out of the constant pool:

```
javap -c ConnMngr.class
22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
24: ldc #38; //String scott
26: ldc #17; //String tiger
```
Attack
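The javap output above is the attacker's view: every string literal is kept verbatim as a CONSTANT_String entry in the class file's constant pool, which is what each `ldc #n` refers to. The Python below is an added example, not part of the page or of MITRE's material: it parses the constant pool according to the JVM class-file layout and lists the String entries, skipping Utf8 entries that are only method names, descriptors or class names. The class-file bytes are constructed inline (header plus constant pool only, truncated before the fields and methods sections, which the parser never reads), so the pool indexes are the constructed sample's and do not match the #36/#38/#17 shown above.

```python
import struct

# Constant-pool tags followed by two u2 indexes (JVM spec, section 4.4).
_TWO_INDEX = {9: "Fieldref", 10: "Methodref", 11: "InterfaceMethodref",
              12: "NameAndType", 17: "Dynamic", 18: "InvokeDynamic"}
# Tags followed by a single u2 index.
_ONE_INDEX = {7: "Class", 8: "String", 16: "MethodType", 19: "Module", 20: "Package"}


def parse_constant_pool(data: bytes) -> dict:
    """Return {index: (kind, value)} for a class file's constant pool.
    Only the 10-byte header and the pool are read; the rest of the file is ignored."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)   # constant_pool_count = entries + 1
    pool, off, i = {}, 10, 1                        # entries are numbered from 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:                                # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            pool[i] = ("Utf8", data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in (3, 4):                         # Integer / Float: 4 raw bytes
            pool[i] = ("Integer" if tag == 3 else "Float", data[off:off + 4])
            off += 4
        elif tag in (5, 6):                         # Long / Double: 8 bytes, two slots
            pool[i] = ("Long" if tag == 5 else "Double", data[off:off + 8])
            off += 8
            i += 1                                  # slot i+1 is unusable by spec
        elif tag in _ONE_INDEX:
            (idx,) = struct.unpack_from(">H", data, off)
            off += 2
            pool[i] = (_ONE_INDEX[tag], idx)
        elif tag in _TWO_INDEX:
            a, b = struct.unpack_from(">HH", data, off)
            off += 4
            pool[i] = (_TWO_INDEX[tag], (a, b))
        elif tag == 15:                             # MethodHandle: u1 kind + u2 index
            kind, idx = struct.unpack_from(">BH", data, off)
            off += 3
            pool[i] = ("MethodHandle", (kind, idx))
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        i += 1
    return pool


def string_literals(data: bytes) -> list:
    """(pool index, text) for every CONSTANT_String, i.e. every literal an ldc can load."""
    pool = parse_constant_pool(data)
    found = []
    for idx in sorted(pool):
        kind, value = pool[idx]
        if kind == "String" and pool.get(value, ("",))[0] == "Utf8":
            found.append((idx, pool[value][1]))
    return found


# Constructed sample: the pool a compiler would emit for the getConnection call above.
def _utf8(s):
    return b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()

def _one(tag, idx):
    return bytes([tag]) + struct.pack(">H", idx)

def _two(tag, a, b):
    return bytes([tag]) + struct.pack(">HH", a, b)

SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)   # magic, minor, major (Java 8)
    + struct.pack(">H", 17)                           # 16 entries (Long takes two slots)
    + _utf8("jdbc:mysql://ixne.com/rxsql")            # #1
    + _one(8, 1)                                      # #2  String -> #1
    + _utf8("scott")                                  # #3
    + _one(8, 3)                                      # #4  String -> #3
    + _utf8("tiger")                                  # #5
    + _one(8, 5)                                      # #6  String -> #5
    + _utf8("getConnection")                          # #7  method name, not a literal
    + _utf8("(Ljava/lang/String;Ljava/lang/String;"
            "Ljava/lang/String;)Ljava/sql/Connection;")  # #8  descriptor
    + _two(12, 7, 8)                                  # #9  NameAndType
    + _utf8("java/sql/DriverManager")                 # #10
    + _one(7, 10)                                     # #11 Class -> #10
    + _two(10, 11, 9)                                 # #12 Methodref
    + b"\x05" + struct.pack(">q", 42)                 # #13 Long (also consumes slot #14)
    + _utf8("ConnMngr")                               # #15
    + _one(7, 15)                                     # #16 Class -> #15
)                                                     # fields/methods omitted

if __name__ == "__main__":
    for idx, text in string_literals(SAMPLE_CLASS):
        print(f"#{idx:<3} String {text!r}")
```

Running it against a real `.class` file (`open("ConnMngr.class", "rb").read()`) gives the same kind of listing javap does, which is why reviewers treat any String constant that looks like a password, token or key as a finding: the bytecode is the product, and obfuscation of identifiers does not touch these entries.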
The following code is an example of an internal hard-coded password in the back-end:

```c
int VerifyAdmin(char *password) {
    if (strcmp(password, "Mew!")) {
        printf("Incorrect Password!\n");
        return(0);
    }
    printf("Entering Diagnostic Mode...\n");
    return(1);
}
```
Bad · C

```java
int VerifyAdmin(String password) {
    if (!password.equals("Mew!")) {
        return(0);
    }
    //Diagnostic Mode
    return(1);
}
```
Bad · Java
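The VerifyAdmin examples above are the inbound variant: the password "Mew!" is identical in every copy of the product and cannot be changed without a patch. The Python below is an added example, not the page's or MITRE's code, that puts the hard-coded check beside the fix the "first login" and "strong one-way hashes" mitigations describe: no default credential exists until the installer sets one, the password is stored only as a salted PBKDF2-SHA256 hash in a store outside the code, and verification compares hashes in constant time. `CredentialStore` is an in-memory stand-in for the access-controlled file or database the mitigation calls for, and the iteration count and the 12-character minimum are assumptions to tune per deployment.

```python
import hashlib
import hmac
import secrets


def verify_admin_hardcoded(password: str) -> bool:
    """The page's C/Java example, same behaviour: every installation accepts "Mew!"
    and nothing the administrator does can change that."""
    return password == "Mew!"


# Hardened inbound authentication: no built-in default, salted hash held
# outside the code, constant-time comparison.

PBKDF2_ITERATIONS = 600_000      # assumption: tune to roughly 0.25 s on target hardware


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


class CredentialStore:
    """Stand-in (constructed for this example) for the access-controlled config file
    or database the mitigation calls for. Holds at most one admin record."""
    def __init__(self):
        self._record = None

    def load(self):
        return self._record

    def save(self, record: dict) -> None:
        self._record = record


def first_login_set_password(store: CredentialStore, new_password: str) -> None:
    """'First login' mode: the installer chooses a strong password before the
    account is usable. There is no default value to fall back on."""
    if store.load() is not None:
        raise PermissionError("admin credential already set; use the password-change flow")
    if len(new_password) < 12:                       # assumed policy minimum
        raise ValueError("admin password must be at least 12 characters")
    salt = secrets.token_bytes(16)                   # fresh per-account salt
    store.save({
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": hash_password(new_password, salt).hex(),
    })


def verify_admin(store: CredentialStore, password: str) -> bool:
    """Hash the presented password with the stored salt and compare in constant time."""
    record = store.load()
    if record is None:          # not provisioned yet: deny, never accept a built-in value
        return False
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    candidate = hash_password(password, salt, record["iterations"])
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    """Walk both variants through the same inputs; returns the outcomes."""
    store = CredentialStore()
    before = verify_admin(store, "Mew!")             # False: nothing provisioned yet
    first_login_set_password(store, "correct horse battery staple")
    return {
        "hardcoded_accepts_default": verify_admin_hardcoded("Mew!"),                    # True
        "hardened_before_provision": before,                                            # False
        "hardened_accepts_chosen": verify_admin(store, "correct horse battery staple"),  # True
        "hardened_rejects_default": verify_admin(store, "Mew!"),                        # False
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two details matter beyond "don't hard-code it". Returning False when no record exists is what makes first-login mode safe: a product that falls back to a default while unprovisioned has simply moved the hard-coded credential one branch over. And `hmac.compare_digest` rather than `==` keeps the comparison from leaking how many leading bytes of the hash matched.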
CVE list (30 of the 559 entries are shown on this page; the Severity column is empty in the source)

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2019-10979 | Sick MSC800 trust management issue vulnerability | MSC800 | 9.8 | - | 2019-07-01 |
| CVE-2019-6812 | Schneider Electric BMX-NOR-0200H trust management issue vulnerability | Modicon RTU Module, BMX-NOR-0200H with firmware versions prior to V1.7 IR 19 | 7.2 | - | 2019-05-22 |
| CVE-2019-6548 | GE Communicator trust management issue vulnerability | GE Communicator | 8.1 | - | 2019-05-09 |
| CVE-2019-3918 | Nokia Alcatel Lucent I-240W-Q GPON ONT trust management issue vulnerability | Alcatel Lucent I-240W-Q GPON ONT | 9.8 | - | 2019-03-05 |
| CVE-2019-1688 | Cisco Network Assurance Engine CLI Access with Default Password Vulnerability | Cisco Network Assurance Engine | 6.0 | - | 2019-02-12 |
| CVE-2019-1675 | Cisco Aironet Active Sensor Static Credentials Vulnerability | Cisco Aironet Active Sensor | 7.5 | - | 2019-02-07 |
| CVE-2018-18998 | LCDS LAquis SCADA trust management issue vulnerability | LCDS Laquis SCADA | 9.8 | - | 2019-02-05 |
| CVE-2018-5560 | Guardzilla All-In-One Video Security System Hard-Coded Credential | Guardzilla All-In-One Video Security System | 7.5 | - | 2019-01-31 |
| CVE-2019-3906 | IDenticard Systems Identicard Premisys trust management issue vulnerability | Premisys Identicard 3.1.190 | 8.8 | - | 2019-01-18 |
| CVE-2019-3907 | IDenticard Systems Identicard Premisys encryption issue vulnerability | Premisys Identicard 3.1.190 | 7.5 | - | 2019-01-18 |
| CVE-2019-0020 | Juniper ATP: Hard coded credentials used in Web Collector | Juniper ATP | 9.8 | - | 2019-01-15 |
| CVE-2019-0022 | Juniper ATP: Two hard coded credentials sharing the same password give an attacker the ability to take control of any installation of the software. | Juniper ATP | 9.8 | - | 2019-01-15 |
| CVE-2018-15720 | Logitech Harmony Hub security vulnerability | Logitech Harmony Hub | 9.8 | - | 2018-12-20 |
| CVE-2018-15439 | Cisco Small Business Switches Privileged Access Vulnerability | Cisco Small Business 300 Series Managed Switches | 9.8 | - | 2018-11-08 |
| CVE-2018-17894 | NUUO CMS security vulnerability | NUUO CMS | 9.8 | - | 2018-10-12 |
| CVE-2018-17896 | Multiple Yokogawa products security vulnerability | STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500 | 9.8 | - | 2018-10-12 |
| CVE-2018-5399 | The Auto-Maskin DCU 210E firmware contains an undocumented Dropbear SSH server, v2015.55, configured to listen on Port 22 while the DCU is running and is configured with hard-coded credentials | DCU-210E | 9.8 | - | 2018-10-08 |
| CVE-2018-15427 | Cisco Video Surveillance Manager Appliance Default Password Vulnerability | Cisco Video Surveillance Manager | 9.8 | - | 2018-10-05 |
| CVE-2018-14801 | Multiple Philips products security vulnerability | PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs | 5.8 | - | 2018-08-22 |
| CVE-2017-13100 | DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption | The Moron Test | 7.5 | - | 2018-08-15 |
| CVE-2017-13101 | Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-10-03, iOS application uses a hard-coded key for encryption | musical.ly | 7.5 | - | 2018-08-15 |
| CVE-2017-13102 | Gameloft Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS application uses a hard-coded key for encryption | Asphalt Xtreme: Offroad Rally Racing | 7.5 | - | 2018-08-15 |
| CVE-2017-13104 | Uber Technologies, Inc. UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS application uses a hard-coded key for encryption | UberEATS: Uber for Food Delivery | 7.5 | - | 2018-08-15 |
| CVE-2017-13106 | Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android application uses a hard-coded key for encryption | CM Launcher 3D - Theme, wallpaper, Secure, Efficient | 7.5 | - | 2018-08-15 |
| CVE-2017-13107 | Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption | Live.me | 7.5 | - | 2018-08-15 |
| CVE-2017-13108 | DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption | Security Antivirus, Anti-hacking & Cleaner | 7.5 | - | 2018-08-15 |
| CVE-2018-10592 | Multiple Yokogawa products security vulnerability | STARDOM FCJ Controllers | 9.8 | - | 2018-07-31 |
| CVE-2018-10898 | openstack-tripleo-heat-templates security vulnerability | openstack-tripleo-heat-templates | 9.8 | - | 2018-07-30 |
| CVE-2018-0375 | Cisco Policy Suite Cluster Manager security vulnerability | Cisco Policy Suite unknown | 9.8 | - | 2018-07-18 |
| CVE-2016-9495 | Hughes high-performance broadband satellite modems, models HN7740S DW7000 HN7000S/SM, uses hard coded credentials | HN7740S | 8.8 | - | 2018-07-13 |

Vulnerabilities classified as CWE-798 (Use of Hard-coded Credentials) account for 559 CVEs. The CWE taxonomy describes the weakness class; review the individual CVEs for product-specific impact.