CVEs classified under CWE-259, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2024-32741 — CVSS 10.0 (critical): A vulnerability has been identified in SIMATIC CN 4100 (All versions < V3.0). The affected device contains hard coded password which is…
CVE-2014-2363 — CVSS 10.0 (critical): Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login…
CVE-2012-5862 — CVSS 10.0 (critical): These Sinapsi devices store hard-coded passwords in the PHP file of the device. By using the hard-coded passwords in the device, attackers…
CVE-2025-20286 — CVSS 9.9 (critical): A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity…
CVE-2026-35905 — CVSS 9.8 (critical): T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 were discovered to contain a hardcoded password for root access…
CVE-2026-7251 — CVSS 9.8 (critical): Eppendorf BioFlo 320 is vulnerable due to VNC server using a hard-coded password. If a remote attacker knows the network address of any…
CVE-2025-59388 — CVSS 9.8 (critical): A use of hard-coded password vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the…
CVE-2025-70041 — CVSS 9.8 (critical): An issue pertaining to CWE-259: Use of Hard-coded Password was discovered in oslabs-beta ThermaKube master.
CVE-2026-25753 — CVSS 9.8 (critical): PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static…
CVE-2025-15111 — CVSS 9.8 (critical): Ksenia Security lares (legacy model) version 1.6 contains a default credentials vulnerability that allows unauthorized attackers to gain…
CVE-2025-11126 — CVSS 9.8 (critical): A security flaw has been discovered in Apeman ID71 218.53.203.117. This vulnerability affects unknown code of the file…
CVE-2025-8730 — CVSS 9.8 (critical): A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown…
CVE-2025-30115 — CVSS 9.8 (critical): An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Default Credentials Cannot Be Changed. It uses a fixed default…
CVE-2025-1100 — CVSS 9.8 (critical): A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an…
CVE-2024-4996 — CVSS 9.8 (critical): Use of a hard-coded password for a database administrator account created during Wapro ERP installation allows an attacker to retrieve…
CVE-2024-25825 — CVSS 9.8 (critical): FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 17.1 R114, and OpenFyde R114 were discovered to be configured with the…
CVE-2024-42639 — CVSS 9.8 (critical): H3C GR1100-P v100R009 was discovered to use a hardcoded password in /etc/shadow, which allows attackers to log in as root.
CVE-2024-38902 — CVSS 9.8 (critical): H3C Magic R230 V100R002 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as…
CVE-2024-3700 — CVSS 9.8 (critical): Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is…
CVE-2024-3699 — CVSS 9.8 (critical): Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is…
CVE-2024-1228 — CVSS 9.8 (critical): Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is…
CVE-2024-2420 — CVSS 9.8 (critical): LenelS2 NetBox access control and event monitoring system was discovered to contain Hardcoded Credentials in versions prior to and…
CVE-2024-34025 — CVSS 9.8 (critical): CyberPower PowerPanel business application code contains a hard-coded set of authentication credentials. This could result in an attacker…
CVE-2024-33625 — CVSS 9.8 (critical): CyberPower PowerPanel business application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens…
CVE-2024-27488 — CVSS 9.8 (critical): Incorrect Access Control vulnerability in ZLMediaKit versions 1.0 through 8.0, allows remote attackers to escalate privileges and obtain…
CVE-2024-28010 — CVSS 9.8 (critical): Use of Hard-coded Password in NEC Corporation Aterm WG1800HP4, WG1200HS3, WG1900HP2, WG1200HP3, WG1800HP3, WG1200HS2, WG1900HP, WG1200HP2…
CVE-2023-2645 — CVSS 9.8 (critical): A vulnerability, which was classified as critical, was found in USR USR-G806 1.0.41. Affected is an unknown function of the component Web…
CVE-2021-22729 — CVSS 9.8 (critical): A CWE-259: Use of Hard-coded Password vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink…
CVE-2024-34539 — CVSS 9.4 (critical): Hardcoded credentials in TerraMaster TOS firmware through 5.1 allow a remote attacker to successfully login to the mail or webmail server…
CVE-2021-36312 — CVSS 9.1 (critical): Dell EMC CloudLink 7.1 and all prior versions contain a Hard-coded Password Vulnerability. A remote high privileged attacker, with the…
CVE-2021-32525 — CVSS 9.1 (critical): The same hard-coded password in QSAN Storage Manager's in the firmware allows remote attackers to access the control interface with the…
CVE-2014-5405 — CVSS 9.0 (critical): Hospira MedNet before 6.1 uses a hardcoded cleartext password to control SQL database authorization, which allows remote authenticated…
CVE-2026-22055 — CVSS 8.8 (high): Active IQ OneCollect version 2.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to…
CVE-2026-22054 — CVSS 8.8 (high): Active IQ Config Advisor version 6.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to…
CVE-2026-4475 — CVSS 8.8 (high): A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the…
CVE-2026-2616 — CVSS 8.8 (high): A vulnerability has been found in Beetel 777VR1 up to 01.00.09. The impacted element is an unknown function of the component Web Management…
CVE-2025-14126 — CVSS 8.8 (high): A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web…
CVE-2025-44955 — CVSS 8.8 (high): RUCKUS Network Director (RND) before 4.5 allows jailed users to obtain root access vis a weak, hardcoded password.
CVE-2025-30106 — CVSS 8.8 (high): On IROAD v9 devices, the dashcam has hardcoded default credentials ("qwertyuiop") that cannot be changed by the user. This allows an…
CVE-2024-37644 — CVSS 8.8 (high): TRENDnet TEW-814DAP v1_(FW1.01B01) was discovered to contain a hardcoded password vulnerability in /etc/shadow.sample, which allows…
CVE-2024-35395 — CVSS 8.8 (high): TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a hardcoded password vulnerability in /etc/shadow.sample, which allows…
CVE-2024-34211 — CVSS 8.8 (high): TOTOLINK CP450 v4.1.0cu.747_B20191224 was discovered to contain a hardcoded password vulnerability in /etc/shadow.sample, which allows…
CVE-2023-49963 — CVSS 8.8 (high): DYMO LabelWriter Print Server through 2.366 contains a backdoor hard-coded password that could allow an attacker to take control.
CVE-2024-28066 — CVSS 8.8 (high): In Unify CP IP Phone firmware 1.10.4.3, Weak Credentials are used (a hardcoded root password).
CVE-2025-2402 — CVSS 8.6 (high): A hard-coded, non-random password for the object store (minio) of KNIME Business Hub in all versions except the ones listed below allows an…
CVE-2025-3920: A vulnerability was identified in SUR-FBD CMMS where hard-coded credentials were found within a compiled DLL file. These credentials…
CVE-2025-70802 — CVSS 8.4 (high): Tenda G1V3.1si V16.01.7.8 Firmware V16.01.7.8 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows…