CWE-798: Use of Hard-coded Credentials

Total CVEs: 451
Critical: 258
High: 145
Avg CVSS: 8.8
In CISA KEV: 1

Yearly Trend

2026: 24
2025: 100
2024: 97
2023: 66
2022: 69

Top Affected Vendors

1. IBM: 19
2. FiberHome: 15
3. D-Link: 14
4. TOTOLINK: 7
5. Siemens: 6
6. Schneider Electric: 6
7. SolarWinds: 5
8. Fortinet: 4
9. Tenda: 4
10. Dell: 4

All CWE-798 CVEs (451)

CVE-2023-46943
9.1

This vulnerability allows attackers to forge valid JSON Web Tokens (JWTs) due to a hardcoded weak HMAC secret ('secret') in @evershop/evershop. Attack...

Jan 13, 2024
CVE-2022-45766
9.1

Global Facilities Management Software (GFMS) Version 3 contains hardcoded credentials that allow remote attackers to compromise electronic key box sys...

Feb 10, 2023
CVE-2022-23441
9.1

This vulnerability in FortiEDR allows attackers to impersonate legitimate collectors by exploiting hard-coded cryptographic keys. Unauthenticated netw...

Apr 6, 2022
CVE-2022-1162
9.1

This vulnerability allows attackers to take over user accounts in GitLab instances configured with OmniAuth providers (OAuth, LDAP, SAML). Attackers c...

Apr 4, 2022
CVE-2022-25577
9.1

ALF-BanCO v8.2.5 and earlier uses a hardcoded password to encrypt its SQLite database, allowing attackers with system access to read and modify user d...

Mar 25, 2022
CVE-2022-21669
9.1

CVE-2022-21669 is a critical vulnerability in PuddingBot where the bot token was hardcoded in the main.py source file, publicly exposing it. This allo...

Jan 11, 2022
CVE-2020-25256
9.1

This CVE reveals that Hyland OnBase installations across multiple versions share the same private key for PKI certificates. This allows attackers who ...

Sep 11, 2020
CVE-2024-29855
9.0

CVE-2024-29855 is a critical authentication bypass vulnerability in Veeam Recovery Orchestrator caused by a hard-coded JWT secret. Attackers can forge...

Jun 11, 2024
CVE-2025-65730
8.8

This vulnerability allows attackers to bypass authentication in GoAway by forging JWT tokens using a hardcoded secret key. Any system running GoAway v...

Dec 5, 2025
CVE-2025-33186
8.8

NVIDIA AIStore has an authentication vulnerability (CWE-798: Use of Hard-coded Credentials) that allows attackers to bypass authentication mechanisms....

Nov 11, 2025
CVE-2025-62777
8.8

This vulnerability involves hard-coded credentials in MZK-DP300N devices, allowing attackers on the local network to gain Telnet access and execute ar...

Oct 28, 2025
CVE-2025-10639
8.8

CVE-2025-10639 allows attackers with network access to TCP port 12304 to use hardcoded FTP credentials to gain SYSTEM-level remote code execution on W...

Oct 21, 2025
CVE-2025-52159
8.8

CVE-2025-52159 involves hardcoded credentials in the default configuration of PPress CMS version 0.0.9. This allows attackers to bypass authentication...

Sep 19, 2025
CVE-2025-51606
8.8

Hippo4j versions 1.0.0 through 1.5.0 use a hard-coded secret key for JWT creation, allowing attackers who obtain the source code or binary to forge va...

Aug 21, 2025
CVE-2025-45466
8.8

Unitree Go1 robots with firmware up to Go1_2022_05_11 have hardcoded authentication credentials in plaintext, allowing attackers to bypass authenticat...

Jul 25, 2025
CVE-2025-49551
8.8

Adobe ColdFusion contains hard-coded credentials that could allow attackers to escalate privileges without user interaction. This affects ColdFusion 2...

Jul 8, 2025
CVE-2024-52902
8.8

IBM Cognos Controller and IBM Controller client applications contain hard-coded database passwords in their source code, allowing attackers to gain un...

Feb 19, 2025
CVE-2024-53484
8.8

Ever Traduora versions 0.20.0 and below use a hard-coded JWT signing key, allowing attackers to forge authentication tokens and escalate privileges. T...

Dec 2, 2024
CVE-2024-49060
8.8

This vulnerability allows authenticated attackers to elevate privileges on Azure Stack HCI systems, potentially gaining administrative control. It aff...

Nov 15, 2024
CVE-2024-8448
8.8

PLANET Technology switches contain hard-coded credentials in their command-line interface, allowing attackers with regular user access to escalate to ...

Sep 30, 2024
CVE-2023-41612
8.8

The Victure PC420 camera firmware version 1.1.39 uses a weak, hardcoded encryption key for the enabled_telnet.dat file on its Micro SD card. This allo...

Sep 18, 2024
CVE-2024-5471
8.8

ManageEngine DDI Central versions 4001 and prior contain hard-coded sensitive keys that allow attackers to take over agent communications. This affect...

Jul 17, 2024
CVE-2024-6045
8.8

Certain D-Link wireless routers contain a factory testing backdoor that allows unauthenticated attackers on the local network to enable Telnet service...

Jun 17, 2024
CVE-2024-37630
8.8

D-Link DIR-605L routers contain a hardcoded root password in the /etc/passwd file, allowing attackers to gain full administrative control. This affect...

Jun 13, 2024
CVE-2023-49223
8.8

This vulnerability allows remote attackers to obtain the root password from Precor treadmill touchscreen consoles because it's stored in plaintext in ...

Jun 7, 2024
CVE-2024-23726
8.8

Ubee DDW365 XCNDDW365 devices use predictable default WPA2 PSKs that can be derived from observable Wi-Fi network information. This allows attackers w...

Jan 21, 2024
CVE-2023-47315
8.8

CVE-2023-47315 is an authentication bypass vulnerability in Headwind MDM Web panel where a hard-coded JWT secret allows attackers to forge valid authe...

Nov 22, 2023
CVE-2023-46102
8.8

This vulnerability allows attackers to execute arbitrary commands on Android HMI devices by exploiting hard-coded DES encryption keys in the MQTT comm...

Oct 25, 2023
CVE-2023-32619
8.8

This vulnerability allows network-adjacent attackers to execute arbitrary operating system commands on affected TP-Link Archer routers using hard-code...

Sep 6, 2023
CVE-2023-28937
8.8

DataSpider Servista versions 4.4 and earlier use a hard-coded cryptographic key in ScriptRunner components, allowing attackers who gain access to a La...

Jun 1, 2023
CVE-2022-31619
8.8

Teamcenter Java EE Server Manager HTML Adaptor contains hardcoded default credentials. Attackers with access to the application can exploit these cred...

Jun 14, 2022
CVE-2022-25806
8.8

CVE-2022-25806 is a hardcoded cryptographic key vulnerability in IGEL Universal Management Suite (UMS) that allows attackers to decrypt superuser cred...

Jun 9, 2022
CVE-2022-29778
8.8

CVE-2022-29778 is a remote code execution vulnerability in D-Link DIR-890L routers caused by hardcoded Wake-On-Lan credentials in the SetVirtualServer...

Jun 3, 2022
CVE-2021-33014
8.8

CVE-2021-33014 allows attackers to gain VxWorks shell access on KUKA KR C4 industrial controllers due to hard-coded credentials. This affects KUKA Sys...

May 26, 2022
CVE-2021-42850
8.8

This vulnerability allows attackers with physical or local network access to gain unauthorized administrative access to Lenovo Personal Cloud Storage ...

May 18, 2022
CVE-2022-24255
8.8

Extensis Portfolio v4.0 contains hardcoded administrator credentials that allow attackers to bypass authentication and gain full administrative contro...

Mar 1, 2022
CVE-2021-45732
8.8

CVE-2021-45732 is a hardcoded credential vulnerability in Netgear Nighthawk R6700 routers that allows attackers to decrypt configuration backups, modi...

Dec 30, 2021
CVE-2021-20170
8.8

CVE-2021-20170 is a hardcoded credential vulnerability in Netgear RAX43 routers that allows attackers to decrypt configuration backups using the passw...

Dec 30, 2021
CVE-2021-36799
8.8

CVE-2021-36799 is a hard-coded credential vulnerability in KNX ETS5 software versions through 5.7.6. It allows local users to decrypt and read project...

Jul 19, 2021
CVE-2024-8450
8.6

This vulnerability affects certain PLANET Technology switch models that have a hard-coded SNMPv1 community string, allowing unauthorized remote attack...

Sep 30, 2024
CVE-2024-23473
8.6

This CVE describes a hard-coded credential vulnerability in SolarWinds Access Rights Manager that allows authentication bypass to the RabbitMQ managem...

May 14, 2024
CVE-2023-32274
8.6

Enphase Installer Toolkit Android app version 3.27.0 contains hard-coded credentials in its binary code, allowing attackers to extract and use these c...

Jun 20, 2023
CVE-2025-14115
8.4

IBM Sterling Connect:Direct for UNIX contains hard-coded credentials that could allow attackers to authenticate to the system, communicate with extern...

Jan 20, 2026
CVE-2025-55047
8.4

CVE-2025-55047 involves hard-coded credentials in software, allowing attackers to bypass authentication and gain unauthorized access. This affects sys...

Sep 9, 2025
CVE-2025-1143
8.4

Billion Electric routers have hard-coded SSH credentials that allow attackers to gain root access. This affects specific router models running embedde...

Feb 11, 2025
CVE-2024-28146
8.4

This vulnerability involves hard-coded credentials in ImageAccess products that allow attackers to decrypt configuration files, firmware updates, and ...

Dec 12, 2024
CVE-2023-44296
8.4

Dell ELab-Navigator version 3.1.9 contains hard-coded credentials that allow local attackers to gain unauthorized access to sensitive data. This vulne...

Nov 16, 2023
CVE-2023-2504
8.4

This CVE describes a vulnerability in Birddog firmware where hard-coded credentials are present in files on firmware images. An attacker can use these...

May 22, 2023
CVE-2021-27430
8.4

This vulnerability in GE UR bootloader versions 7.00-7.02 contains hardcoded credentials that could allow unauthorized access. Attackers with physical...

Mar 23, 2022
CVE-2024-9334
8.2

This vulnerability in E-Kent Pallium Vehicle Tracking software allows attackers to bypass authentication using hard-coded credentials stored without p...

Feb 27, 2025

About CWE-798 (Use of Hard-coded Credentials)

Our database tracks 451 CVEs classified as CWE-798, with 258 rated critical and 145 rated high severity. The average CVSS score for CWE-798 vulnerabilities is 8.8.
