CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,867 CVEs tracked | 53,243 with exploits | 4,725 exploited in the wild | 1,540 in CISA KEV | 3,925 Nuclei templates | 37,802 vendors | 42,500 researchers

1,626 results
CVE-2025-35940 | CVSS 8.1 HIGH | EPSS 0.00
ArchiverSpaApi - Auth Bypass
The ArchiverSpaApi ASP.NET application uses a hard-coded JWT signing key. An unauthenticated remote attacker can generate and use a verifiable JWT token to access protected ArchiverSpaApi URL endpoints.
CWE-798 | Jun 10, 2025
CVE-2025-5751 | CVSS 6.8 MEDIUM | EPSS 0.00
Wolfbox Level 2 EV Charger Firmware - Hard-coded Credentials
WOLFBOX Level 2 EV Charger Management Card Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to bypass authentication on affected installations of WOLFBOX Level 2 EV Charger. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of management cards. The issue results from the lack of personalization of management cards. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26292.
CWE-798 | Jun 06, 2025
CVE-2025-3321 | EPSS 0.00
Predefined Administrative Account - Info Disclosure
A predefined administrative account is not documented and cannot be deactivated. This account cannot be misused from the network, only by local users on the server.
CWE-798 | Jun 06, 2025
CVE-2025-5379 | CVSS 4.3 MEDIUM | EPSS 0.00
NuCom NC-WR744G 8.5.5 Build 20200530.307 - Hard-Coded Credentials
A vulnerability classified as critical was found in NuCom NC-WR744G 8.5.5 Build 20200530.307. This vulnerability affects unknown code of the component Console Application. The manipulation of the argument CMCCAdmin/useradmin/CUAdmin leads to hard-coded credentials. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CWE-259 | May 31, 2025
CVE-2025-4633 | CVSS 6.5 MEDIUM | EPSS 0.00
Airpointer 2.4.107-2 - Info Disclosure
Default credentials were present in the web portal for Airpointer 2.4.107-2, allowing an unauthenticated malicious actor to log in via the web portal.
CWE-798 | May 30, 2025
CVE-2025-48491 | 1 Writeup | EPSS 0.00
Project AI <pre-beta - Info Disclosure
Project AI is a platform designed to create AI agents. Prior to the pre-beta version, a hardcoded API key was present in the source code. This issue has been patched in the pre-beta version.
CWE-798 | May 30, 2025
CVE-2025-46352 | CVSS 9.8 CRITICAL | EPSS 0.00
CS5000 Fire Panel - Info Disclosure
The CS5000 Fire Panel is vulnerable due to a hard-coded password that runs on a VNC server and is visible as a string in the binary responsible for running VNC. This password cannot be altered, allowing anyone with knowledge of it to gain remote access to the panel. Such access could enable an attacker to operate the panel remotely, potentially putting the fire panel into a non-functional state and causing serious safety issues.
CWE-798 | May 30, 2025
CVE-2025-48748 | CVSS 10.0 CRITICAL | EPSS 0.00
Netwrix Directory Manager <10.0.7784.0 - Info Disclosure
Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password.
CWE-798 | May 29, 2025
CVE-2025-36572 | CVSS 6.5 MEDIUM | EPSS 0.00
Dell Powerstoreos < 4.0.1.3-2494147 - Hard-coded Credentials
Dell PowerStore, version(s) 4.0.0.0, contain(s) a Use of Hard-coded Credentials vulnerability in the PowerStore image file. A low privileged attacker with remote access, with the knowledge of the hard-coded credentials, could potentially exploit this vulnerability to gain unauthorized access based on the hardcoded account's privileges.
CWE-798 | May 28, 2025
CVE-2025-5164 | CVSS 3.7 LOW | EPSS 0.00
PerfreeBlog 4.0.11 - Code Injection
A vulnerability has been found in PerfreeBlog 4.0.11 and classified as problematic. This vulnerability affects the function JwtUtil of the component JWT Handler. The manipulation leads to use of a hard-coded cryptographic key. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CWE-320 | May 26, 2025
CVE-2025-41380 | EPSS 0.00
Iridium Certus 700 <1.0.1 - Info Disclosure
Iridium Certus 700 version 1.0.1 has an embedded credentials vulnerability in the code. This vulnerability allows a local user to retrieve the SSH hash string.
CWE-798 | May 23, 2025
CVE-2025-2394 | EPSS 0.00
Ecovacs Home <3.3.0 - Info Disclosure
Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.
CWE-798 | May 23, 2025
CVE-2025-48414 | CVSS 6.5 MEDIUM | EPSS 0.00
Unknown - Info Disclosure
There are several scripts in the web interface that are accessible via undocumented hard-coded credentials. The scripts provide access to additional administrative/debug functionality, are likely intended for debugging during development, and provide an additional attack surface.
CWE-798 | May 21, 2025
CVE-2025-48413 | CVSS 7.7 HIGH | EPSS 0.00
root - Info Disclosure
The `/etc/passwd` and `/etc/shadow` files reveal hard-coded password hashes for the operating system "root" user. The credentials are shipped with the update files. There is no option for an end user to delete or change these passwords. An attacker can use the credentials to log into the device. Authentication can be performed via SSH backdoor or likely via physical access (UART shell).
CWE-798 | May 21, 2025
CVE-2025-45746 | CVSS 6.5 MEDIUM | 1 Writeup | EPSS 0.01
ZKT ZKBio CVSecurity 6.4.1_R - Auth Bypass
In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft a JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and because access to the service console does not result in login access or data access in the context of the application software platform.
CWE-321 | May 13, 2025
CVE-2025-27488 | CVSS 6.7 MEDIUM | EPSS 0.01
Windows Hardware Lab Kit - Privilege Escalation
Use of hard-coded credentials in Windows Hardware Lab Kit allows an authorized attacker to elevate privileges locally.
CWE-798 | May 13, 2025
CVE-2025-47730 | CVSS 4.8 MEDIUM | EXPLOITED | 1 Writeup | EPSS 0.00
Smarsh Telemessage < 2025-05-05 - Hard-coded Credentials
The TeleMessage archiving backend through 2025-05-05 accepts API calls (to request an authentication token) from the TM SGNL (aka Archive Signal) app with the credentials of logfile for the user and enRR8UVVywXYbFkqU#QDPRkO for the password.
CWE-798 | May 08, 2025
CVE-2025-20188 | CVSS 10.0 CRITICAL | EXPLOITED | 1 PoC Analysis | NUCLEI | EPSS 0.03
Cisco IOS XE - Unauthenticated RCE
A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
CWE-798 | May 07, 2025
CVE-2025-4041 | EPSS 0.00
Optigo Networks ONS NC600 <4.7.2.330 - Command Injection
In Optigo Networks ONS NC600 versions 4.2.1-084 through 4.7.2-330, an attacker could connect with the device's ssh server and utilize the system's components to perform OS command executions.
CWE-798 | May 06, 2025
CVE-2025-32889 | CVSS 7.3 HIGH | 1 Writeup | EPSS 0.00
Gotenna Mesh Firmware - Hard-coded Credentials
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The verification token used for sending SMS through a goTenna server is hardcoded in the app.
CWE-798 | May 01, 2025