CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,847 CVEs tracked; 53,242 with exploits; 4,725 exploited in the wild; 1,540 in CISA KEV; 3,918 Nuclei templates; 37,802 vendors; 42,493 researchers
1,626 results
CVE-2025-13954 EPSS 0.00
EZCast Pro II <1.17478.146 - Auth Bypass
Hard-coded cryptographic keys in the Admin UI of EZCast Pro II version 1.17478.146 allow attackers to bypass authorization checks and gain full access to the admin UI.
CWE-798 Dec 10, 2025
CVE-2025-41696 4.6 MEDIUM EPSS 0.00
Phoenixcontact FL Switch 2708 PN Firmware - Hard-coded Credentials
An attacker can use an undocumented UART port on the PCB as a side-channel with the user hardcoded credentials obtained from CVE-2025-41692 to gain read access to parts of the filesystem of the device.
CWE-798 Dec 09, 2025
CVE-2025-40938 8.1 HIGH EPSS 0.00
Siemens Simatic CN 4100 Firmware < 4.0.1 - Hard-coded Credentials
A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device stores sensitive information in the firmware. This could allow an attacker to access and misuse this information, potentially impacting the device’s confidentiality, integrity, and availability.
CWE-798 Dec 09, 2025
CVE-2025-14126 8.8 HIGH EPSS 0.00
TOZED ZLT M30S/ZLT M30S PRO <1.47/3.09.06 - Hard-Coded Credentials
A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CWE-259 Dec 06, 2025
CVE-2025-65730 8.8 HIGH 2 Writeups EPSS 0.01
GoAway <0.62.18 - Auth Bypass
Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication.
CWE-798 Dec 05, 2025
CVE-2025-66237 6.7 MEDIUM 1 Writeup EPSS 0.00
DCIM dcTrack - Privilege Escalation
DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host.
CWE-798 Dec 04, 2025
CVE-2025-29268 9.8 CRITICAL EPSS 0.00
Allnet All-rut22gw Firmware - Hard-coded Credentials
ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library.
CWE-798 Dec 04, 2025
CVE-2025-64778 7.3 HIGH EPSS 0.00
Mirion Biodose/nmis < 23.0 - Hard-coded Credentials
NMIS/BioDose software V22.02 and previous versions contain executable binaries with plain text hard-coded passwords. These hard-coded passwords could allow unauthorized access to both the application and database.
CWE-798 Dec 02, 2025
CVE-2025-66454 6.5 MEDIUM 1 Writeup EPSS 0.00
Arcade MCP <1.5.4 - Auth Bypass
Arcade MCP allows you to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints, including tool enumeration and tool invocation, without credentials. This vulnerability is fixed in 1.5.4.
CWE-321 Dec 02, 2025
CVE-2025-54341 5.3 MEDIUM EPSS 0.00
Desktopalert Pingalert Application Server - Hard-coded Credentials
A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There are Hard-coded configuration values.
CWE-798 Nov 24, 2025
CVE-2018-25126 EXPLOITED 1 Writeup EPSS 0.02
Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 - Command Injec...
Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endpoints such as /editBlackAndWhiteList and inject shell metacharacters inside XML parameters, resulting in arbitrary command execution as root. The same vulnerable backend is also reachable in some models through a proprietary TCP service on port 4567 that accepts a magic GUID preface and base64-encoded XML, enabling the same command injection sink. Firmware releases from mid-February 2018 and later are reported to have addressed this issue. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-28 UTC.
CWE-78 Nov 24, 2025
CVE-2025-63433 4.6 MEDIUM 1 Writeup EPSS 0.00
Xtooltech Xtool AnyScan <4.40.40 - Code Injection
Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package.
CWE-798 Nov 24, 2025
CVE-2025-59669 5.3 MEDIUM EPSS 0.00
Fortinet Fortiweb < 7.6.1 - Hard-coded Credentials
A use of hard-coded credentials vulnerability in Fortinet FortiWeb 7.6.0, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, and FortiWeb 7.0 all versions may allow an authenticated attacker with shell access to the device to connect to the redis service and access its data.
CWE-798 Nov 18, 2025
CVE-2025-64766 5.3 MEDIUM 1 Writeup EPSS 0.00
NixOS's Onlyoffice <25.05 - Info Disclosure
NixOS's Onlyoffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In versions from 22.11 to before 25.05 and versions before Unstable 25.11, a hard-coded secret was used in the NixOS module for the OnlyOffice document server to protect its file cache. An attacker with knowledge of an existing revision ID could use this secret to obtain a document. In practice, an arbitrary revision ID should be hard to obtain. The primary impact is likely the access to known documents from users with expired access. This issue was resolved in NixOS unstable version 25.11 and version 25.05.
CWE-798 Nov 17, 2025
CVE-2025-13252 7.3 HIGH EPSS 0.00
shsuishang ShopSuite ModulithShop <45a99398cec3b7ad7ff9383694f0b533...
A vulnerability was found in shsuishang ShopSuite ModulithShop up to 45a99398cec3b7ad7ff9383694f0b53339f2d35a. Affected by this issue is some unknown functionality of the component RSA/OAuth2/Database. The manipulation results in hard-coded credentials. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable.
CWE-259 Nov 16, 2025
CVE-2025-33186 8.8 HIGH EPSS 0.00
NVIDIA AIStore - Privilege Escalation/Info Disclosure/Data Tampering
NVIDIA AIStore contains a vulnerability in AuthN. A successful exploit of this vulnerability might lead to escalation of privileges, information disclosure, and data tampering.
CWE-798 Nov 11, 2025
CVE-2025-42890 10.0 CRITICAL EPSS 0.00
SQL Anywhere Monitor - RCE
SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution. This could cause high impact on the confidentiality, integrity, and availability of the system.
CWE-798 Nov 11, 2025
CVE-2025-34501 EPSS 0.00
Deck Mate 2 - Auth Bypass
Deck Mate 2 is distributed with static, hard-coded credentials for the root shell and web user interface, while multiple management services (SSH, HTTP, Telnet, SMB, X11) are enabled by default. If an attacker can reach these interfaces - most often through local or near-local access such as connecting to the USB or Ethernet ports beneath the table - the built-in credentials permit administrative login and full control of the system. Once authenticated, an attacker can access firmware utilities, modify controller software, and establish persistent compromise. Remote attack paths via network, cellular, or telemetry links may exist in specific configurations but generally require additional capabilities or operator error. The vendor reports that USB access has been disabled in current firmware builds.
CWE-798 Nov 03, 2025
CVE-2025-62777 8.8 HIGH EPSS 0.00
MZK-DP300N <1.07 - Code Injection
Use of Hard-Coded Credentials issue exists in MZK-DP300N version 1.07 and earlier, which may allow an attacker within the local network to log in to the affected device via Telnet and execute arbitrary commands.
CWE-798 Oct 28, 2025
CVE-2025-41109 4.6 MEDIUM EPSS 0.00
Ghostrobotics Vision 60 Firmware - Hard-coded Credentials
Ghost Robotics Vision 60 v0.27.2 includes, among its physical interfaces, three RJ45 connectors and a USB Type-C port. The vulnerability is due to the lack of authentication mechanisms when establishing connections through these ports. Specifically, with regard to network connectivity, the robot's internal router automatically assigns IP addresses to any device physically connected to it. An attacker could connect a WiFi access point under their control to gain access to the robot's network without needing the credentials for the deployed network. Once inside, the attacker can monitor all its data, as the robot runs on ROS 2 without authentication by default.
CWE-798 Oct 22, 2025