Total
965 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-26671 | 1 Secom | 2 Dr.id Access Control, Dr.id Attendance System | 2022-04-14 | 7.5 HIGH | 7.3 HIGH |
| Taiwan Secom Dr.ID Access Control system’s login page has a hard-coded credential in the source code. An unauthenticated remote attacker can use the hard-coded credential to acquire partial system information and modify system setting to cause partial disrupt of service. | |||||
| CVE-2022-23440 | 1 Fortinet | 1 Fortiedr | 2022-04-14 | 4.6 MEDIUM | 7.8 HIGH |
| A use of hard-coded cryptographic key vulnerability [CWE-321] in the registration mechanism of FortiEDR collectors versions 5.0.2, 5.0.1, 5.0.0, 4.0.0 may allow a local attacker to disable and uninstall the collectors from the end-points within the same deployment. | |||||
| CVE-2022-23441 | 1 Fortinet | 1 Fortiedr | 2022-04-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiEDR versions 5.0.2, 5.0.1, 5.0.0, 4.0.0 may allow an unauthenticated attacker on the network to disguise as and forge messages from other collectors. | |||||
| CVE-2012-4712 | 1 Moxa | 2 Edr-g903, Edr-g903 Firmware | 2022-04-12 | 5.0 MEDIUM | N/A |
| Moxa EDR-G903 series routers with firmware before 2.11 have a hardcoded account, which allows remote attackers to obtain unspecified device access via unknown vectors. | |||||
| CVE-2021-30064 | 2 Belden, Schneider-electric | 26 Eagle 20 Tofino 943 987-501-tx\/tx, Eagle 20 Tofino 943 987-501-tx\/tx Firmware, Eagle 20 Tofino 943 987-502 -tx\/mm and 23 more | 2022-04-08 | 6.8 MEDIUM | 9.8 CRITICAL |
| On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, an SSH login can succeed with hardcoded default credentials (if the device is in the uncommissioned state). | |||||
| CVE-2022-24693 | 1 Baicells | 4 Neutrino 430, Neutrino 430 Firmware, Nova436q and 1 more | 2022-04-07 | 7.8 HIGH | 9.8 CRITICAL |
| Baicells Nova436Q and Neutrino 430 devices with firmware through QRTB 2.7.8 have hardcoded credentials that are easily discovered, and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.) | |||||
| CVE-2019-3710 | 1 Dell | 1 Emc Networking Os10 | 2022-04-05 | 6.8 MEDIUM | 8.1 HIGH |
| Dell EMC Networking OS10 versions prior to 10.4.3 contain a cryptographic key vulnerability due to an underlying application using undocumented, pre-installed X.509v3 key/certificate pairs. An unauthenticated remote attacker with the knowledge of the default keys may potentially be able to intercept communications or operate the system with elevated privileges. | |||||
| CVE-2021-46008 | 1 Totolink | 2 A3100r, A3100r Firmware | 2022-04-05 | 7.9 HIGH | 8.8 HIGH |
| In totolink a3100r V5.9c.4577, the hard-coded telnet password can be discovered from official released firmware. An attacker, who has connected to the Wi-Fi, can easily telnet into the target with root shell if the telnet is function turned on. | |||||
| CVE-2020-25180 | 3 Rockwellautomation, Schneider-electric, Xylem | 31 Aadvance Controller, Isagraf Free Runtime, Isagraf Runtime and 28 more | 2022-04-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x includes the functionality of setting a password that is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encryption performed with a fixed key value using the tiny encryption algorithm (TEA) on an entered or saved password. A remote, unauthenticated attacker could pass their own encrypted password to the ISaGRAF 5 Runtime, which may result in information disclosure on the device. | |||||
| CVE-2021-27430 | 1 Ge | 1 Ur Bootloader Binary | 2022-03-31 | 4.6 MEDIUM | 6.8 MEDIUM |
| GE UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR. | |||||
| CVE-2022-25577 | 1 Alf-banco | 1 Alf-banco | 2022-03-30 | 6.4 MEDIUM | 9.1 CRITICAL |
| ALF-BanCO v8.2.5 and below was discovered to use a hardcoded password to encrypt the SQLite database containing the user's data. Attackers who are able to gain remote or local access to the system are able to read and modify the data. | |||||
| CVE-2019-8352 | 1 Bmc | 1 Patrol Agent | 2022-03-30 | 7.5 HIGH | 9.8 CRITICAL |
| By default, BMC PATROL Agent through 11.3.01 uses a static encryption key for encrypting/decrypting user credentials sent over the network to managed PATROL Agent services. If an attacker were able to capture this network traffic, they could decrypt these credentials and use them to execute code or escalate privileges on the network. | |||||
| CVE-2021-45877 | 1 Garo | 6 Wallbox Glb, Wallbox Glb Firmware, Wallbox Gtb and 3 more | 2022-03-28 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple versions of GARO Wallbox GLB/GTB/GTC are affected by hard coded credentials. A hardcoded credential exist in /etc/tomcat8/tomcat-user.xml, which allows attackers to gain authorized access and control the tomcat completely on port 8000 in the tomcat manger page. | |||||
| CVE-2022-25246 | 1 Ptc | 2 Axeda Agent, Axeda Desktop Server | 2022-03-28 | 9.0 HIGH | 8.8 HIGH |
| Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) uses hard-coded credentials for its UltraVNC installation. Successful exploitation of this vulnerability could allow a remote authenticated attacker to take full remote control of the host operating system. | |||||
| CVE-2022-26660 | 1 Robotronic | 1 Runasspc | 2022-03-28 | 5.0 MEDIUM | 7.5 HIGH |
| RunAsSpc 4.0 uses a universal and recoverable encryption key. In possession of a file encrypted by RunAsSpc, an attacker can recover the credentials that were used. | |||||
| CVE-2022-25510 | 1 Freetakserver-ui Project | 1 Freetakserver-ui | 2022-03-22 | 6.5 MEDIUM | 8.8 HIGH |
| FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers to create crafted cookies to bypass authentication or escalate privileges. | |||||
| CVE-2022-21194 | 1 Yokogawa | 5 Centum Vp, Centum Vp Entry, Centum Vp Entry Firmware and 2 more | 2022-03-18 | 6.8 MEDIUM | 9.8 CRITICAL |
| The following Yokogawa Electric products do not change the passwords of the internal Windows accounts from the initial configuration: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.0, Exaopc versions from R3.72.00 to R3.79.00. | |||||
| CVE-2022-23402 | 1 Yokogawa | 5 Centum Vp, Centum Vp Entry, Centum Vp Entry Firmware and 2 more | 2022-03-18 | 7.5 HIGH | 9.8 CRITICAL |
| The following Yokogawa Electric products hard-code the password for CAMS server applications: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00 | |||||
| CVE-2022-25213 | 1 Phicomm | 10 K2, K2 Firmware, K2g and 7 more | 2022-03-17 | 7.2 HIGH | 6.8 MEDIUM |
| Improper physical access control and use of hard-coded credentials in /etc/passwd permits an attacker with physical access to obtain a root shell via an unprotected UART port on the device. The same port exposes an unauthenticated Das U-Boot BIOS shell. | |||||
| CVE-2022-25217 | 1 Phicomm | 4 K2, K2 Firmware, K3c and 1 more | 2022-03-17 | 7.2 HIGH | 7.8 HIGH |
| Use of a hard-coded cryptographic key pair by the telnetd_startup service allows an attacker on the local area network to obtain a root shell on the device over telnet. The builds of telnetd_startup included in the version 22.5.9.163 of the K2 firmware, and version 32.1.15.93 of the K3C firmware (possibly amongst many other releases) included both the private and public RSA keys. The remaining versions cited here redacted the private key, but left the public key unchanged. An attacker in possession of the leaked private key may, through a scripted exchange of UDP packets, instruct telnetd_startup to spawn an unauthenticated telnet shell as root, by means of which they can then obtain complete control of the device. A consequence of the limited availablility of firmware images for testing is that models and versions not listed here may share this vulnerability. | |||||