Total
1490 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-52159 | 1 Yandaozi | 1 Ppress | 2025-09-25 | N/A | 8.8 HIGH |
| Hardcoded credentials in default configuration of PPress 0.0.9. | |||||
| CVE-2025-57602 | 2025-09-23 | N/A | 9.8 CRITICAL | ||
| Insufficient hardening of the proxyuser account in the AiKaan IoT management platform, combined with the use of a shared, hardcoded SSH private key, allows remote attackers to authenticate to the cloud controller, gain interactive shell access, and pivot into other connected IoT devices. This can lead to remote code execution, information disclosure, and privilege escalation across customer environments. | |||||
| CVE-2025-57601 | 2025-09-23 | N/A | 9.8 CRITICAL | ||
| AiKaan Cloud Controller uses a single hardcoded SSH private key and the username `proxyuser` for remote terminal access to all managed IoT/edge devices. When an administrator initiates "Open Remote Terminal" from the AiKaan dashboard, the controller sends this same static private key to the target device. The device then uses it to establish a reverse SSH tunnel to a remote access server, enabling browser-based SSH access for the administrator. Because the same `proxyuser` account and SSH key are reused across all customer environments: - An attacker who obtains the key (e.g., by intercepting it in transit, extracting it from the remote access server, or from a compromised admin account) can impersonate any managed device. - They can establish unauthorized reverse SSH tunnels and interact with devices without the owner's consent. This is a design flaw in the authentication model: compromise of a single key compromises the trust boundary between the controller and devices. | |||||
| CVE-2025-51536 | 1 Craws | 1 Openatlas | 2025-09-23 | N/A | 9.8 CRITICAL |
| Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 as discovered to contain a hardcoded Administrator password. | |||||
| CVE-2024-11147 | 1 Ecovacs | 28 Airbot Andy, Airbot Andy Firmware, Airbot Ava and 25 more | 2025-09-23 | N/A | 7.6 HIGH |
| ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root. | |||||
| CVE-2025-30200 | 1 Ecovacs | 26 Deebot T10, Deebot T10 Firmware, Deebot T10 Omni and 23 more | 2025-09-23 | N/A | 6.3 MEDIUM |
| ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived. | |||||
| CVE-2025-30198 | 1 Ecovacs | 26 Deebot T10, Deebot T10 Firmware, Deebot T10 Omni and 23 more | 2025-09-23 | N/A | 6.3 MEDIUM |
| ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived. | |||||
| CVE-2024-41794 | 1 Siemens | 2 7kt Pac1260 Data Manager, 7kt Pac1260 Data Manager Firmware | 2025-09-23 | N/A | 10.0 CRITICAL |
| A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). Affected devices contain hardcoded credentials for remote access to the device operating system with root privileges. This could allow unauthenticated remote attackers to gain full access to a device, if they are in possession of these credentials and if the ssh service is enabled (e.g., by exploitation of CVE-2024-41793). | |||||
| CVE-2025-57434 | 2025-09-22 | N/A | 8.8 HIGH | ||
| Creacast Creabox Manager contains a critical authentication flaw that allows an attacker to bypass login validation. The system grants access when the username is creabox and the password begins with the string creacast, regardless of what follows. | |||||
| CVE-2025-58656 | 2025-09-22 | N/A | 5.3 MEDIUM | ||
| Use of Hard-coded Credentials vulnerability in Risto Niinemets Estonian Shipping Methods for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects Estonian Shipping Methods for WooCommerce: from n/a through 1.7.2. | |||||
| CVE-2025-58269 | 2025-09-22 | N/A | 5.3 MEDIUM | ||
| Use of Hard-coded Credentials vulnerability in weDevs WP Project Manager allows Retrieve Embedded Sensitive Data. This issue affects WP Project Manager: from n/a through 2.6.25. | |||||
| CVE-2025-58659 | 2025-09-22 | N/A | 5.3 MEDIUM | ||
| Use of Hard-coded Credentials vulnerability in Essekia Helpie FAQ allows Retrieve Embedded Sensitive Data. This issue affects Helpie FAQ: from n/a through 1.39. | |||||
| CVE-2024-9643 | 1 Four-faith | 2 F3x36, F3x36 Firmware | 2025-09-19 | N/A | 9.8 CRITICAL |
| The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to authentication bypass due to hard-coded credentials in the administrative web server. An attacker with knowledge of the credentials can gain administrative access via crafted HTTP requests. This issue appears similar to CVE-2023-32645. | |||||
| CVE-2025-5023 | 2025-09-19 | N/A | 7.1 HIGH | ||
| Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020. | |||||
| CVE-2024-48842 | 2025-09-18 | N/A | 7.0 HIGH | ||
| Use of Hard-coded Credentials vulnerability in ABB FLXEON.This issue affects FLXEON: through 9.3.5 and newer versions | |||||
| CVE-2024-22813 | 1 Tormach | 2 Pathpilot Controller, Xstech Cnc Router | 2025-09-15 | N/A | 4.4 MEDIUM |
| An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to overwrite the hardcoded IP address in the device memory, disrupting network connectivity between the router and the controller. | |||||
| CVE-2025-57578 | 2025-09-15 | N/A | 8.0 HIGH | ||
| An issue in H3C Magic M Device M2V100R006 allows a remote attacker to execute arbitrary code via the default password | |||||
| CVE-2025-57577 | 2025-09-15 | N/A | 8.0 HIGH | ||
| An issue in H3C Device R365V300R004 allows a remote attacker to execute arbitrary code via the default password. NOTE: the Supplier's position is that their "product lines enforce or clearly prompt users to change any initial credentials upon first use. At most, this would be a case of misconfiguration if an administrator deliberately ignored the prompts, which is outside the scope of CVE definitions." | |||||
| CVE-2025-8530 | 1 Eladmin | 1 Eladmin | 2025-09-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in elunez eladmin up to 2.7. Affected by this issue is some unknown functionality of the file eladmin-system\src\main\resources\config\application-prod.yml of the component Druid. The manipulation of the argument login-username/login-password leads to use of default credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-9310 | 1 Carrental Project | 1 Carrental | 2025-09-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was determined in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. Affected by this vulnerability is an unknown functionality of the file /carRental_war/druid/login.html of the component Druid. Executing manipulation can lead to hard-coded credentials. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | |||||