CWE-259 - Use of Hard-coded Password

Description

As it's difficult for system administrator to reveal and fix authentication failure caused by hard-coded password use it can lead to complete product disabling. Such problems may cause system vulnerabillity that allows attackers to get access to data. There are 2 variants of a hard-coded password applied by the software:
1. Inbound variant is used for inbound authentication of the software. This password can't be changed by system administrator and remains identical for all the product installations. As this variant is always the same, the password disclosure increases cases of attacks.
2. Outbound variant is used for setting of connection with another system or component and as it's usually fived and not complete it's easy to discover it by any user of the program.
The weakness is introduced during Implementattion, Architecture and Design stages.

Latest vulnerabilities for CWE-259

Use of hard-coded password in IBM Storage Fusion HCI 2024-01-09
Medium Yes

Multiple vulnerabilities in First Corporation DVRs 2023-11-27
High Yes

Multiple vulnerabilities in SonicWall SonicOS 2023-10-16
Medium Yes

Multiple vulnerabilities in Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series, EtherNet/IP Modules and EtherNet/IP 2023-06-07
Medium No

Multiple vulnerabilities in Siemens SIMATIC Cloud Connect 7 2023-05-11
Medium Yes

Multiple vulnerabilities in Kubernetes minikube 2023-04-20
High Yes

Default password in Lenovo Smart Clock Essential 2023-04-12
Low Yes

Multiple vulnerabilities in ProPump and Controls Osprey Pump Controller 2023-03-29
High No

Multiple vulnerabilities in Sewio RTLS Studio 2023-01-13
High No

Multiple vulnerabilities in Mitsubishi Electric FA Engineering Software 2022-11-30
High No

References

Description of CWE-259 on Mitre website