Monthly
Hard-coded credential exposure in SourceCodester's Online Examination & Learning Management System 1.0 (also distributed as Syllabus-aligned Learning Management and Examination System 1.0) allows remote unauthenticated attackers to exploit a statically embedded password ('CICT_2026') in the import_users.php file without any authentication or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms fully unauthenticated remote exploitation at low complexity, and the E:P exploit maturity modifier alongside the CVE description's explicit statement of public disclosure confirm that publicly available exploit code exists. Impact is constrained to low confidentiality exposure against the vulnerable component with no confirmed integrity or availability consequences.
Unauthenticated password reset bypass in SourceCodester Barangay Resident Profiling and Information Management System 1.0 allows remote attackers to reset user accounts to a known hard-coded credential via the `passsword_reset.php` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. Despite the VI:L integrity-only CVSS impact rating, the Authentication Bypass tag indicates the realistic consequence is full account takeover for any user whose password can be reset to the predictable hard-coded value 'password123'.
Hardcoded root credentials in T3 Technology CPE devices (models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03) allow remote unauthenticated attackers to gain full root-level control via the built-in 'superadmin' account. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation with total impact to confidentiality, integrity, and availability, and SSVC marks the issue as automatable with total technical impact. No public exploit identified at time of analysis, and EPSS remains very low (0.02%) despite the severity, suggesting limited current scanning activity.
Hard-coded credentials embedded in NetApp Active IQ OneCollect 2.7.3 allow any low-privileged authenticated user to perform unauthorized AutoSupport operations beyond their intended authorization scope. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-accessible exploitation with low complexity, requiring only a low-privilege account with no special attack conditions. No public exploit has been identified and the vulnerability does not appear in the CISA KEV catalog at time of analysis.
Hard-coded credentials in NetApp Active IQ Config Advisor 6.7.3 enable authenticated low-privileged attackers to perform unauthorized AutoSupport operations against connected NetApp infrastructure. The embedded credentials bypass intended access controls, allowing any account holder to trigger or manipulate AutoSupport telemetry functions beyond their assigned privilege level. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.
Hard-coded VNC password in the Eppendorf BioFlo 320 bioprocess control system allows any remote attacker who can reach the device on the network to take full control of its user interface without authentication. The flaw (CWE-259) is rated CVSS 9.3 and carries an SSVC technical impact of 'total' with automatable exploitation, though no public exploit has been identified at time of analysis and EPSS is low at 0.10%.
Siklu EtherHaul 8010 wireless backhaul devices contain a static root password that enables physical attackers or those with local console access to gain complete administrative control without authentication. The vulnerability affects firmware version 10.6.2-18707 and potentially other versions of the EtherHaul 8010 product line, allowing credential-based authentication bypass with high confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at this time, though the CVSS:3.1 physical attack vector (AV:P) reflects that an attacker must have direct physical access to the device's console interfaces.
Hardcoded password vulnerability in Yokogawa CENTUM VP allows authentication bypass for the PROG system account across versions R5.01.00-R5.04.20, R6.01.00-R6.12.00, and R7.01.00. An attacker who obtains the hardcoded credential and has direct access to the Human Interface Station (HIS) running CTM authentication mode can log in as PROG; however, real-world risk is constrained because PROG defaults to S1 (OFFUSER) permission level, and exploitation requires pre-existing HIS access. No public exploit code or active CISA KEV status identified at time of analysis.
Hard-coded credentials in YI Home Camera 2 firmware 2.1.1_20171024151200 allow adjacent network attackers to gain complete device control without authentication. The vulnerability exists in the /home/web/ipc file component and enables full compromise of confidentiality, integrity, and availability. Public exploit code exists (SSVC: poc) and vendor Yi Technology did not respond to responsible disclosure, leaving devices unpatched. EPSS score is low (0.02%, 5th percentile) despite total technical impact, suggesting limited widespread exploitation but significant risk for exposed IoT camera deployments on shared networks.
QNAP Hyper Data Protector before 2.3.1.455 contains hard-coded credentials that allow remote unauthenticated attackers to gain unauthorized access to backup management functions, potentially compromising all backed-up data across the organization.
Hard-coded credential exposure in SourceCodester's Online Examination & Learning Management System 1.0 (also distributed as Syllabus-aligned Learning Management and Examination System 1.0) allows remote unauthenticated attackers to exploit a statically embedded password ('CICT_2026') in the import_users.php file without any authentication or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms fully unauthenticated remote exploitation at low complexity, and the E:P exploit maturity modifier alongside the CVE description's explicit statement of public disclosure confirm that publicly available exploit code exists. Impact is constrained to low confidentiality exposure against the vulnerable component with no confirmed integrity or availability consequences.
Unauthenticated password reset bypass in SourceCodester Barangay Resident Profiling and Information Management System 1.0 allows remote attackers to reset user accounts to a known hard-coded credential via the `passsword_reset.php` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. Despite the VI:L integrity-only CVSS impact rating, the Authentication Bypass tag indicates the realistic consequence is full account takeover for any user whose password can be reset to the predictable hard-coded value 'password123'.
Hardcoded root credentials in T3 Technology CPE devices (models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03) allow remote unauthenticated attackers to gain full root-level control via the built-in 'superadmin' account. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation with total impact to confidentiality, integrity, and availability, and SSVC marks the issue as automatable with total technical impact. No public exploit identified at time of analysis, and EPSS remains very low (0.02%) despite the severity, suggesting limited current scanning activity.
Hard-coded credentials embedded in NetApp Active IQ OneCollect 2.7.3 allow any low-privileged authenticated user to perform unauthorized AutoSupport operations beyond their intended authorization scope. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-accessible exploitation with low complexity, requiring only a low-privilege account with no special attack conditions. No public exploit has been identified and the vulnerability does not appear in the CISA KEV catalog at time of analysis.
Hard-coded credentials in NetApp Active IQ Config Advisor 6.7.3 enable authenticated low-privileged attackers to perform unauthorized AutoSupport operations against connected NetApp infrastructure. The embedded credentials bypass intended access controls, allowing any account holder to trigger or manipulate AutoSupport telemetry functions beyond their assigned privilege level. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.
Hard-coded VNC password in the Eppendorf BioFlo 320 bioprocess control system allows any remote attacker who can reach the device on the network to take full control of its user interface without authentication. The flaw (CWE-259) is rated CVSS 9.3 and carries an SSVC technical impact of 'total' with automatable exploitation, though no public exploit has been identified at time of analysis and EPSS is low at 0.10%.
Siklu EtherHaul 8010 wireless backhaul devices contain a static root password that enables physical attackers or those with local console access to gain complete administrative control without authentication. The vulnerability affects firmware version 10.6.2-18707 and potentially other versions of the EtherHaul 8010 product line, allowing credential-based authentication bypass with high confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at this time, though the CVSS:3.1 physical attack vector (AV:P) reflects that an attacker must have direct physical access to the device's console interfaces.
Hardcoded password vulnerability in Yokogawa CENTUM VP allows authentication bypass for the PROG system account across versions R5.01.00-R5.04.20, R6.01.00-R6.12.00, and R7.01.00. An attacker who obtains the hardcoded credential and has direct access to the Human Interface Station (HIS) running CTM authentication mode can log in as PROG; however, real-world risk is constrained because PROG defaults to S1 (OFFUSER) permission level, and exploitation requires pre-existing HIS access. No public exploit code or active CISA KEV status identified at time of analysis.
Hard-coded credentials in YI Home Camera 2 firmware 2.1.1_20171024151200 allow adjacent network attackers to gain complete device control without authentication. The vulnerability exists in the /home/web/ipc file component and enables full compromise of confidentiality, integrity, and availability. Public exploit code exists (SSVC: poc) and vendor Yi Technology did not respond to responsible disclosure, leaving devices unpatched. EPSS score is low (0.02%, 5th percentile) despite total technical impact, suggesting limited widespread exploitation but significant risk for exposed IoT camera deployments on shared networks.
QNAP Hyper Data Protector before 2.3.1.455 contains hard-coded credentials that allow remote unauthenticated attackers to gain unauthorized access to backup management functions, potentially compromising all backed-up data across the organization.