Monthly
Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remote attackers to forge valid internode RPC requests by exploiting a hardcoded fallback secret 'rustfsadmin' used when neither RUSTFS_RPC_SECRET nor the global S3 secret key is configured. With a CVSS of 9.8 and full CIA impact, this represents a critical pre-auth compromise vector against the storage cluster's internal trust boundary. No public exploit identified at time of analysis, though the fallback secret is publicly visible in the source tree, making weaponization trivial.
Unauthenticated remote root access on SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 is achievable by submitting a hardcoded credential to recovery endpoints (mgmt.php, npcmd.php) in the web management interface. Attackers can then enable filtered SSH/Telnet services to obtain persistent root-level shell access. CVSS is 9.8 with publicly available exploit code, though no public exploit identified at time of analysis in CISA KEV.
Hard-coded credentials in IBM Controller (versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2) give attackers a static, embedded secret - a password or cryptographic key - that the product uses for inbound authentication, outbound communication, or encryption of internal data. Because the credential is the same across every deployment, an attacker who already holds low-level access (CVSS PR:L) can leverage it to gain full confidentiality, integrity, and availability impact (C:H/I:H/A:H) over the network. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Hard-coded root credentials in Netis AC1200 Router NC21 firmware V4.0.1.4296 allow attackers who reach the device to log in as root using the trivially guessable password 'root' stored in /etc/shadow.sample. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the credential is static across affected units, making any exposed management interface a one-step compromise. The flaw is classified as CWE-798 (Use of Hard-coded Credentials) and is tagged as an Authentication Bypass.
Open ISES Tickets exposes a hardcoded Google Maps API key committed directly to its public GitHub source repository in tables.php, affecting all versions before 3.44.2. Any party with read access to the repository - effectively the entire internet - can extract the key and authenticate to Google Maps Platform as the application owner, generating API usage billed against the victim's Google Cloud project. No public exploit has been identified at time of analysis, but the SSVC framework rates this as automatable with partial technical impact, and the v3.44.2 release notes confirm the key is one of five hardcoded secrets removed in a batch of 88 security fixes.
Hardcoded Google Maps API key exposure in Open ISES Tickets before v3.44.2 enables any party with read access to the public GitHub repository to extract a valid API credential from settings.inc.php and issue arbitrary Google Maps Platform requests billed against the victim organization's Google Cloud project. All versions from the initial release up to (but not including) 3.44.2 are affected per CPE cpe:2.3:a:open_ises:tickets:*:*:*:*:*:*:*:*. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but exploitation requires only the ability to read a publicly hosted source file - effectively zero technical barrier for any motivated actor.
Open ISES Tickets before v3.44.2 exposes a hardcoded WhitePages reverse-phone API key committed directly into the public source file wp1.php, making it trivially accessible to any actor who can read the repository. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) reflects that no authentication or special conditions are required - extraction is as simple as reading a publicly hosted source file. Impact is bounded to third-party API abuse: an attacker can use the stolen key to make WhitePages lookups billed to or rate-capped against the legitimate owner's account. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV, though the passive nature of the exposure means any observer of the repository may already possess the key.
Credential exposure in Open ISES Tickets versions prior to 3.44.2 allows remote attackers to obtain valid MySQL database connection parameters (host, username, password, database name) hardcoded in import_mdb.php and committed to the public source repository. Any attacker who can read the public GitHub source can extract these credentials and attempt to authenticate against deployed installations that retained the default values, with no public exploit identified at time of analysis.
Hardcoded MySQL credentials in Open ISES Tickets before 3.44.2 expose database username, password, and database name through a public-facing loader.php utility that was committed to the source repository. Any user able to read the source tree on GitHub or fetch the file from a deployed installation can connect to the backing database if reachable, leading to full read/write access. No public exploit identified at time of analysis, but the credentials are trivially recoverable from the source tree.
Authentication bypass in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) allows unauthenticated remote attackers to recover hard-coded administrative credentials by viewing the page source of login.zhtml, because the validate() function performs credential checking entirely client-side. With a CVSS 4.0 base score of 9.3 (AV:N/AC:L/PR:N/UI:N) and a VulnCheck advisory plus a public Medium write-up, the flaw is trivially exploitable, though no public exploit identified at time of analysis as a packaged tool and the device is not currently listed in CISA KEV.
Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remote attackers to forge valid internode RPC requests by exploiting a hardcoded fallback secret 'rustfsadmin' used when neither RUSTFS_RPC_SECRET nor the global S3 secret key is configured. With a CVSS of 9.8 and full CIA impact, this represents a critical pre-auth compromise vector against the storage cluster's internal trust boundary. No public exploit identified at time of analysis, though the fallback secret is publicly visible in the source tree, making weaponization trivial.
Unauthenticated remote root access on SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 is achievable by submitting a hardcoded credential to recovery endpoints (mgmt.php, npcmd.php) in the web management interface. Attackers can then enable filtered SSH/Telnet services to obtain persistent root-level shell access. CVSS is 9.8 with publicly available exploit code, though no public exploit identified at time of analysis in CISA KEV.
Hard-coded credentials in IBM Controller (versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2) give attackers a static, embedded secret - a password or cryptographic key - that the product uses for inbound authentication, outbound communication, or encryption of internal data. Because the credential is the same across every deployment, an attacker who already holds low-level access (CVSS PR:L) can leverage it to gain full confidentiality, integrity, and availability impact (C:H/I:H/A:H) over the network. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Hard-coded root credentials in Netis AC1200 Router NC21 firmware V4.0.1.4296 allow attackers who reach the device to log in as root using the trivially guessable password 'root' stored in /etc/shadow.sample. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the credential is static across affected units, making any exposed management interface a one-step compromise. The flaw is classified as CWE-798 (Use of Hard-coded Credentials) and is tagged as an Authentication Bypass.
Open ISES Tickets exposes a hardcoded Google Maps API key committed directly to its public GitHub source repository in tables.php, affecting all versions before 3.44.2. Any party with read access to the repository - effectively the entire internet - can extract the key and authenticate to Google Maps Platform as the application owner, generating API usage billed against the victim's Google Cloud project. No public exploit has been identified at time of analysis, but the SSVC framework rates this as automatable with partial technical impact, and the v3.44.2 release notes confirm the key is one of five hardcoded secrets removed in a batch of 88 security fixes.
Hardcoded Google Maps API key exposure in Open ISES Tickets before v3.44.2 enables any party with read access to the public GitHub repository to extract a valid API credential from settings.inc.php and issue arbitrary Google Maps Platform requests billed against the victim organization's Google Cloud project. All versions from the initial release up to (but not including) 3.44.2 are affected per CPE cpe:2.3:a:open_ises:tickets:*:*:*:*:*:*:*:*. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but exploitation requires only the ability to read a publicly hosted source file - effectively zero technical barrier for any motivated actor.
Open ISES Tickets before v3.44.2 exposes a hardcoded WhitePages reverse-phone API key committed directly into the public source file wp1.php, making it trivially accessible to any actor who can read the repository. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) reflects that no authentication or special conditions are required - extraction is as simple as reading a publicly hosted source file. Impact is bounded to third-party API abuse: an attacker can use the stolen key to make WhitePages lookups billed to or rate-capped against the legitimate owner's account. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV, though the passive nature of the exposure means any observer of the repository may already possess the key.
Credential exposure in Open ISES Tickets versions prior to 3.44.2 allows remote attackers to obtain valid MySQL database connection parameters (host, username, password, database name) hardcoded in import_mdb.php and committed to the public source repository. Any attacker who can read the public GitHub source can extract these credentials and attempt to authenticate against deployed installations that retained the default values, with no public exploit identified at time of analysis.
Hardcoded MySQL credentials in Open ISES Tickets before 3.44.2 expose database username, password, and database name through a public-facing loader.php utility that was committed to the source repository. Any user able to read the source tree on GitHub or fetch the file from a deployed installation can connect to the backing database if reachable, leading to full read/write access. No public exploit identified at time of analysis, but the credentials are trivially recoverable from the source tree.
Authentication bypass in the Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) allows unauthenticated remote attackers to recover hard-coded administrative credentials by viewing the page source of login.zhtml, because the validate() function performs credential checking entirely client-side. With a CVSS 4.0 base score of 9.3 (AV:N/AC:L/PR:N/UI:N) and a VulnCheck advisory plus a public Medium write-up, the flaw is trivially exploitable, though no public exploit identified at time of analysis as a packaged tool and the device is not currently listed in CISA KEV.