| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| ProjectsAndPrograms school-management-system uses predictable credentials by generating student's and teacher's passwords solely from the user’s date of birth (e.g., 12072000 for 12 July 2000). The application does not require or prompt users to change the password upon first login. This behavior allows attackers to easily guess or derive valid credentials, leading to unauthorized account access.
The maintainers were notified early about this vulnerability but did not provide details regarding affected versions. The version corresponding to commit 6b6fae5 was tested and confirmed vulnerable; other versions were not tested and may also be affected. |
| In Slican telephone exchanges secure key is generated in a predictable manner using properties of the telephone exchange which can be obtained without authentication. An unauthenticated attacker can deduce the secure key and obtain admin credentials.
This issue was fixed in versions below:
- IPx series: version 6.61.0040
- CCT-1668: version 6.56.0430
- MAC-6400: version 6.56.0430
- CXS-0424: version 6.30.0510
The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below:
- CCT-1668 (CCT1CPU)
- MAC-6400
- CXS-0424
These products were discontinued in 2011 and 2012 and and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact the their service department directly to determine the options for upgrading. |
| Dlink DWR-X1820 router uses weak default password generated from its IMEI number and does not require users to change it. An attacker who knows how passwords are generated can easily crack the default password if they have the device IMEI number.
This issue was fixed in version 1.00B16CP. |
| fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string (''), for example via the common keys[decoded.header.kid] || '' JWKS-style fallback, fast-jwt converts it to a zero-length Buffer, hands it to crypto.createSecretKey, derives allowedAlgorithms = ['HS256','HS384','HS512'] from it, and then verifies the token's signature against an empty-key HMAC. The attacker simply computes HMAC-SHA256(key='', input='${header}.${payload}'), which Node accepts without complaint — and the verifier returns the attacker-chosen payload (sub, admin, scopes, etc.) as authentic. This vulnerability is fixed in 6.2.4. |
| Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a use of weak credentials vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to the system. |
| Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This could allow an attacker to easily perform a brute-force attack against a user and gain access by trying different PINs without the account being locked. Successful exploitation of this vulnerability could result in unauthorized access to confidential configuration settings, compromising the security of the system. |
| BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service. |
| The device is deployed with weak and publicly known default passwords for certain hidden user levels, increasing the risk of unauthorized access. This represents a high risk to the integrity of the system. |
| For WRC-X1500GS-B and WRC-X1500GSA-B, the initial passwords can be calculated easily from the system information. |
| OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires
authentication. However, the product ships with a default administrative account (admin/
admin) and does not enforce a mandatory password change on first use. After the first
successful login, the server continues to accept the default password indefinitely without
warning or enforcement.
In real-world deployments, this service is often left enabled without changing the default
credentials. As a result, a remote attacker with access to the service port could authenticate
as an administrator and gain full control of the protocol’s administrative features. |
| The Access Manager 92xx in hardware revision K7 is based on Linux instead of Windows CE embedded in older hardware revisions. In this new hardware revision it was noticed that an SSH service is exposed on port 22. By analyzing the firmware of the devices, it was noticed that there are two users with hardcoded and weak passwords that can be used to access the devices via SSH. The passwords can be also guessed very easily. The password of at least one user is set to a random value after the first deployment, with the restriction that the password is only randomized if the configured date is prior to 2022. Therefore, under certain circumstances, the passwords are not randomized. For example, if the clock is never set on the device, the battery of the clock module has been changed, the Access Manager has been factory reset and has not received a time yet. |
| Under certain circumstances the Software House C●CURE 9000 installer will utilize weak credentials. |
| Securden’s Unified PAM Remote Vendor Gateway access portal shares infrastructure and access tokens across multiple tenants. A malicious actor can obtain authentication material and access the gateway server with low-privilege permissions. |
| A weak credential vulnerability exists in Firewalla Box Software versions before 1.979. This vulnerability allows a physically close attacker to use the license UUID for authentication and provision SSH credentials over the Bluetooth Low-Energy (BTLE) interface. Once an attacker gains access to the LAN, they could log into the SSH interface using the provisioned credentials. The license UUID can be acquired through plain-text Bluetooth sniffing, reading the QR code on the bottom of the device, or brute-forcing the UUID (though this is less likely). |
| On multiple products of SEIKO EPSON and FUJIFILM Corporation, the initial administrator password is easy to guess from the information available via SNMP. If the administrator password is not changed from the initial one, a remote attacker with SNMP access can log in to the product with the administrator privilege. |
| After gaining access to the firmware of a charging station, a file at <redacted> can be accessed to obtain default credentials that are the same across all Iocharger AC model EV chargers.
This issue affects Iocharger firmware for AC models before firmware version 25010801.
The issue is addressed by requiring a mandatory password change on first login, it is still recommended to change the password on older models.
Likelihood: Moderate – The attacker will first have to abuse a code execution or file inclusion vulnerability (for example by using <redacted>.sh) to gain access to the <redacted>.json file, or obtain a firmware dump of the charging station or obtain the firmware via other channels.
Impact: Critical – All chargers using Iocharger firmware for AC models started with the same initial password. For models with firmware version before 25010801 a password change was not mandatory. It is therefore very likely that this firmware password is still active on many chargers. These credentials could, once obtained, allow an attacker to log into many Iocharger charging station, and allow them to execute arbitrary commands via the System → Custom page.
CVSS clarification: Any network interface serving the web ui is vulnerable (AV:N) and there are not additional security measures to circumvent (AC:L), nor does the attack require and existing preconditions (AT:N). The attack is authenticated, and requires high privileges (PR:H), there is no user interaction required (UI:N). The attack leads to a compromised of the confidentialy of the "super user" credentials of the device (VC:H/VI:N/VA:N), and can subsequently be used to full compromise and other devices (SC:H/SI:H/SA:H). Becuase this is an EV charger handing significant power, there is a potential safety impact (S:P). This attack can be automated (AU:Y). |
| ZXHN-F660T and ZXHN-F660A provided by ZTE Japan K.K. use a common credential for all installations. With the knowledge of the credential, an attacker may log in to the affected devices. |
| Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might reuse such a token to change user's password and take over the account. Moreover, the tokens also include base64 encoded user email.
This issue impacts releases up to 3.7.4 and was addressed by pull request 2679 https://github.com/CTFd/CTFd/pull/2679 included in 3.7.5 release. |
| HGW BL1500HM Ver 002.001.013 and earlier contains a use of week credentials issue. A network-adjacent unauthenticated attacker may connect to the product via SSH and use a shell. |
| A token is created using the username, current date/time, and a fixed
AES-128 encryption key, which is the same across all installations. |
