CWE-798 Detail

CWE-798

Use of Hard-coded Credentials
High
Draft
2010-02-16
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

General Informations

Modes Of Introduction

Architecture and Design : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: Mobile (Undetermined)
Class: ICS/OT (Often)

Common Consequences

Scope Impact Likelihood
Access ControlBypass Protection Mechanism
Integrity
Confidentiality
Availability
Access Control
Other		Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Other

Observed Examples

References Description

CVE-2022-40263

Software for biological cell analysus has hard-coded credentials, leading to leak of Protected Health Information (PHI)

CVE-2022-29953

Condition Monitor firmware has a maintenance interface with hard-coded credentials

CVE-2022-29960

Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation

CVE-2022-29964

Distributed Control System (DCS) has hard-coded passwords for local shell access

CVE-2022-30997

Programmable Logic Controller (PLC) has a maintenance service that uses undocumented, hard-coded credentials

CVE-2022-30314

Firmware for a Safety Instrumented System (SIS) has hard-coded credentials for access to boot configuration

CVE-2022-30271

Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments

CVE-2021-37555

Telnet service for IoT feeder for dogs and cats has hard-coded password [REF-1288]

CVE-2021-35033

Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port

CVE-2012-3503

Installation script has a hard-coded secret token value, allowing attackers to bypass authentication

CVE-2010-2772

SCADA system uses a hard-coded password to protect back-end database containing authorization information, exploited by Stuxnet worm

CVE-2010-2073

FTP server library uses hard-coded usernames and passwords for three default accounts

CVE-2010-1573

Chain: Router firmware uses hard-coded username and password for access to debug functionality, which can be used to execute arbitrary code

CVE-2008-2369

Server uses hard-coded authentication key

CVE-2008-0961

Backup product uses hard-coded username and password, allowing attackers to bypass authentication via the RPC interface

CVE-2008-1160

Security appliance uses hard-coded password allowing attackers to gain root access

CVE-2006-7142

Drive encryption product stores hard-coded cryptographic keys for encrypted configuration files in executable programs

CVE-2005-3716

VoIP product uses hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information

CVE-2005-3803

VoIP product uses hard coded public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information

CVE-2005-0496

Backup product contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system

Potential Mitigations

Phases : Architecture and Design
Phases : Architecture and Design
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Phases : Architecture and Design
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Phases : Architecture and Design
Phases : Architecture and Design

Detection Methods

Black Box

Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.
Effectiveness : Moderate

Automated Static Analysis

Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.

Manual Static Analysis

This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.

Manual Dynamic Analysis

Automated Static Analysis - Binary or Bytecode

Effectiveness : SOAR Partial

Manual Static Analysis - Binary or Bytecode

Effectiveness : High

Dynamic Analysis with Manual Results Interpretation

Effectiveness : SOAR Partial

Manual Static Analysis - Source Code

Effectiveness : High

Automated Static Analysis - Source Code

Effectiveness : High

Automated Static Analysis

Effectiveness : SOAR Partial

Architecture or Design Review

Effectiveness : High

Vulnerability Mapping Notes

Justification : While this entry is at a Base level of abstraction, it has lower-level children that cover specific kinds of credentials.
Comment : Consider children such as CWE-259 and CWE-321.

Related Attack Patterns

CAPEC-ID Attack Pattern Name
CAPEC-191 Read Sensitive Constants Within an Executable
CAPEC-70 Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.

References

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-729

Top 25 Series - Rank 11 - Hardcoded Credentials
Johannes Ullrich.
https://www.sans.org/blog/top-25-series-rank-11-hardcoded-credentials/

REF-172

Mobile App Top 10 List
Chris Wysopal.
https://www.veracode.com/blog/2010/12/mobile-app-top-10-list

REF-962

Automated Source Code Security Measure (ASCSM)
Object Management Group (OMG).
http://www.omg.org/spec/ASCSM/1.0/

REF-1283

OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management
Forescout Vedere Labs.
https://www.forescout.com/resources/ot-icefall-report/

REF-1288

Ethical hacking of a Smart Automatic Feed Dispenser
Julia Lokrantz.
http://kth.diva-portal.org/smash/get/diva2:1561552/FULLTEXT01.pdf

REF-1304

ICS Alert (ICS-ALERT-13-164-01): Medical Devices Hard-Coded Passwords
ICS-CERT.
https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Submission

Name Organization Date Date release Version
CWE Content Team MITRE 2010-01-15 +00:00 2010-02-16 +00:00 1.8

Modifications

Name Organization Date Comment
CWE Content Team MITRE 2010-04-05 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2010-06-21 +00:00 updated Common_Consequences, References
CWE Content Team MITRE 2010-09-27 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2010-12-13 +00:00 updated Description
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-27 +00:00 updated Observed_Examples, Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated Demonstrative_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-10-30 +00:00 updated Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2013-02-21 +00:00 updated Applicable_Platforms, References
CWE Content Team MITRE 2014-07-30 +00:00 updated Demonstrative_Examples, Detection_Factors
CWE Content Team MITRE 2015-12-07 +00:00 updated Relationships
CWE Content Team MITRE 2017-01-19 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2017-11-08 +00:00 updated Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2018-03-27 +00:00 updated References
CWE Content Team MITRE 2019-01-03 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2019-09-19 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Applicable_Platforms, Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2021-07-20 +00:00 updated Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-06-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Detection_Factors, Maintenance_Notes, Potential_Mitigations, Taxonomy_Mappings
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes, Relationships
CWE Content Team MITRE 2024-02-29 +00:00 updated Observed_Examples
CWE Content Team MITRE 2024-07-16 +00:00 updated Common_Consequences, Description, Diagram
CWE Content Team MITRE 2024-11-19 +00:00 updated Relationships
CWE Content Team MITRE 2025-09-09 +00:00 updated Detection_Factors, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Maintenance_Notes, Mapping_Notes, Observed_Examples, Relationships
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.