Home/CWE/Use of Hard-coded Credentials
Weakness

Use of Hard-coded Credentials

CWE-798 · Base · Draft

The product contains hard-coded credentials, such as a password or cryptographic key.

Extended description

There are two main variations: Inbound: the product contains an authentication mechanism that checks the input credentials against a hard-coded set of credentials. In this variant, a default administration account is created, and a simple password is hard-coded into the product and associated with that account. This hard-coded password is the same for each installation of the product, and it usually cannot be changed or disabled by system administrators without manually modifying the program, or otherwise patching the product.

It can also be difficult for the administrator to detect. Outbound: the product connects to another system or component, and it contains hard-coded credentials for connecting to that component. This variant applies to front-end systems that authenticate with a back-end service.

The back-end service may require a fixed password that can be easily discovered. The programmer may simply hard-code those back-end credentials into the front-end product.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-1391 · Use of Weak Credentials
ChildOfCWE-287 · Improper Authentication
ChildOfCWE-344 · Use of Invariant Value in Dynamically Changing Context
ChildOfCWE-671 · Lack of Administrator Control over Security
Children (more specific)
ParentOfCWE-259 · Use of Hard-coded Password
ParentOfCWE-321 · Use of Hard-coded Cryptographic Key
Related
PeerOfCWE-257 · Storing Passwords in a Recoverable Format

Attack Patterns (CAPEC)

2
How adversaries exploit this weakness, per MITRE CAPEC.
CAPEC-191Read Sensitive Constants Within an Executable
CAPEC-70Try Common or Default Usernames and Passwords

CVEs With This Weakness

1,961
A sample of the 1,961 CVEs tagged with this weakness.
CVECVE-2026-8032
CVECVE-2026-7579
CVECVE-2026-7414
CVECVE-2026-6610
CVECVE-2026-6578
CVECVE-2026-6574
CVECVE-2026-5189
CVECVE-2026-4993
CVECVE-2026-4832
CVECVE-2026-4475
CVECVE-2026-4404
CVECVE-2026-42869

Nuclei Scanner Templates

30
Open-source Nuclei templates that detect this weakness class - an actionable scan-for-it pivot. Licensed under the ProjectDiscovery / Nuclei terms.
criticalIBM Data Risk Manager - Hardcoded Credentials
criticalVue Vben Admin - Default Credentials
criticalCisco IOS XE WLC - Arbitrary File Upload
criticalAtlassian Questions For Confluence - Hardcoded Credentials
criticalGitLab CE/EE - Hard-Coded Credentials
criticalWAVLINK WN530HG4 - Improper Access Control
criticalWAPPLES Web Application Firewall <=6.0 - Hardcoded Credentials
criticalWireless Multiplex Terminal Playout Server <=20.2.8 - Default Credential Detection
criticalEyesOfNetwork - Hardcoded API Key
criticalRuckus vRioT IoT Controller - Authentication Bypass
criticalMicro Focus UCMDB - Remote Code Execution
criticalEyesOfNetwork - Hardcoded API Key & SQL Injection
criticalEVlink City < R8 V3.4.0.1 - Authentication Bypass
criticalD-Link D-View 8 v2.0.1.28 - Authentication Bypass
criticalKubePi JwtSigKey - Admin Authentication Bypass
criticalSolarWinds Web Help Desk - Hardcoded Credential
criticalFour-Faith F3x36 - Authentication Bypass
criticalD-Tale 3.10.0 - 3.15.1 - Authentication Bypass & Remote Code Execution
criticalNetsweeper 4.0.5 - Default Weak Account
criticalPrismaWEB - Credentials Disclosure
criticalIBM MobileFirst Foundation - Default Credentials
criticalDVWA Default Login
highLucee - Unset Credentials
highGenieACS - Authentication Bypass (Default JWT Secret)
highSitecore Experience Manager (XM) and Experience Platform (XP) - Hardcoded Credentials
highLinear eMerge E3-Series - Information Disclosure
highFujitsu IP Series - Hardcoded Credentials
highNetmaker - Hardcoded DNS Secret Key
highifw8 Router ROM v4.31 - Credential Discovery
highWebmin - Default Login
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin