| CVE | Severity | CVSS | EPSS | | Fix | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-58453 | Critical | 9.8 v3 | - | - | No fix available yet | 2026-07-01 | JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a hard-coded credentials vulnerability that allows network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80. Attackers can authenticate with these hardcoded credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface. |
| CVE-2026-46386 | Critical | 9.9 v3 | 0.3% | - | No fix available yet | 2026-06-26 | OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader. This vulnerability is fixed in . |
| CVE-2026-44273 | Medium | 6.0 v3 | 0.1% | - | Fix available | 2026-06-22 | Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain a Use of Default Credentials vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information Disclosure. |
| CVE-2026-32652 | High | 7.8 v3 | 0.1% | - | Fix available | 2026-06-17 | Dell AIOps Collector versions prior to 1.18.3 contain a "Use of Default Credentials" vulnerability. A low privileged attacker with console access could potentially exploit this vulnerability to gain Filesystem access. This vulnerability only affects fresh installations of Collector versions earlier than 1.18.3. Systems that have been upgraded (either manually or automatically) to version 1.18.3 or later are not impacted, even if they were originally installed on an earlier version. |
| CVE-2026-50005 | High | 7.7 v3 | 0.2% | - | No fix available yet | 2026-06-11 | Brickcom cameras ship with default credentials that allow any unauthenticated remote attacker to silently access camera feeds. |
| CVE-2026-9844 | High | 8.8 v4 | 0.2% | - | No fix available yet | 2026-06-02 | Use of default credentials vulnerability in Roche Diagnostics navify Digital Pathology (RabbitMQ Management interface modules) allows Default Usernames and Passwords. This issue affects navify Digital Pathology: from 2.0.0 before 2.4.1. |
| CVE-2026-42941 | High | 8.3 v3 | 0.2% | - | Fix available | 2026-05-29 | The Danelec MacGregor Voyage Data Recorder device includes a default username and password, with no enforced password change. |
| CVE-2026-45039 | Critical | 9.8 v3 | 0.3% | - | No fix available yet | 2026-05-28 | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to the public, source-tree-embedded DEFAULT_SECRET_KEY = "rustfsadmin" when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2. |
| CVE-2026-7365 | High | 8.4 v3 | 0.1% | - | No fix available yet | 2026-05-27 | IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis uses default passwords from the manufacturing process for use during the installation process, which could allow an attacker to bypass authentication. |
| CVE-2025-36221 | Medium | 5.3 v3 | 0.3% | - | Fix available | 2026-05-26 | IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System uses default passwords from the manufacturing process for use during the installation process, which could allow an attacker to bypass authentication. |
| CVE-2026-44159 | Critical | 9.8 v3 | 0.5% | - | No fix available yet | 2026-05-19 | Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment. TID-L has not been distributed since December 2020, and has not been supported since 2021. |
| CVE-2026-7428 | Critical | 9.2 v4 | 0.2% | - | No fix available yet | 2026-05-12 | Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it. |
| CVE-2026-42072 | Critical | 9.8 v3 | 0.4% | - | No fix available yet | 2026-05-08 | Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-ms HNSW search, graph traversal, and writes. Prior to version 1.0.42-hotfix, the --address CLI flag (and NORNICDB_ADDRESS / server.host config key) is plumbed through to the HTTP server correctly but never reaches the Bolt server config. The Bolt listener therefore always binds to the wildcard address (all interfaces), regardless of what the user configures. On a LAN, this exposes the graph database — with its default admin:password credentials — to any device sharing the network. This issue has been patched in version 1.0.42-hotfix. |
| CVE-2023-27573 | Critical | 9.0 v3 | 0.5% | - | Fix available | 2026-03-11 | netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all users changed the password but only about 90% changed the token. Having a default token value was intentional and was valuable for the main intended use case of the netbox-docker product (isolated development networks). Some users engaged in an effort to repurpose netbox-docker for production. The documentation for this effort stated that the defaults must not be used. However, installation did not ensure non-default values. The Supplier was aware of the CVE ID assignment and did not object to the assignment. |
| CVE-2026-31837 | High | 7.5 v3 | 0.4% | - | Fix available | 2026-03-10 | Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8. |
| CVE-2026-28713 | High | 7.1 v3 | 0.2% | - | Fix available | 2026-03-06 | Default credentials set for local privileged user in Virtual Appliance. The following products are affected: Acronis Cyber Protect Cloud Agent (VMware) before build 36943, Acronis Cyber Protect 17 (VMware) before build 41186. |
| CVE-2026-22886 | Critical | 9.8 v3 | 0.4% | - | No fix available yet | 2026-03-03 | OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features. |
| CVE-2026-27751 | Critical | 9.8 v3 | 0.4% | - | No fix available yet | 2026-02-27 | SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a default credentials vulnerability that allows remote attackers to obtain administrative access to the management interface. Attackers can authenticate using the hardcoded default credentials without password change enforcement to gain full administrative control of the device. |
| CVE-2026-26341 | Critical | 9.8 v3 | 2.7% | - | No fix available yet | 2026-02-24 | Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker who can reach the management interface can authenticate using the default credentials and gain administrative access, enabling unauthorized access to device configuration and data. |
| CVE-2026-26366 | Critical | 9.8 v3 | 0.7% | - | No fix available yet | 2026-02-15 | eNet SMART HOME server 2.2.1 and 2.3.1 ships with default credentials (user:user, admin:admin) that remain active after installation and commissioning without enforcing a mandatory password change. Unauthenticated attackers can use these default credentials to gain administrative access to sensitive smart home configuration and control functions. |
| CVE-2025-54756 | High | 8.4 v3 | 0.1% | - | No fix available yet | 2026-02-12 | BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or series 5 prior to v9.0.166 use a default password that is guessable with knowledge of the device information. The latest release fixes this issue for new installations; users of old installations are encouraged to change all default passwords. |
| CVE-2026-1972 | Medium | 5.3 v3 | 0.6% | - | No fix available yet | 2026-02-06 | A vulnerability was found in Edimax BR-6208AC 2_1.02. The affected element is the function auth_check_userpass2. Performing a manipulation of the argument Username/Password results in use of default credentials. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer. |
| CVE-2026-1803 | High | 8.1 v3 | 0.6% | - | No fix available yet | 2026-02-03 | A weakness has been identified in Ziroom ZHOME A0101 1.0.1.0. Impacted is an unknown function of the component Dropbear SSH Service. This manipulation causes use of default credentials. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-7740 | Unscored | - | 0.2% | - | No fix available yet | 2026-01-28 | Default credentials vulnerability exists in SuprOS product. If exploited, this could allow an authenticated local attacker to use an admin account created during product deployment. |
| CVE-2025-59108 | Unscored | - | 0.4% | - | No fix available yet | 2026-01-26 | By default, the password for the Access Manager's web interface is set to 'admin'. In the tested version changing the password was not enforced. |
| CVE-2026-22273 | High | 8.8 v3 | 0.3% | - | Fix available | 2026-01-23 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain a Use of Default Credentials vulnerability in the OS. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. |
| CVE-2025-58744 | High | 7.5 v3 | 0.1% | - | Fix available | 2026-01-20 | Use of Default Credentials, Hard-coded Credentials vulnerability in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows decryption of document archive files using credentials decrypted with hard-coded application encryption key. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. |
| CVE-2020-36915 | High | 7.5 v3 | 0.3% | - | No fix available yet | 2026-01-06 | Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands across multiple Adtec Digital product versions. |
| CVE-2022-50803 | Critical | 9.8 v3 | 0.4% | - | No fix available yet | 2025-12-30 | JM-DATA ONU JF511-TV version 1.0.67 uses default credentials that allow attackers to gain unauthorized access to the device with administrative privileges. |
| CVE-2018-25147 | High | 7.5 v3 | 0.3% | - | No fix available yet | 2025-12-24 | Microhard Systems IPn4G 1.1.0 contains hardcoded default credentials that cannot be changed through normal gateway operations. Attackers can exploit these default credentials to gain unauthorized root-level access to the device by logging in with predefined username and password combinations. |
| CVE-2021-47707 | Unscored | - | 0.3% | - | No fix available yet | 2025-12-09 | COMMAX CVD-Axx DVR 5.1.4 contains weak default administrative credentials that allow remote password attacks and disclose RTSP stream. Attackers can exploit this by sending a POST request with the 'passkey' parameter set to '1234', allowing them to access the web control panel. |
| CVE-2025-54303 | Critical | 9.8 v3 | 0.3% | - | No fix available yet | 2025-12-04 | The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials, which are stored as fixtures for the Django ORM API. The ionadmin user account can be used to authenticate to default deployments with the password ionadmin. The user guide recommends changing default credentials; however, a password change policy for default administrative accounts is not enforced. Many deployments may retain default credentials, in which case an attacker is likely to be able to successfully authenticate with administrative privileges. |
| CVE-2025-12592 | Unscored | - | 0.3% | - | No fix available yet | 2025-11-19 | Legacy Vivotek Device firmware uses default credentials for the root and user login accounts. |
| CVE-2025-12218 | Critical | 9.1 v3 | 0.3% | - | Fix available | 2025-10-25 | Weak Default Credentials. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. |
| CVE-2025-12217 | Critical | 9.1 v3 | 0.3% | - | Fix available | 2025-10-25 | SNMP Default Community String (public). This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. |
| CVE-2025-10678 | Unscored | - | 0.4% | - | No fix available yet | 2025-10-20 | NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL. This issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed. This issue has been fixed in version 0.57.0. |
| CVE-2025-11943 | High | 7.3 v3 | 0.7% | - | No fix available yet | 2025-10-19 | A vulnerability has been found in 70mai X200 up to 20251010. Affected by this vulnerability is an unknown functionality of the component HTTP Web Server. The manipulation leads to use of default credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-34516 | Critical | 9.8 v3 | 0.5% | - | No fix available yet | 2025-10-16 | Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a use of default credentials vulnerability that allows an unauthenticated attacker to obtain remote access. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet. |
| CVE-2025-10542 | Critical | 9.8 v3 | 0.7% | - | No fix available yet | 2025-09-25 | iMonitor EAM 9.6394 ships with default administrative credentials that are also displayed within the management client’s connection dialog. If the administrator does not change these defaults, a remote attacker can authenticate to the EAM server and gain full control over monitored agents and data. This enables reading highly sensitive telemetry (including keylogger output) and issuing arbitrary actions to all connected clients. |
| CVE-2025-35042 | Critical | 9.8 v3 | 0.4% | - | Fix available | 2025-09-22 | Airship AI Acropolis includes a default administrative account that uses the same credentials on every installation. Instances of Airship AI that do not change this account password are vulnerable to a remote attacker logging in and gaining the privileges of this account. Fixed in 10.2.35, 11.0.21, and 11.1.9. |
| CVE-2025-55110 | Medium | 5.5 v3 | 0.1% | - | No fix available yet | 2025-09-16 | Control-M/Agents use a kdb or PKCS#12 keystore by default, and the default keystore password is well known and documented. An attacker with read access to the keystore could access sensitive data using this password. |
| CVE-2025-55051 | Critical | 10.0 v3 | 0.3% | - | No fix available yet | 2025-09-09 | CWE-1392: Use of Default Credentials |
| CVE-2025-35452 | Critical | 9.8 v3 | 0.8% | - | No fix available yet | 2025-09-05 | PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface. |
| CVE-2025-9577 | Low | 2.5 v3 | 0.2% | - | No fix available yet | 2025-08-28 | A security flaw has been discovered in TOTOLINK X2000R up to 2.0.0. The affected element is an unknown function of the file /etc/shadow.sample of the component Administrative Interface. The manipulation results in use of default credentials. Attacking locally is a requirement. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been released to the public and may be exploited. |
| CVE-2025-9576 | Low | 2.5 v3 | 0.2% | - | No fix available yet | 2025-08-28 | A vulnerability was identified in seeedstudio ReSpeaker LinkIt7688. Impacted is an unknown function of the file /etc/shadow of the component Administrative Interface. The manipulation leads to use of default credentials. An attack has to be approached locally. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-35114 | High | 7.5 v3 | 0.3% | - | Fix available | 2025-08-26 | Agiloft Release 28 contains several accounts with default credentials that could allow local privilege escalation. The password hash is known for at least one of the accounts and the credentials could be cracked offline. Users should upgrade to Agiloft Release 30. |
| CVE-2025-29525 | Medium | 5.3 v3 | 0.3% | - | No fix available yet | 2025-08-25 | DASAN GPON ONU H660WM OS version H660WMR210825 Hardware version DS-E5-583-A1 was discovered to contain insecure default credentials in the modem's control panel. |
| CVE-2025-29521 | Medium | 5.3 v3 | 0.5% | - | No fix available yet | 2025-08-25 | Insecure default credentials for the Administrator account of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to escalate privileges via a bruteforce attack. |
| CVE-2025-55740 | Medium | 6.5 v3 | 0.2% | - | No fix available yet | 2025-08-19 | nginx-defender is a high-performance, enterprise-grade Web Application Firewall (WAF) and threat detection system engineered for modern web infrastructure. This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files config.yaml and docker-compose.yml contain default credentials (default_password: "change_me_please", GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections. The issue is addressed in v1.5.0 and later. |
| CVE-2025-2184 | Unscored | - | 0.2% | - | No fix available yet | 2025-08-13 | A credential management flaw in Palo Alto Networks Cortex XDR® Broker VM causes different Broker VM images to share identical default credentials for internal services. Users knowing these default credentials could access internal services on other Broker VM installations. The attacker must have network access to the Broker VM to exploit this issue. |
- CriticalCVSS 9.8 v3·EPSS -·No fix yet
JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a hard-coded credentials vulnerability that allows network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80. Attackers can authenticate with these hardcoded credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.
Published 2026-07-01
- CriticalCVSS 9.9 v3·EPSS 0.3%·No fix yet
OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader This vulnerability is fixed in .
Published 2026-06-26
- MediumCVSS 6.0 v3·EPSS 0.1%·Fix available
Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain a Use of Default Credentials vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information Disclosure.
Published 2026-06-22
- HighCVSS 7.8 v3·EPSS 0.1%·Fix available
Dell AIOps Collector versions prior to 1.18.3 contain a "Use of Default Credentials" vulnerability. A low privileged attacker with console access could potentially exploit this vulnerability to gain Filesystem access. This vulnerability only affects fresh installations of Collector versions earlier than 1.18.3. Systems that have been upgraded (either manually or automatically) to version 1.18.3 or later are not impacted, even if they were originally installed on an earlier version.
Published 2026-06-17
- HighCVSS 7.7 v3·EPSS 0.2%·No fix yet
Brickcom cameras ship with default credentials that allows any unauthenticated remote attacker to silently access camera feeds.
Published 2026-06-11
- HighCVSS 8.8 v4·EPSS 0.2%·No fix yet
Use of default credentials vulnerability in Roche Diagnostics navify Digital Pathology (RabbitMQ Management interface modules) allows Default Usernames and Passwords. This issue affects navify Digital Pathology: from 2.0.0 before 2.4.1.
Published 2026-06-02
- HighCVSS 8.3 v3·EPSS 0.2%·Fix available
The Danelec MacGregor Voyage Data Recorder device includes a default username and password, with no enforced password change.
Published 2026-05-29
- CriticalCVSS 9.8 v3·EPSS 0.3%·No fix yet
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to the public, source-tree-embedded DEFAULT_SECRET_KEY = "rustfsadmin" when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2.
Published 2026-05-28
- HighCVSS 8.4 v3·EPSS 0.1%·No fix yet
IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis uses default passwords default passwords from the manufacturing process for use during the installation process, which could allow an attacker to bypass authentication.
Published 2026-05-27
- MediumCVSS 5.3 v3·EPSS 0.3%·Fix available
IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System uses default passwords default passwords from the manufacturing process for use during the installation process, which could allow an attacker to bypass authentication.
Published 2026-05-26
- CriticalCVSS 9.8 v3·EPSS 0.5%·No fix yet
Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment. TID-L has not been distributed since December 2020, and has not been supported since 2021.
Published 2026-05-19
- CriticalCVSS 9.2 v4·EPSS 0.2%·No fix yet
Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.
Published 2026-05-12
- CriticalCVSS 9.8 v3·EPSS 0.4%·No fix yet
Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-ms HNSW search, graph traversal, and writes. Prior to version 1.0.42-hotfix, the --address CLI flag (and NORNICDB_ADDRESS / server.host config key) is plumbed through to the HTTP server correctly but never reaches the Bolt server config. The Bolt listener therefore always binds to the wildcard address (all interfaces), regardless of what the user configures. On a LAN, this exposes the graph database — with its default admin:password credentials — to any device sharing the network. This issue has been patched in version 1.0.42-hotfix.
Published 2026-05-08
- CriticalCVSS 9.0 v3·EPSS 0.5%·Fix available
netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all users changed the password but only about 90% changed the token. Having a default token value was intentional and was valuable for the main intended use case of the netbox-docker product (isolated development networks). Some users engaged in an effort to repurpose netbox-docker for production. The documentation for this effort stated that the defaults must not be used. However, installation did not ensure non-default values. The Supplier was aware of the CVE ID assignment and did not object to the assignment.
Published 2026-03-11
- HighCVSS 7.5 v3·EPSS 0.4%·Fix available
Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.
Published 2026-03-10
- HighCVSS 7.1 v3·EPSS 0.2%·Fix available
Default credentials set for local privileged user in Virtual Appliance. The following products are affected: Acronis Cyber Protect Cloud Agent (VMware) before build 36943, Acronis Cyber Protect 17 (VMware) before build 41186.
Published 2026-03-06
- CriticalCVSS 9.8 v3·EPSS 0.4%·No fix yet
OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/ admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features.
Published 2026-03-03
- CriticalCVSS 9.8 v3·EPSS 0.4%·No fix yet
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a default credentials vulnerability that allows remote attackers to obtain administrative access to the management interface. Attackers can authenticate using the hardcoded default credentials without password change enforcement to gain full administrative control of the device.
Published 2026-02-27
- CriticalCVSS 9.8 v3·EPSS 2.7%·No fix yet
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior ship with default credentials that are not forced to be changed during installation or commissioning. An attacker who can reach the management interface can authenticate using the default credentials and gain administrative access, enabling unauthorized access to device configuration and data.
Published 2026-02-24
- CriticalCVSS 9.8 v3·EPSS 0.7%·No fix yet
eNet SMART HOME server 2.2.1 and 2.3.1 ships with default credentials (user:user, admin:admin) that remain active after installation and commissioning without enforcing a mandatory password change. Unauthenticated attackers can use these default credentials to gain administrative access to sensitive smart home configuration and control functions.
Published 2026-02-15
- HighCVSS 8.4 v3·EPSS 0.1%·No fix yet
BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or series 5 prior to v9.0.166 use a default password that is guessable with knowledge of the device information. The latest release fixes this issue for new installations; users of old installations are encouraged to change all default passwords.
Published 2026-02-12
- MediumCVSS 5.3 v3·EPSS 0.6%·No fix yet
A vulnerability was found in Edimax BR-6208AC 2_1.02. The affected element is the function auth_check_userpass2. Performing a manipulation of the argument Username/Password results in use of default credentials. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer.
Published 2026-02-06
- HighCVSS 8.1 v3·EPSS 0.6%·No fix yet
A weakness has been identified in Ziroom ZHOME A0101 1.0.1.0. Impacted is an unknown function of the component Dropbear SSH Service. This manipulation causes use of default credentials. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published 2026-02-03
- UnscoredCVSS -·EPSS 0.2%·No fix yet
Default credentials vulnerability exists in SuprOS product. If exploited, this could allow an authenticated local attacker to use an admin account created during product deployment.
Published 2026-01-28
- UnscoredCVSS -·EPSS 0.4%·No fix yet
By default, the password for the Access Manager's web interface, is set to 'admin'. In the tested version changing the password was not enforced.
Published 2026-01-26
- HighCVSS 8.8 v3·EPSS 0.3%·Fix available
Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Use of Default Credentials vulnerability in the OS. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.
Published 2026-01-23
- HighCVSS 7.5 v3·EPSS 0.1%·Fix available
Use of Default Credentials, Hard-coded Credentials vulnerability in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows decryption of document archive files using credentials decrypted with hard-coded application encryption key. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808.
Published 2026-01-20
- High · CVSS 7.5 v3 · EPSS 0.3% · No fix yet
Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands across multiple Adtec Digital product versions.
Published 2026-01-06
- Critical · CVSS 9.8 v3 · EPSS 0.4% · No fix yet
JM-DATA ONU JF511-TV version 1.0.67 uses default credentials that allow attackers to gain unauthorized access to the device with administrative privileges.
Published 2025-12-30
- High · CVSS 7.5 v3 · EPSS 0.3% · No fix yet
Microhard Systems IPn4G 1.1.0 contains hardcoded default credentials that cannot be changed through normal gateway operations. Attackers can exploit these default credentials to gain unauthorized root-level access to the device by logging in with predefined username and password combinations.
Published 2025-12-24
- Unscored · CVSS - · EPSS 0.3% · No fix yet
COMMAX CVD-Axx DVR 5.1.4 contains weak default administrative credentials that allow remote password attacks and disclose RTSP stream. Attackers can exploit this by sending a POST request with the 'passkey' parameter set to '1234', allowing them to access the web control panel.
Published 2025-12-09
- Critical · CVSS 9.8 v3 · EPSS 0.3% · No fix yet
The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials, which are stored as fixtures for the Django ORM API. The ionadmin user account can be used to authenticate to default deployments with the password ionadmin. The user guide recommends changing default credentials; however, a password change policy for default administrative accounts is not enforced. Many deployments may retain default credentials, in which case an attacker is likely to be able to successfully authenticate with administrative privileges.
Published 2025-12-04
- Unscored · CVSS - · EPSS 0.3% · No fix yet
Legacy Vivotek Device firmware uses default credentials for the root and user login accounts.
Published 2025-11-19
- Critical · CVSS 9.1 v3 · EPSS 0.3% · Fix available
Weak Default Credentials. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
Published 2025-10-25
- Critical · CVSS 9.1 v3 · EPSS 0.3% · Fix available
SNMP Default Community String (public). This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
Published 2025-10-25
- Unscored · CVSS - · EPSS 0.4% · No fix yet
NetBird VPN, when installed using the vendor's provided script, fails to remove or change the default password of an admin account created by ZITADEL. This issue affects instances installed using the vendor's provided script. This issue may also affect instances created with Docker if the default password was not changed and the user was not removed. This issue has been fixed in version 0.57.0.
Published 2025-10-20
- High · CVSS 7.3 v3 · EPSS 0.7% · No fix yet
A vulnerability has been found in 70mai X200 up to 20251010. Affected by this vulnerability is an unknown functionality of the component HTTP Web Server. The manipulation leads to use of default credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published 2025-10-19
- Critical · CVSS 9.8 v3 · EPSS 0.5% · No fix yet
Ilevia EVE X1 Server firmware versions ≤ 4.7.18.0.eden contain a use of default credentials vulnerability that allows an unauthenticated attacker to obtain remote access. Ilevia has declined to service this vulnerability, and recommends that customers not expose port 8080 to the internet.
Published 2025-10-16
- Critical · CVSS 9.8 v3 · EPSS 0.7% · No fix yet
iMonitor EAM 9.6394 ships with default administrative credentials that are also displayed within the management client’s connection dialog. If the administrator does not change these defaults, a remote attacker can authenticate to the EAM server and gain full control over monitored agents and data. This enables reading highly sensitive telemetry (including keylogger output) and issuing arbitrary actions to all connected clients.
Published 2025-09-25
- Critical · CVSS 9.8 v3 · EPSS 0.4% · Fix available
Airship AI Acropolis includes a default administrative account that uses the same credentials on every installation. Instances of Airship AI that do not change this account password are vulnerable to a remote attacker logging in and gaining the privileges of this account. Fixed in 10.2.35, 11.0.21, and 11.1.9.
Published 2025-09-22
- Medium · CVSS 5.5 v3 · EPSS 0.1% · No fix yet
Control-M/Agents use a kdb or PKCS#12 keystore by default, and the default keystore password is well known and documented. An attacker with read access to the keystore could access sensitive data using this password.
Published 2025-09-16
- Critical · CVSS 10.0 v3 · EPSS 0.3% · No fix yet
CWE-1392: Use of Default Credentials
Published 2025-09-09
- Critical · CVSS 9.8 v3 · EPSS 0.8% · No fix yet
PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface.
Published 2025-09-05
- CVSS 2.5 v3 · EPSS 0.2% · No fix yet
A security flaw has been discovered in TOTOLINK X2000R up to 2.0.0. The affected element is an unknown function of the file /etc/shadow.sample of the component Administrative Interface. The manipulation results in use of default credentials. Attacking locally is a requirement. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been released to the public and may be exploited.
Published 2025-08-28
- CVSS 2.5 v3 · EPSS 0.2% · No fix yet
A vulnerability was identified in seeedstudio ReSpeaker LinkIt7688. Impacted is an unknown function of the file /etc/shadow of the component Administrative Interface. The manipulation leads to use of default credentials. An attack has to be approached locally. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published 2025-08-28
- High · CVSS 7.5 v3 · EPSS 0.3% · Fix available
Agiloft Release 28 contains several accounts with default credentials that could allow local privilege escalation. The password hash is known for at least one of the accounts and the credentials could be cracked offline. Users should upgrade to Agiloft Release 30.
Published 2025-08-26
- Medium · CVSS 5.3 v3 · EPSS 0.3% · No fix yet
DASAN GPON ONU H660WM OS version H660WMR210825 Hardware version DS-E5-583-A1 was discovered to contain insecure default credentials in the modem's control panel.
Published 2025-08-25
- Medium · CVSS 5.3 v3 · EPSS 0.5% · No fix yet
Insecure default credentials for the Administrator account of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allow attackers to escalate privileges via a brute-force attack.
Published 2025-08-25
- Medium · CVSS 6.5 v3 · EPSS 0.2% · No fix yet
nginx-defender is a high-performance, enterprise-grade Web Application Firewall (WAF) and threat detection system engineered for modern web infrastructure. This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files config.yaml and docker-compose.yml contain default credentials (default_password: "change_me_please", GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections. The issue is addressed in v1.5.0 and later.
Published 2025-08-19
- Unscored · CVSS - · EPSS 0.2% · No fix yet
A credential management flaw in Palo Alto Networks Cortex XDR® Broker VM causes different Broker VM images to share identical default credentials for internal services. Users knowing these default credentials could access internal services on other Broker VM installations. The attacker must have network access to the Broker VM to exploit this issue.
Published 2025-08-13
Uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog.