Total: 67 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2025-23012 | 1 Fedorarepository | 1 Fcrepo | 2025-10-07 | 7.5 High |
Fedora Repository 3.8.x includes a service account (fedoraIntCallUser) with default credentials and privileges to read local files by manipulating datastreams. Fedora Repository 3.8.1 was released on 2015-06-11 and is no longer maintained. Migrate to a currently supported version (6.5.1 as of 2025-01-23). | ||||
CVE-2025-35042 | 1 Airship Ai | 1 Acropolis | 2025-09-30 | 9.8 Critical |
Airship AI Acropolis includes a default administrative account that uses the same credentials on every installation. Instances of Airship AI that do not change this account password are vulnerable to a remote attacker logging in and gaining the privileges of this account. Fixed in 10.2.35, 11.0.21, and 11.1.9. | ||||
CVE-2025-10542 | 1 Imonitor | 1 Imonitor Eam | 2025-09-29 | 9.8 Critical |
iMonitor EAM 9.6394 ships with default administrative credentials that are also displayed within the management client’s connection dialog. If the administrator does not change these defaults, a remote attacker can authenticate to the EAM server and gain full control over monitored agents and data. This enables reading highly sensitive telemetry (including keylogger output) and issuing arbitrary actions to all connected clients. | ||||
CVE-2024-12856 | 1 Four-faith | 4 F3x24, F3x24 Firmware, F3x36 and 1 more | 2025-09-25 | 7.2 High |
The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue. | ||||
CVE-2025-51536 | 1 Craws | 1 Openatlas | 2025-09-23 | 9.8 Critical |
Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 was discovered to contain a hardcoded Administrator password. | ||||
CVE-2025-51535 | 2 Austrian Archaeological Institute, Craws | 2 Openatlas, Openatlas | 2025-09-20 | 9.1 Critical |
Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 was discovered to contain a SQL injection vulnerability. | ||||
CVE-2025-55110 | 1 Bmc | 1 Control-m/agent | 2025-09-17 | 5.5 Medium |
Control-M/Agents use a kdb or PKCS#12 keystore by default, and the default keystore password is well known and documented. An attacker with read access to the keystore could access sensitive data using this password. | ||||
CVE-2025-8530 | 2 Eladmin, Elunez | 2 Eladmin, Eladmin | 2025-09-12 | 5.3 Medium |
A vulnerability, which was classified as problematic, has been found in elunez eladmin up to 2.7. Affected by this issue is some unknown functionality of the file eladmin-system\src\main\resources\config\application-prod.yml of the component Druid. The manipulation of the argument login-username/login-password leads to use of default credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
CVE-2025-55051 | | | 2025-09-11 | 10 Critical |
CWE-1392: Use of Default Credentials | ||||
CVE-2025-9577 | 1 Totolink | 2 X2000r, X2000r Firmware | 2025-09-09 | 2.5 Low |
A security flaw has been discovered in TOTOLINK X2000R up to 2.0.0. The affected element is an unknown function of the file /etc/shadow.sample of the component Administrative Interface. The manipulation results in use of default credentials. Attacking locally is a requirement. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been released to the public and may be exploited. | ||||
CVE-2025-9576 | 1 Seeedstudio | 2 Linkit Smart 7688, Linkit Smart 7688 Firmware | 2025-09-09 | 2.5 Low |
A vulnerability was identified in seeedstudio ReSpeaker LinkIt7688. Impacted is an unknown function of the file /etc/shadow of the component Administrative Interface. The manipulation leads to use of default credentials. An attack has to be approached locally. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
CVE-2025-35452 | | | 2025-09-08 | 9.8 Critical |
PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface. | ||||
CVE-2025-29521 | 1 Dlink | 2 Dsl-7740c, Dsl-7740c Firmware | 2025-09-02 | 5.3 Medium |
Insecure default credentials for the Administrator account of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allow attackers to escalate privileges via a brute-force attack. | ||||
CVE-2025-35114 | 2 Agiloft, Atlassian | 2 Agiloft, Agiloft | 2025-09-02 | 7.5 High |
Agiloft Release 28 contains several accounts with default credentials that could allow local privilege escalation. The password hash is known for at least one of the accounts and the credentials could be cracked offline. Users should upgrade to Agiloft Release 30. | ||||
CVE-2024-6535 | 1 Redhat | 1 Service Interconnect | 2025-08-31 | 5.3 Medium |
A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie. | ||||
CVE-2023-40704 | 1 Philips | 1 Vue Pacs | 2025-08-27 | 6.8 Medium |
The product does not require unique and complex passwords to be created during installation. Using Philips's default password could jeopardize the PACS system if the password was hacked or leaked. An attacker could gain access to the database impacting system availability and data integrity. | ||||
CVE-2025-29525 | 1 Dasan | 1 H660wm | 2025-08-26 | 5.3 Medium |
DASAN GPON ONU H660WM OS version H660WMR210825 Hardware version DS-E5-583-A1 was discovered to contain insecure default credentials in the modem's control panel. | ||||
CVE-2025-54137 | 2 Haxtheweb, Psu | 2 Haxcms-nodejs, Haxcms-nodejs | 2025-08-22 | 7.3 High |
HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change credentials or secrets during installation, and there is no way to change them through the UI. An unauthenticated attacker can read the default user credentials and JWT private keys from the public haxtheweb GitHub repositories. These credentials and keys can be used to access unconfigured self-hosted instances of the application, modify sites, and perform further attacks. This is fixed in version 11.0.10. | ||||
CVE-2024-6788 | 1 Phoenixcontact | 12 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 9 more | 2025-08-22 | 8.6 High |
A remote unauthenticated attacker can use the firmware update feature on the LAN interface of the device to reset the password for the predefined, low-privileged user “user-app” to the default password. | ||||
CVE-2025-55740 | 1 Nginx-defender Project | 1 Nginx-defender | 2025-08-21 | 6.5 Medium |
nginx-defender is a high-performance, enterprise-grade Web Application Firewall (WAF) and threat detection system engineered for modern web infrastructure. This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files config.yaml and docker-compose.yml contain default credentials (default_password: "change_me_please", GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections. The issue is addressed in v1.5.0 and later. |