CISO Brief

All news with #hardcoded credentials tag

44 articles

Yokogawa CENTUM VP Hardcoded PROG Account Password

🔒 Yokogawa CENTUM VP contains a hardcoded password for the PROG account used in CENTUM Authentication Mode, tracked as CVE-2025-7741. Under specific conditions, an attacker with access to HIS screen controls could log in as PROG and modify permissions or configuration. The issue affects R5.x, R6.x, and vR7.01.00 product families; it is not remotely exploitable and has high attack complexity. Recommended mitigations include switching to Windows Authentication Mode or applying vendor patch R7.01.10.

Cloud Misconfigurations: The Multi-Billion Dollar Risk

🔒 Most major cloud breaches in recent years have stemmed from basic misconfigurations rather than sophisticated zero-days or custom malware. The article highlights incidents such as Snowflake (2024), AT&T, Ticketmaster and Capital One to show how exposed credentials, public storage buckets and missing controls led to vast data exposure. Immediate actions recommended are enabling MFA everywhere, enforcing account-level public access blockers, activating comprehensive logging across AWS/Azure/GCP, and prioritizing remediation of exposed buckets and keys, while longer-term fixes include CSPM tools and infrastructure-as-code security checks.

Schneider Electric EcoStruxure DCE: Hard-Coded Credentials

🔒 Schneider Electric disclosed a hard-coded credentials vulnerability in EcoStruxure IT Data Center Expert (DCE) that can lead to information disclosure and remote compromise when the SOCKS Proxy feature is enabled. Exploitation requires administrative access plus knowledge of PostgreSQL credentials; SOCKS Proxy is disabled by default. The issue is tracked as CVE-2025-13957 with a CVSS v3.1 base score of 7.2. Administrators should apply vendor updates or implement interim mitigations per the vendor handbook.

South Korean Agency Exposes Crypto Wallet Recovery Phrase

🔐 The South Korean National Tax Service inadvertently published the mnemonic recovery phrase for a seized Ledger cold wallet when releasing photos from raids on high-value tax evaders. The unredacted handwritten note allowed anyone to restore the wallet and transfer assets, and within hours 4 million Pre-Retogeum (PRTG) tokens, about $4.8 million at the time, were moved out. The incident highlights operational security failures in handling digital evidence and the critical importance of redaction and custody procedures.

Trane Tracer SC Family: Multiple High-Risk Vulnerabilities

⚠️ CISA published an advisory for Trane Tracer SC, Tracer SC+, and Tracer Concierge reporting five vulnerabilities that could lead to information disclosure, arbitrary command execution, or denial-of-service. The issues (CVE-2026-28252 through CVE-2026-28256) include broken cryptography, excessive memory allocation, missing authorization, and hard-coded credentials/constants. Affected builds include Tracer SC < v4.4_SP7 and Tracer SC+/Concierge < v6.3.2310; Trane released Tracer SC+ v6.30.2313 to address these flaws. CISA advises isolating control networks, restricting remote access, applying vendor updates, and following ICS defensive best practices.

Android Mental Health Apps Found with Security Flaws

⚠️ Security researchers found widespread vulnerabilities across ten Android mental-health apps that together exceed 14.7 million installs and could expose highly sensitive therapy and medical data. Oversecured's scans from January 22–23, 2026 identified 1,575 issues — 54 high-, 538 medium-, and 983 low-severity — which could enable credential interception, HTML injection, spoofing, and location leaks. Findings include use of Intent.parseUri() on external input, plaintext API endpoints and hardcoded Firebase URLs, insecure token generation with java.util.Random, and overly permissive local file access.

CISA orders feds to patch Dell RecoverPoint vulnerability

🔐 CISA has directed Federal Civilian Executive Branch agencies to apply fixes within three days for a maximum-severity hardcoded-credential flaw in Dell RecoverPoint (CVE-2026-22769) after active exploitation was observed since mid-2024. Researchers at Mandiant and the Google Threat Intelligence Group link the activity to UNC6201, which deploys multiple payloads including a new Grimbolt backdoor. CISA added the issue to its Known Exploited Vulnerabilities catalog and invoked BOD 22-01 guidance, urging mitigations or product discontinuation if patches are unavailable.

Chinese APT Exploited Dell RecoverPoint Zero-Day Flaw

🔒 Researchers report a China-linked APT exploited a previously unknown vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769) to achieve unauthenticated root command execution by leveraging hardcoded Apache Tomcat Manager credentials. Google’s Mandiant traced compromises to UNC6201, which deployed web shells and backdoors including BRICKSTORM and the newer GRIMBOLT. Dell released a patch (6.0.3.1 HF1) and a remediation script; customers are urged to upgrade and isolate appliances behind segmented networks.

CISA Adds Two Exploited Vulnerabilities to KEV Catalog

⚠️ CISA announced the addition of two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation: CVE-2021-22175 (GitLab SSRF) and CVE-2026-22769 (Dell RecoverPoint for Virtual Machines hard-coded credentials). These issues represent common, high-risk attack vectors that can enable data access and unauthorized persistence. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities by specified deadlines, and CISA strongly urges all organizations to prioritize remediation as part of routine vulnerability management.

AVEVA PI to CONNECT Agent Log Information Exposure

⚠️ AVEVA reported that PI to CONNECT Agent (<=v2.4.2520) contains a vulnerability that can record sensitive proxy connection details in event logs. An attacker with local Event Log Reader (S-1-5-32-573) privileges could extract proxy URLs and credentials from those logs and gain unauthorized access to the proxy server. The issue is not remotely exploitable; the vendor’s fix is v2.5.2790 or later. Users should review and sanitize logs, rotate proxy credentials, avoid plain-text passwords in proxy URLs, and restrict Event Log Reader privileges.

AutomationDirect CLICK PLC Password Storage Vulnerabilities

🔒 AutomationDirect reported two vulnerabilities in CLICK Programmable Logic Controllers (PLCs) — CVE-2025-67652 and CVE-2025-25051 — that expose stored credentials and weak encoding. Both issues carry a CVSS 3.1 base score of 6.1 (Medium) and affect C0-0x, C0-1x, and C2-x product versions. AutomationDirect recommends updating CLICK PLUS and PLC firmware to V3.90; until the update can be applied, implement compensating controls such as network isolation, restricted access, application whitelisting, and enhanced logging and monitoring. CISA notes these vulnerabilities are not exploitable remotely and no public exploitation has been reported.

Coupang Sued for Delayed SEC Breach Disclosure, Key Failures

🔒 Coupang disclosed a massive breach via a Form 8-K 28 days after discovering unauthorized access on Nov. 18, 2025, prompting a US securities class action that alleges the delay violated SEC rules requiring material incident disclosure within four business days. The complaint asserts CEO Bom Kim and CFO Gaurav Anand knew or recklessly disregarded inadequate cybersecurity controls that allowed a former employee to access customer data for nearly six months. Investigators found signing keys and authentication tokens were not revoked after the employee’s departure, exposing personal information from 33.7 million accounts and revealing systemic failures in key management. Coupang faces parallel scrutiny from South Korean authorities, potential fines, and ongoing litigation.

Mitsubishi GT Designer3 Cleartext Credential Exposure

🔒 Mitsubishi Electric's GT Designer3 (Version1 for GOT2000 and GOT1000) stores project credentials in cleartext (CVE-2025-11009), allowing an attacker with access to a project file to recover plaintext credentials and illegitimately operate affected GOT devices. The issue is classified as Cleartext Storage of Sensitive Information (CWE-312) and has a CVSS v3.1 base score of 5.1 (Medium). Mitsubishi recommends limiting use to trusted LANs, blocking remote logins, using firewalls, VPNs, and antivirus, and avoiding untrusted files or links; CISA advises isolating control networks and minimizing internet exposure.

Gladinet hardcoded keys enable remote code execution

🔒 Huntress warns attackers are exploiting hardcoded AES keys in Gladinet file‑sharing products CentreStack and Triofox, allowing decryption and forging of access tickets. Because the server uses a static GenerateSecKey() output — identical AES key and IV strings — adversaries can retrieve sensitive files like web.config, extract the ASP.NET machine key, and craft trusted ViewState payloads to achieve remote code execution. Gladinet released fixes on December 8 (build 16.12.10420.56791); Huntress advises immediate patching or temporary replacement of machine keys and notes active exploitation across customer environments.

Mitsubishi Electric GX Works2 Cleartext Credential Risk

🔒 CISA warns that Mitsubishi Electric GX Works2 contains a cleartext storage vulnerability (CVE-2025-3784) that can expose credentials stored in project files. The issue affects all versions and may allow a local attacker with file access to open password-protected projects and read or modify project data. A vendor fix is under development; organizations should restrict access, block untrusted remote logins, and follow the mitigations recommended by Mitsubishi Electric and CISA.

Sunbird DCIM dcTrack and Power IQ: Critical Flaws (2025)

🔒 CISA warns of two critical vulnerabilities in Sunbird DCIM dcTrack and Power IQ appliances that could enable unauthorized access or credential theft. One is an authentication bypass via alternate remote-access channels (CVE-2025-66238); the other involves hard-coded/default credentials (CVE-2025-66237) with a CVSS v4 high score of 8.4. Sunbird has released fixes (dcTrack 9.2.3, Power IQ 9.2.1); until systems are updated, CISA recommends restricting SSH and nonessential ports, changing deployment passwords, isolating control networks behind firewalls, and using secure VPNs for remote access.

Code formatters left 80,000+ secrets exposed publicly

🔓 Researchers at external attack surface management firm watchTowr discovered more than 80,000 JSON snippets saved via JSONFormatter and CodeBeautify's unprotected Recent Links feature, exposing credentials, private keys, tokens, and configuration files. The platforms generated predictable, shareable URLs when users saved snippets and stored them without access controls, allowing anyone to scrape content via the services' APIs. Leaked material spans government, finance, healthcare, telecoms, and other sensitive sectors. watchTowr's Canarytoken test showed attackers accessed planted fake AWS keys after links had expired, indicating active scanning.

Code-formatters leak credentials from major organizations

🔓 Researchers discovered that the code-formatting services JSONFormatter and CodeBeautify exposed more than 80,000 user-saved JSON pastes totaling over 5GB via an unprotected Recent Links feature. The listings and predictable URLs allowed simple crawlers to enumerate and retrieve sensitive data including credentials, API keys, private keys, and PII. The findings show active scraping and confirmed access attempts after uploads expired.

Brightpick Mission Control and Internal Logic Control Flaws

⚠️ CISA published an advisory on November 13, 2025, warning that Brightpick AI devices — Mission Control and Internal Logic Control — contain multiple high-severity weaknesses that are remotely exploitable. Tracked as CVE-2025-64307, CVE-2025-64308, and CVE-2025-64309, the issues include missing authentication, hardcoded credentials in client-side JavaScript, and an unauthenticated WebSocket endpoint. Calculated scores reach up to CVSS v4 8.7, and CISA advises isolating affected systems, minimizing network exposure, and using secure remote access while conducting impact assessments.

SAP patches critical hardcoded credentials in SQL Anywhere

🔒 SAP released November security updates addressing a maximum-severity (10.0) hardcoded credentials flaw in the non-GUI component of SQL Anywhere Monitor (CVE-2025-42890) and a critical code-injection issue in SAP Solution Manager (CVE-2025-42887). The embedded credentials could allow attackers to access administrative functions and potentially execute arbitrary code. Administrators should apply updates and follow SAP mitigation guidance promptly.