< ciso
brief />
Tag Banner

All news with #hardcoded credentials tag

62 articles

Undocumented backdoor in Tenda router firmware exposed

🔒 CERT/CC warns that an undocumented authentication backdoor in multiple Tenda router firmware versions (CVE-2026-11405) can grant administrative access via an alternate plaintext password stored in sys.rzadmin.password. The backdoor bypasses normal MD5 authentication in the '/bin/httpd' login() function, accepting any username if the backdoor password is supplied. No patch is available and Tenda could not be reached; users are advised to disable remote web management and restrict LAN exposure.
read more →

Yarbo robot mower backdoor exposes devices

🛠️ Independent researcher Andreas Makris discovered a universal hardcoded root password and permanent remote-access mechanism in Yarbo robotic mowers that allowed him to control thousands of units remotely. He demonstrated the flaw by hijacking a mower in the U.S. from Germany, showing how attackers could steer the machine, access cameras, and extract owner data. Yarbo has issued updates and plans to make remote access opt-in, but owners should install patches and follow basic IoT security hygiene.
read more →

Yarbo MQTT Credentials and Authorization Flaw

🔒 Yarbo mobile apps and cloud infrastructure expose hard-coded MQTT broker credentials and lack per-device authorization, enabling broad access to telemetry and command topics across the robot fleet. The vulnerability allows wildcard subscription to telemetry and publishing to individual robot command topics using only a serial number. Yarbo recommends updating the mobile app to 3.17.4 or later; server-side broker authorization will be enforced with the May 2026 update. CISA advises network restrictions, isolation behind firewalls, and use of secure remote access methods while organizations perform risk assessments.
read more →

KACO Blueplanet Inverters: Credential and SQL Injection Risk

🔒 KACO blueplanet inverters contain vulnerabilities that can expose service credentials and allow SQL injection against management components. Siemens and KACO new energy have released updates for some models and recommend updating to the latest firmware where fixes exist. Operators should minimize network exposure, segment control networks, and apply vendor security updates after validation and supervised deployment.
read more →

Malware threats imperil automated tank gauges

🔒 CISA warns that ongoing cyber-attacks on automated tank gauges (ATGs) could allow attackers to drain fuel tanks or hide theft and leaks, affecting gas stations, military bases, hospitals, and industrial sites. The attacks exploit authentication bypasses, hardcoded credentials, OS command execution, SQL injection, and privilege escalation to gain full control. Administrators are urged to remove public serial connections, change default passwords, apply patches, report incidents to CISA, and push supply-chain partners to adopt defenses.
read more →

NAVTOR NavBox hard-coded SOAP credentials fix

🔒 NAVTOR NavBox through version 4.16.1.20 contained hard-coded credentials in its Windows Communication Foundation (SOAP) implementation. If SOAP is enabled, a local attacker could extract those credentials to authenticate to privileged WCF methods and write or overwrite files within application-defined paths, disrupting operations. NAVTOR released a patch in April 2026; versions 4.17.2.6 and later include the fix, and connected NavBox users will be updated automatically.
read more →

XCharge C6 charger firmware and access vulnerabilities

🔒 CISA reports critical vulnerabilities in the XCharge C6 electric vehicle charging controller that could allow attackers to gain administrator rights or execute arbitrary code. A firmware update mechanism lacks signature validation, a stack-based buffer overflow exists in signal processing, and a management service exposes default credentials over the charging interface. XCharge has deployed updates for affected units; users should contact XCharge Support for details.
read more →

Hard-coded Credentials in USR-W610 Converter Exposed

🔒 The USR-W610 RS232/485 to Wi‑Fi/Ethernet Converter from Jinan USR IOT Technology Limited contains plaintext administrative credentials embedded in its firmware. These hard-coded credentials can be extracted through firmware analysis and used to authenticate to device services, enabling potential administrator access. CISA reports no confirmed public exploitation and encourages users to contact the vendor and apply updates where available. Mitigations include network segmentation, firewalling, and using secure remote access methods such as VPNs with current updates.
read more →

VDR G4e Firmware Update Fixes Credential Flaws

🔒 The MacGregor Voyage Data Recorder (VDR) G4e contains multiple credential management vulnerabilities, including default and hard-coded credentials, weak password hashing, and accessible authentication files that can allow an attacker to gain administrator access. Danelec has released firmware V5.250 to address these issues and users are urged to update at the next service attendance rather than waiting for annual maintenance. CISA recommends minimizing network exposure, isolating control networks behind firewalls, and using secure remote access methods such as up-to-date VPNs while performing risk assessments prior to deployment of mitigations.
read more →

ABB LVS MConfig: Cleartext Memory Exposure Fix

🔒 ABB disclosed a vulnerability in MConfig affecting versions listed by the vendor that allows sensitive data to be stored in cleartext in memory. An attacker with physical or local host access could export a memory dump that may include plaintext passwords. ABB released MConfig version 1.4.9.22 to remediate the issue and recommends applying defensive measures from the product manual.
read more →

Eppendorf BioFlo 320 VNC Hard‑coded Password Risk

🔒 The Eppendorf BioFlo 320 is affected by a high‑severity vulnerability (CVSS 9.8) due to a VNC server that uses a hard‑coded password. If remote access is enabled and an attacker knows the device's network address, they can gain full control of the controller interface; VNC traffic is unencrypted. Eppendorf has released Version 5.0 software that removes VNC access and urges users to verify VNC is disabled and restrict configuration changes to Admin and Supervisor roles.
read more →

Contractor Exposed CISA and GovCloud Credentials Publicly

🔒 A public GitHub repository tied to a suspected CISA contractor exposed plain-text credentials—AWS tokens, GitHub access tokens, Kubernetes files, workflows and internal documents—discovered on May 14 by GitGuardian. The repo, active since November 13, 2025, contained roughly 844 MB of data and was taken offline within a day after disclosure. CISA is investigating and reports no current indication of sensitive compromise. Experts recommend centralized secret management, automated secret scanning, strict vendor controls and MFA to prevent similar exposures.
read more →

Siemens Teamcenter vulnerabilities: patches and guidance

🔔 Siemens disclosed multiple vulnerabilities in Teamcenter that could affect availability, integrity, and confidentiality of affected installations. The vendor published patches across several builds and recommends administrators update to the indicated fixed versions (examples include V2312.0009, V2406.0006, V2412.0009, V2506.0005 and later). Identified issues include improper error checking (CWE-754), cross-site scripting (CWE-79), and hard‑coded credentials (CWE-798). CISA and Siemens advise minimizing network exposure, isolating control systems, applying vendor updates promptly, and following Siemens' industrial security guidance.
read more →

Edge Password Manager Keeps Credentials in Plaintext

🔒 A Norwegian researcher discovered that Microsoft Edge decrypts saved passwords at startup and keeps them resident in process memory, leaving credentials retrievable in plain text on shared or compromised machines. German publication Heise reproduced the finding, locating passwords even after a browser restart. Microsoft reportedly treats the behavior as 'by design,' prompting calls for using alternative password managers.
read more →

ABB B&R PVI client logs sensitive data vulnerability

🔒 ABB has released an update addressing a logging issue in its B&R PVI client that could expose sensitive information. Affected versions are PVI <6.5.0>; the issue is fixed in PVI 6.5.0 (CVE-2026-0936). The vulnerability can allow an authenticated local attacker to read credentials written to client-side logs, although logging is disabled by default. Customers should apply the update promptly and limit client logging to troubleshooting only.
read more →

Scan Finds Widespread Exposed AI Services and Risks

🔍 Intruder scanned over 1 million exposed AI services and found pervasive, critical misconfigurations and insecure defaults. Many deployments were reachable with no authentication, exposing chat histories, API keys, and management consoles. Exposed agent platforms (including n8n and Flowise) and thousands of Ollama APIs responded without auth, some wrapping paid frontier models. The findings highlight insecure-by-design defaults, hardcoded credentials, and real risks of code execution, data exfiltration, and abuse.
read more →

Cursor extension flaw exposes local API credentials

🔒 A high-severity vulnerability in the AI-powered development tool Cursor allows installed extensions to read sensitive credentials stored locally, researchers at LayerX report. The issue stems from Cursor keeping API keys, session tokens and cached configuration in an unprotected SQLite database rather than using OS keychains or encryption, and it does not restrict extension access. LayerX assigned the flaw a CVSS score of 8.2 and demonstrated silent exfiltration without user prompts. Cursor acknowledged the notice but said trust boundaries are the user's responsibility; as of 28 April 2026 the vulnerability remains unresolved.
read more →

Multiple critical vulnerabilities in SenseLive X3050 devices

⚠️ The CISA advisory reports multiple high-severity vulnerabilities in SenseLive X3050 (V1.523) that can allow an attacker on the network to bypass authentication, obtain administrative access, and perform unauthorized firmware operations. Affected issues include hard-coded credentials, missing authentication and authorization, insufficient session handling, cleartext management traffic, CSRF, and unsafe configuration controls that may destabilize device operation. CISA notes no known public exploitation to date; administrators should reduce exposure and contact the vendor.
read more →

Yokogawa CENTUM VP Hardcoded PROG Account Password

🔒 Yokogawa CENTUM VP contains a hardcoded password for the PROG account used in CENTUM Authentication Mode, tracked as CVE-2025-7741. Under specific conditions, an attacker with access to HIS screen controls could log in as PROG and modify permissions or configuration. The issue affects R5.x, R6.x, and vR7.01.00 product families; it is not remotely exploitable and has high attack complexity. Recommended mitigations include switching to Windows Authentication Mode or applying vendor patch R7.01.10.
read more →

Cloud Misconfigurations: The Multi-Billion Dollar Risk

🔒 Most major cloud breaches in recent years have stemmed from basic misconfigurations rather than sophisticated zero-days or custom malware. The article highlights incidents such as Snowflake (2024), AT&T, Ticketmaster and Capital One to show how exposed credentials, public storage buckets and missing controls led to vast data exposure. Immediate actions recommended are enabling MFA everywhere, enforcing account-level public access blockers, activating comprehensive logging across AWS/Azure/GCP, and prioritizing remediation of exposed buckets and keys, while longer-term fixes include CSPM tools and infrastructure-as-code security checks.
read more →