CISO Brief

All news with #hardcoded credentials tag

56 articles · page 2 of 3

CISA Adds Two Exploited Vulnerabilities to KEV Catalog

⚠️ CISA announced the addition of two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation: CVE-2021-22175 (GitLab SSRF) and CVE-2026-22769 (Dell RecoverPoint for Virtual Machines hard-coded credentials). These issues represent common, high-risk attack vectors that can enable data access and unauthorized persistence. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities by specified deadlines, and CISA strongly urges all organizations to prioritize remediation as part of routine vulnerability management.

AVEVA PI to CONNECT Agent Log Information Exposure

⚠️ AVEVA reported that PI to CONNECT Agent (<=v2.4.2520) contains a vulnerability that can record sensitive proxy connection details in event logs. An attacker with local Event Log Reader (S-1-5-32-573) privileges could extract proxy URLs and credentials from those logs and gain unauthorized access to the proxy server. The issue is not remotely exploitable; the vendor’s fix is v2.5.2790 or later. Users should review and sanitize logs, rotate proxy credentials, avoid plain-text passwords in proxy URLs, and restrict Event Log Reader privileges.
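The AVEVA mitigations above (sanitize logs, keep passwords out of proxy URLs, restrict who can read the event log) come down to one rule: a URL with userinfo in it must never reach a log sink unmasked. The following is an added example, not AVEVA's code, showing a standard-library Python redaction helper and a logging filter that applies it to every record before any handler writes it. The logger name and the sample proxy URLs are constructed.

```python
import logging
import re

# A URL whose authority part carries userinfo (user:password@host), the shape a
# proxy setting takes when the password is written into the URL itself. RFC 3986
# requires '/', '?', '#' and '@' inside userinfo to be percent-encoded, so the
# first '@' after the scheme reliably ends the credential part.
_URL_WITH_USERINFO = re.compile(r"\b([a-zA-Z][a-zA-Z0-9+.-]*://)([^\s/?#@]+)@")


def redact_credentials(text: str) -> str:
    """Mask the password of every credential-bearing URL in text; keep user and host visible."""
    def mask(match: re.Match) -> str:
        user, has_password, _password = match.group(2).partition(":")
        userinfo = f"{user}:***" if has_password else user
        return f"{match.group(1)}{userinfo}@"
    return _URL_WITH_USERINFO.sub(mask, text)


class RedactingFilter(logging.Filter):
    """Rewrites each record's message before any handler formats or writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_credentials(record.getMessage())
        record.args = ()  # arguments are already interpolated into msg
        return True


def redacted_log_lines(messages: list) -> list:
    """Push (format, args) pairs through the filter; return what a handler would write."""
    flt = RedactingFilter()
    out = []
    for fmt, args in messages:
        record = logging.LogRecord("proxy-agent", logging.INFO, __file__, 0, fmt, args, None)
        flt.filter(record)
        out.append(record.getMessage())
    return out


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(name)s %(message)s")
    log = logging.getLogger("proxy-agent")
    log.addFilter(RedactingFilter())
    # Constructed sample line of the kind an agent writes when it connects through a proxy.
    log.info("connecting through %s", "http://svc_pi:Pa55w0rd!@proxy.corp.example:3128")
```

Attach the filter to the logger (or to each handler) rather than relying on callers to scrub their own messages; the filter sees the fully interpolated message, so a URL passed as a format argument is caught too. Redaction only protects future log lines: anything already written still has to be treated as disclosed, which is why the advisory pairs log sanitization with rotating the proxy credentials.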

AutomationDirect CLICK PLC Password Storage Vulnerabilities

🔒 AutomationDirect reported two vulnerabilities in CLICK Programmable Logic Controllers (PLCs) — CVE-2025-67652 and CVE-2025-25051 — that expose stored credentials and weak encoding. Both issues carry a CVSS 3.1 base score of 6.1 (Medium) and affect C0-0x, C0-1x, and C2-x product versions. AutomationDirect recommends updating CLICK PLUS and PLC firmware to V3.90; until the update can be applied, implement compensating controls such as network isolation, restricted access, application whitelisting, and enhanced logging and monitoring. CISA notes these vulnerabilities are not exploitable remotely and no public exploitation has been reported.

Coupang Sued for Delayed SEC Breach Disclosure, Key Failures

🔒 Coupang disclosed a massive breach in a Form 8-K filed 28 days after it discovered the unauthorized access on Nov. 18, 2025, prompting a US securities class action that alleges the delay violated SEC rules requiring a material cybersecurity incident to be disclosed within four business days of the materiality determination. The complaint asserts CEO Bom Kim and CFO Gaurav Anand knew of or recklessly disregarded inadequate cybersecurity controls that allowed a former employee to access customer data for nearly six months. Investigators found that signing keys and authentication tokens were not revoked after the employee's departure, exposing personal information from 33.7 million accounts and revealing systemic failures in key management. Coupang faces parallel scrutiny from South Korean authorities, potential fines, and ongoing litigation.

Mitsubishi GT Designer3 Cleartext Credential Exposure

🔒 Mitsubishi Electric's GT Designer3 (Version1 for GOT2000 and GOT1000) stores project credentials in cleartext (CVE-2025-11009), allowing an attacker with access to a project file to recover plaintext credentials and illegitimately operate affected GOT devices. The issue is classified as Cleartext Storage of Sensitive Information (CWE-312) and has a CVSS v3.1 base score of 5.1 (Medium). Mitsubishi recommends limiting use to trusted LANs, blocking remote logins, using firewalls, VPNs, and antivirus, and avoiding untrusted files or links; CISA advises isolating control networks and minimizing internet exposure.

Gladinet hardcoded keys enable remote code execution

🔒 Huntress warns attackers are exploiting hardcoded AES keys in Gladinet file‑sharing products CentreStack and Triofox, allowing decryption and forging of access tickets. Because the server uses a static GenerateSecKey() output — identical AES key and IV strings — adversaries can retrieve sensitive files like web.config, extract the ASP.NET machine key, and craft trusted ViewState payloads to achieve remote code execution. Gladinet released fixes on December 8 (build 16.12.10420.56791); Huntress advises immediate patching or temporary replacement of machine keys and notes active exploitation across customer environments.
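The Gladinet issue is a cryptographic key compiled into the shipped product, so one extracted key lets an attacker mint tickets that every unpatched install trusts, and Huntress's interim advice is to replace the machine keys. The added example below, which is neither Gladinet's nor Huntress's code, illustrates that property and the remediation: tickets are validated against a key ring, the deployment switches to its own key, and the shared key is dropped. It uses HMAC-SHA256-signed tickets from the Python standard library in place of the AES-encrypted tickets the product uses; the authentication property being shown is the same. LEAKED_BUILTIN_KEY and the TICKET_KEY_HEX environment variable are constructed stand-ins.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# Stand-in for a signing key compiled into the product and therefore identical on
# every install (constructed value, not Gladinet's key). Anyone who has pulled it
# out of one copy of the software can mint tickets that every other copy trusts.
LEAKED_BUILTIN_KEY = b"static-key-shipped-with-every-install"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_ticket(claims: dict, key: bytes, ttl: int = 900, now: Optional[float] = None) -> str:
    """Issue an access ticket: base64url(claims JSON with exp) '.' base64url(HMAC-SHA256 tag)."""
    now = time.time() if now is None else now
    body = json.dumps({**claims, "exp": int(now) + ttl}, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify_ticket(ticket: str, keyring: list, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if some key in the ring authenticates the ticket and it is unexpired.

    keyring[0] is the current key; an outgoing key may stay in the ring for a short
    grace period after a routine rotation so tickets issued just before the switch
    keep working. A key known to be leaked gets no such grace period.
    """
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = ticket.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    for key in keyring:
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):  # constant-time comparison
            claims = json.loads(body)
            return claims if claims.get("exp", 0) > now else None
    return None


def load_deployment_key() -> bytes:
    """Per-install key from the TICKET_KEY_HEX environment variable (assumed name);
    a fresh random key is generated when none is configured, e.g. on first boot."""
    configured = os.environ.get("TICKET_KEY_HEX")
    return bytes.fromhex(configured) if configured else secrets.token_bytes(32)


def rotation_demo() -> dict:
    """Forge a ticket with the shared key, then rotate the deployment to its own key."""
    forged = mint_ticket({"sub": "attacker", "role": "admin"}, LEAKED_BUILTIN_KEY)
    before = verify_ticket(forged, [LEAKED_BUILTIN_KEY]) is not None  # every unpatched install accepts it
    own_key = load_deployment_key()
    during_grace = verify_ticket(forged, [own_key, LEAKED_BUILTIN_KEY]) is not None  # old key still honoured
    after = verify_ticket(forged, [own_key]) is not None  # old key dropped: the forgery is rejected
    return {"before_rotation": before, "during_grace": during_grace, "after_rotation": after}


if __name__ == "__main__":
    print(rotation_demo())  # {'before_rotation': True, 'during_grace': True, 'after_rotation': False}
```

The `during_grace` result is the caveat that matters when the reason for rotating is a leak: as long as the compromised key is still in the ring, forged tickets keep working, so a leaked key is removed immediately and only routine rotations get a grace window. Generating the key per deployment at install time, as `load_deployment_key` does, is what prevents one extracted key from being valid everywhere.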

Sunbird DCIM dcTrack and Power IQ: Critical Flaws (2025)

🔒 CISA warns of two critical vulnerabilities in Sunbird DCIM dcTrack and Power IQ appliances that could enable unauthorized access or credential theft. One is an authentication bypass via alternate remote-access channels (CVE-2025-66238); the other involves hard‑coded/default credentials (CVE-2025-66237) with a CVSS v4 high score of 8.4. Sunbird has released fixes (dcTrack 9.2.3, Power IQ 9.2.1); until systems are updated, CISA recommends restricting SSH and nonessential ports, changing deployment passwords, isolating control networks behind firewalls, and using secure VPNs for remote access.

Mitsubishi Electric GX Works2 Cleartext Credential Risk

🔒 CISA warns that Mitsubishi Electric GX Works2 contains a cleartext storage vulnerability (CVE-2025-3784) that can expose credentials stored in project files. The issue affects all versions and may allow a local attacker with file access to open password-protected projects and read or modify project data. A vendor fix is under development; organizations should restrict access, block untrusted remote logins, and follow the mitigations recommended by Mitsubishi Electric and CISA.

Code formatters left 80,000+ secrets exposed publicly

🔓 Researchers at external attack surface management firm watchTowr discovered more than 80,000 JSON snippets saved via JSONFormatter and CodeBeautify's unprotected Recent Links feature, exposing credentials, private keys, tokens, and configuration files. The platforms generated predictable, shareable URLs when users saved snippets and stored them without access controls, allowing anyone to scrape content via the services' APIs. Leaked material spans government, finance, healthcare, telecoms, and other sensitive sectors. watchTowr's Canarytoken test showed attackers accessed planted fake AWS keys after links had expired, indicating active scanning.

Code-formatters leak credentials from major organizations

🔓 Researchers discovered that the code-formatting services JSONFormatter and CodeBeautify exposed more than 80,000 user-saved JSON pastes totaling over 5GB via an unprotected Recent Links feature. The listings and predictable URLs allowed simple crawlers to enumerate and retrieve sensitive data including credentials, API keys, private keys, and PII. The findings show active scraping and confirmed access attempts after uploads expired.
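Both write-ups above describe the same thing: pastes scraped in bulk and searched for credentials, API keys and private keys. The following added example, which is not watchTowr's tooling, is a minimal standard-library Python scanner a team could run over its own snippets, configs or repositories before anything is pasted into a third-party tool: pattern matching for well-known key formats, a keyword-plus-entropy heuristic for generic secrets that skips templated and low-entropy placeholders, and a fingerprint instead of the secret itself in every finding so the report does not become a second leak. SAMPLE_PASTE is constructed; the AWS access key ID in it is the one AWS uses in its own documentation, not a live key.

```python
import hashlib
import math
import re

# Constructed sample paste: the kind of config blob a developer drops into an online
# formatter. The AWS key ID is the one used in AWS's own documentation, not a live key.
SAMPLE_PASTE = """\
{
  "db_url": "postgres://app:Zq7!mP2#vL9w@db.internal:5432/prod",
  "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
  "smtp_password": "${SMTP_PASSWORD}",
  "debug_password": "changeme",
  "api_key": "9f2c6a1e4b7d8e3f0a5c2b6d9e1f4a7c"
}
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...constructed placeholder, not key material...
-----END RSA PRIVATE KEY-----
"""

# (finding type, regex). Group 1 isolates the secret value itself.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)")),
    ("url_with_password", re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s/:@]+:([^\s/@]+)@")),
    ("jwt", re.compile(r"\b(eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,})\b")),
    # Generic "<keyword> = <value>" assignment; filtered by entropy below to drop placeholders.
    ("assigned_secret", re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)["']?\s*[:=]\s*["']?([^\s"',;]{8,})""")),
]
MIN_ENTROPY_BITS = 3.5  # per-character entropy below which a generic value is treated as a placeholder


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, estimated from the value's own character frequencies."""
    if not value:
        return 0.0
    length = len(value)
    return -sum((n / length) * math.log2(n / length) for n in (value.count(c) for c in set(value)))


def fingerprint(secret: str) -> str:
    """Stable, non-reversible handle for a finding so reports never contain the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan_text(text: str, source: str = "<paste>") -> list:
    """Return one finding per (line, pattern) hit; secrets are reported only as fingerprints."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for match in rx.finditer(line):
                value = match.group(1)
                if kind == "assigned_secret" and (
                    value.startswith("${") or shannon_entropy(value) < MIN_ENTROPY_BITS
                ):
                    continue  # templated or low-entropy word: almost certainly not a real secret
                findings.append({"source": source, "line": lineno, "type": kind,
                                 "fingerprint": fingerprint(value)})
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_PASTE, source="sample.json"):
        print(f"{finding['source']}:{finding['line']} {finding['type']} sha256:{finding['fingerprint']}")
```

Run against the sample, the scanner reports the database URL password, the AWS key ID, the hex API key and the private key header, and skips the `${SMTP_PASSWORD}` template and the dictionary word `changeme`. The entropy threshold is a heuristic: a weak real password is exactly what it misses, so the structured patterns do the reliable work and the generic rule is a backstop, and fingerprints let the same secret be recognised across files and revoked once rather than copied into yet another place.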

Brightpick Mission Control and Internal Logic Control Flaws

⚠️ CISA published an advisory on November 13, 2025, warning that Brightpick AI devices — Mission Control and Internal Logic Control — contain multiple high-severity weaknesses that are remotely exploitable. Tracked as CVE-2025-64307, CVE-2025-64308, and CVE-2025-64309, the issues include missing authentication, hardcoded credentials in client-side JavaScript, and an unauthenticated WebSocket endpoint. Calculated scores reach up to CVSS v4 8.7, and CISA advises isolating affected systems, minimizing network exposure, and using secure remote access while conducting impact assessments.

SAP patches critical hardcoded credentials in SQL Anywhere

🔒 SAP released November security updates addressing a maximum-severity (10.0) hardcoded credentials flaw in the non-GUI component of SQL Anywhere Monitor (CVE-2025-42890) and a critical code-injection issue in SAP Solution Manager (CVE-2025-42887). The embedded credentials could allow attackers to access administrative functions and potentially execute arbitrary code. Administrators should apply updates and follow SAP mitigation guidance promptly.

Ubia Ubox: Insufficiently Protected Credentials Advisory

🔒 CISA warns that Ubia's Ubox firmware (v1.1.124) exposes API credentials, potentially allowing remote attackers to access backend services. Successful exploitation could permit viewing live camera feeds or modifying device settings. The issue is tracked as CVE-2025-12636 with a CVSS v4 base score of 7.1. Users should minimize network exposure, isolate devices behind firewalls, use secure remote-access methods such as VPNs, and contact Ubia support for guidance.

Louvre Heist Exposes Longstanding Security Failures

🏛 Thieves brazenly used a furniture elevator to access a second‑floor window and stole historic jewels worth about €88 million from display cases at the Louvre in October 2025. French authorities say the alarms on the affected window and cases functioned as intended, but the theft prompted a comprehensive security review and urgent recommendations for new governance, extra perimeter cameras, and updated protocols. Confidential audits cited by Libération document chronic IT weaknesses since 2014 — systems running Windows 2000 and weak password hygiene, including a video server reportedly protected by the password "LOUVRE".

Louvre's Outdated Windows Systems Highlighted After Burglary

🏛 The Louvre has struggled for more than a decade with outdated software and unsupported Windows systems that control critical security infrastructure, French reports say. Audits in 2014 and 2017 found workstations running Windows 2000 and Windows XP, along with a video server still on Windows Server 2003 and weak, hard-coded passwords on surveillance applications. Procurement records also list multiple Thales systems as "software that cannot be updated." Authorities ordered governance and security reforms after a recent jewelry theft, though there is no indication the IT issues directly enabled that burglary.

Open VSX Rotates Leaked Tokens After Supply-Chain Attack

🔒 Open VSX rotated access tokens after developers accidentally leaked credentials in public repositories, a lapse that allowed attackers to publish malicious VS Code–compatible extensions in a supply‑chain campaign. The Eclipse Foundation says the threat, linked to a campaign dubbed GlassWorm, was contained by Oct 21 after malicious extensions were removed and tokens revoked. The registry plans shorter token lifetimes, faster revocation workflows, automated publication scans, and increased collaboration with other marketplaces to reduce future risk.

Dingtian DT-R002 Relay Board: Credentials Disclosure Risk

⚠️ CISA warns that the Dingtian DT-R002 relay board contains two Insufficiently Protected Credentials vulnerabilities (CVE-2025-10879, CVE-2025-10880) that allow unauthenticated attackers to retrieve a username and extract the proprietary protocol password. Both flaws affect all versions, are remotely exploitable with low complexity, and carry CVSS v4 base scores of 8.7. Dingtian has not engaged with CISA; users should restrict HTTP (TCP/80) and the Dingtian protocol on UDP/60000–60001, isolate devices from the internet, and follow ICS defensive best practices.

Dover ProGauge MagLink LX Vulnerabilities and Fixes

⚠️ Dover Fueling Solutions disclosed critical vulnerabilities in its ProGauge MagLink LX4, LX4 Plus, and LX4 Ultimate tank monitors that may be exploited remotely. Identified issues include an integer overflow (CVE-2025-55068), a hard-coded cryptographic signing key (CVE-2025-54807), and non‑changeable weak default root credentials (CVE-2025-30519), with ratings up to CVSS v4 9.3. Affected firmware must be updated to 4.20.3 for LX4/LX4 Plus or 5.20.3 for LX4 Ultimate; operators are urged to minimize network exposure and place devices behind firewalls.

Cognex In-Sight Firmware: Multiple High-Risk Flaws

🔒 Cognex disclosed multiple high-severity vulnerabilities in In-Sight Explorer and firmware for the In-Sight 2000/7000/8000/9000 series (versions 5.x through 6.5.1). Identified issues include hard-coded credentials, cleartext management protocols (including telnet and a proprietary TCP 1069 service), weak default permissions, authentication bypass via capture-replay, and insufficient server-side enforcement. CISA assigns high CVSS scores (up to 8.8 v3.1 and 8.6 v4), warns of credential disclosure, configuration manipulation, and potential denial-of-service, and recommends migration to newer In-Sight Vision Suite systems and network isolation.

Plex Urges Password Resets After Customer Data Breach

🔒 Plex reports that an unauthorized third party accessed a limited subset of customer authentication data, including email addresses, usernames, and securely hashed passwords. The company says it quickly contained the incident and that no payment card information was stored on its servers. Plex did not name the hashing algorithm used; out of caution it recommends that users reset their passwords, enable two‑factor authentication, and use the "Sign out connected devices after password change" option to terminate active sessions. Plex reminded customers it will never request passwords or card details by email.