All news with #hardcoded secrets tag

Hard-coded Gladinet Keys Enable Active Exploitation

🔐 Huntress warns that hard-coded cryptographic keys in Gladinet CentreStack and Triofox allow attackers to decrypt or forge access tickets, exposing sensitive files such as web.config. The flaw stems from a function that returns the same 100-byte strings to derive persistent keys, enabling indefinite reuse of crafted URLs to download server configuration. Organisations should update to version 16.12.10420.56791 and rotate machine keys immediately.

Over 10,000 Docker Hub Images Expose Live Secrets Globally

🔒 A November scan by threat intelligence firm Flare found 10,456 Docker Hub images exposing credentials, including live API tokens for AI models and production systems. The leaks span about 101 organizations — from SMBs to a Fortune 500 company and a major national bank — and often stem from mistakes like committed .env files, hardcoded tokens, and Docker manifests. Flare urges immediate revocation of exposed keys, centralized secrets management, and active SDLC scanning to prevent prolonged abuse.

Exposed GitHub PATs Enable Access to Cloud Secrets

🔒 Recent research from the Wiz Customer Incident Response Team shows attackers are using exposed GitHub Personal Access Tokens (PATs) to retrieve GitHub Action Secrets and pivot into cloud environments. A read-level PAT can leverage GitHub’s API code search to locate secret references like "${{ secrets.SECRET_NAME }}" — and because those search API calls are not logged, discovery is stealthy. Once obtained, cloud provider credentials let attackers spin up resources, exfiltrate data, install malware, or persist while often evading detection. Organizations should treat PATs as privileged credentials: enforce expiration and rotation, remove cloud secrets from workflows, apply least privilege, and improve monitoring and developer training.

Sunbird DCIM dcTrack and Power IQ: Critical Flaws (2025)

🔒 CISA warns of two critical vulnerabilities in Sunbird DCIM dcTrack and Power IQ appliances that could enable unauthorized access or credential theft. One is an authentication bypass via alternate remote-access channels (CVE-2025-66238); the other involves hard‑coded/default credentials (CVE-2025-66237) with a CVSS v4 high score of 8.4. Sunbird has released fixes (dcTrack 9.2.3, Power IQ 9.2.1); until systems are updated, CISA recommends restricting SSH and nonessential ports, changing deployment passwords, isolating control networks behind firewalls, and using secure VPNs for remote access.

Rigged DeckMate 2 Shufflers Used to Cheat High-Stakes Poker

🃏 Security researchers demonstrated at Black Hat 2023 that the popular DeckMate 2 automated shuffler can be compromised to reveal card order, exploiting an exposed USB port, hard-coded credentials, and an internal camera. The device’s firmware hash check was bypassed in the proof-of-concept, allowing attackers to transmit card sequences to accomplices. Two years later, DOJ indictments show criminals used pre-hacked units, invisible card markings, and remote signaling to defraud players of millions.

Mirion Medical EC2 NMIS BioDose: High-Risk Vulnerabilities

⚠️ Mirion Medical's EC2 Software NMIS BioDose versions prior to 23.0 contain multiple high-severity vulnerabilities (CVSS v4: 8.7) that are remotely exploitable and can enable code execution, data disclosure, and unauthorized access. The issues include incorrect permission assignment, client-side authentication, and hard-coded credentials affecting installed executables, the embedded SQL Server, and database accounts. Mirion recommends updating to v23.0 or later; CISA advises isolating control networks, minimizing exposure, and using secure remote access while performing impact analysis.

Researchers Expose Widespread Dashcam Botnet Risk to Privacy

🔒 Singaporean researchers demonstrated how inexpensive offline dashcams can be weaponized into a self‑propagating surveillance network. They identified common weaknesses — default or hardcoded Wi‑Fi credentials, exposed services (FTP/RTSP), MAC‑spoofing and replay attacks — that allow attackers to download video, audio, timestamps and GPS metadata. The team showed mass compromise is feasible and offered mitigation steps for vendors and drivers.

Talos Discloses Multiple Dell, Lasso, GL.iNet Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities across Dell ControlVault, the Entr'ouvert Lasso SAML library, and the GL.iNet Slate AX travel router. Issues range from a hard-coded password and privilege escalation in ControlVault to memory corruption and buffer overflows that can enable arbitrary code execution, a type confusion bug and DoS in Lasso, and an OTA firmware downgrade in GL.iNet. Vendors have issued patches under Cisco’s disclosure policy and Snort rule updates are available to detect exploitation. Administrators should apply vendor updates, verify OTA integrity mechanisms, and deploy IDS signatures promptly.

Developers Exposed Large Cache of Credentials Online

🔒 Security researchers at watchTowr discovered that two popular code utility sites — JSON Formatter and Code Beautify — inadvertently exposed thousands of developer submissions containing sensitive secrets and credentials. By querying a public API and the sites’ “Recent Links” listings, the team extracted over 80,000 submissions spanning years, including API keys, private keys, database and cloud credentials, JWTs, and PII. The exposure remained until the sites disabled the save feature; watchTowr also confirmed active scraping by third parties and reported limited response from affected organizations.

Years of JSONFormatter and CodeBeautify Credentials Leak

🔒 New research from watchTowr Labs found over 80,000 files saved to online code-formatting tools, exposing thousands of passwords, API keys, repository tokens and other sensitive credentials across government, telecoms, finance, healthcare and critical infrastructure. The datasets comprise five years of JSONFormatter content and one year of CodeBeautify content (about 5GB), and both services used predictable, shareable URLs and a Recent Links page that made mass crawling trivial. Researchers uploaded decoy AWS keys that were abused within 48 hours, and both sites have temporarily disabled save functionality while implementing enhanced content-prevention measures.

Enterprise Password and Secrets Management — Passwork 7

🔐 Passwork 7 consolidates enterprise password and secrets management into a single, self-hosted platform supporting both human and machine credentials. The release improves credential organization with new vault types, expands RBAC and group-based permissions, and enhances audit trails and notifications. It also provides a REST API, Python connector, CLI, and Docker image for automation, plus zero-knowledge encryption and SSO/LDAP integration to help meet compliance needs.

Android photo frames download malware at boot, supply risk

⚠️ Quokka's assessment of the Uhale Android platform used in many consumer digital picture frames found devices that download and execute malware on boot. The tested units update to Uhale app 4.2.0, install a JAR/DEX payload from China-based servers, and persistently load it at every reboot. Devices were rooted, shipped with SELinux disabled and signed with AOSP test-keys, increasing exposure. Quokka disclosed 17 vulnerabilities (11 with CVEs) including remote code execution, command injection, an unauthenticated file server and insecure WebViews; researchers linked artifacts to Vo1d and Mezmess while the vendor did not respond to notifications.

Brightpick Mission Control and Internal Logic Control Flaws

⚠️ CISA published an advisory on November 13, 2025, warning that Brightpick AI devices — Mission Control and Internal Logic Control — contain multiple high-severity weaknesses that are remotely exploitable. Tracked as CVE-2025-64307, CVE-2025-64308, and CVE-2025-64309, the issues include missing authentication, hardcoded credentials in client-side JavaScript, and an unauthenticated WebSocket endpoint. Calculated scores reach up to CVSS v4 8.7, and CISA advises isolating affected systems, minimizing network exposure, and using secure remote access while conducting impact assessments.

AI startups expose API keys on GitHub, risking models

🔐 New research by cloud security firm Wiz found verified secret leaks in 65% of the Forbes AI 50, with API keys and access tokens exposed on GitHub. Some credentials were tied to vendors such as Hugging Face, Weights & Biases, and LangChain, potentially granting access to private models, training data, and internal details. Nearly half of Wiz’s disclosure attempts failed or received no response. The findings highlight urgent gaps in secret management and DevSecOps practices.

65% of Top Private AI Firms Exposed Secrets on GitHub

🔒 A Wiz analysis of 50 private companies from the Forbes AI 50 found that 65% had exposed verified secrets such as API keys, tokens and credentials across GitHub and related repositories. Researchers employed a Depth, Perimeter and Coverage approach to examine commit histories, deleted forks, gists and contributors' personal repos, revealing secrets standard scanners often miss. Affected firms are collectively valued at over $400bn.

Susvsex Ransomware Test Published on VS Code Marketplace

🔒 A malicious VS Code extension named susvsex, published by 'suspublisher18', was listed on Microsoft's official marketplace and included basic ransomware features such as AES-256-CBC encryption and exfiltration to a hardcoded C2. Secure Annex researcher John Tuckner identified AI-generated artifacts in the code and reported it, but Microsoft did not remove the extension. The extension also polled a private GitHub repo for commands using a hardcoded PAT.

ABB FLXeon Devices: Multiple Remote-Access Vulnerabilities

⚠ ABB FLXeon devices are affected by multiple high-severity vulnerabilities, including hard-coded credentials, MD5 password hashing without proper salt, and improper input validation that can enable remote code execution. Combined CVSS v4 scores reach up to 8.7 and successful exploitation could allow remote control, arbitrary code execution, or device crashes. ABB and CISA advise disconnecting Internet-exposed units, applying the latest firmware, enforcing physical access controls, and using secure remote-access methods such as properly configured VPNs.

Louvre Heist Exposes Longstanding Security Failures

🏛 Thieves brazenly used a furniture elevator to access a second‑floor window and stole historic jewels worth about €88 million from display cases at the Louvre in October 2025. French authorities say the alarms on the affected window and cases functioned as intended, but the theft prompted a comprehensive security review and urgent recommendations for new governance, extra perimeter cameras, and updated protocols. Confidential audits cited by Libération document chronic IT weaknesses since 2014 — systems running Windows 2000 and weak password hygiene, including a video server reportedly protected by the password "LOUVRE".

Louvre's Outdated Windows Systems Highlighted After Burglary

🏛 The Louvre has struggled for more than a decade with outdated software and unsupported Windows systems that control critical security infrastructure, French reports say. Audits in 2014 and 2017 found workstations running Windows 2000 and Windows XP, along with a video server still on Windows Server 2003 and weak, hard-coded passwords on surveillance applications. Procurement records also list multiple Thales systems as "software that cannot be updated." Authorities ordered governance and security reforms after a recent jewelry theft, though there is no indication the IT issues directly enabled that burglary.

SesameOp Backdoor Abuses OpenAI Assistants API for C2

🛡️ Researchers at Microsoft disclosed a previously undocumented backdoor, dubbed SesameOp, that abuses the OpenAI Assistants API to relay commands and exfiltrate results. The attack chain uses .NET AppDomainManager injection to load obfuscated libraries (loader "Netapi64.dll") into developer tools and relies on a hard-coded API key to pull payloads from assistant descriptions. Because traffic goes to api.openai.com, the campaign evaded traditional C2 detection. Microsoft Defender detections and account key revocation were used to disrupt the operation.