Threat-page

TID-328: Hardcoded Credentials

Threat Description

Hardcoded credentials typically cannot be changed by end-users and are often undocumented, leaving the end-user unaware of the risk. If a threat actor is able to discover the credentials for a device (or family of devices with the same password), they may be able to exploit multiple devices with no known device-level mitigation. Hardcoded credentials are often intended for vendor-specific diagnostic functions or to authenticate components designed to communicate together (e.g., a PLC and associated IED), but can be abused by threat actors when discovered. Often hardcoded credentials are added to support debugging during a device’s development and are mistakenly left in production devices.

Threat Maturity and Evidence

Observed Adversarial Technique

Known Exploitable Weakness

CWE

  • CWE-798: Use of Hard-coded Credentials
    “The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.”

CVE

  • Zyxel USG 4.60 Hardcoded Credential - CVE-2020-29583
    “Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.”

  • Eaton X303 PLC Hardcoded Credential - CVE-2024-57811
    In Eaton X303 3.5.16 - X303 3.5.17 Build 712, an attacker with network access to a XC-303 PLC can login as root over SSH. The root password is hardcoded in the firmware.”

  • Smart PLC AC4xxS Firmware Hardcoded Credential - CVE-2024-28747
    “An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges.”

Device Properties: