TID-328: Hardcoded Credentials
Threat Description
Hardcoded credentials typically cannot be changed by end-users and are often undocumented, leaving the end-user unaware of the risk. If a threat actor is able to discover the credentials for a device (or family of devices with the same password), they may be able to exploit multiple devices with no known device-level mitigation. Hardcoded credentials are often intended for vendor-specific diagnostic functions or to authenticate components designed to communicate together (e.g., a PLC and associated IED), but can be abused by threat actors when discovered. Often hardcoded credentials are added to support debugging during a device’s development and are mistakenly left in production devices.
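The two patterns the description contrasts, shown side by side as an added example (this is illustrative code written for this page, not firmware from any vendor named here): a fixed diagnostic login compiled into the image, beside a per-device credential store that only holds salted hashes, lets the operator see and rotate every account, and includes the diagnostic account only in non-production builds. The account name `diag`, the service layout and all password values are constructed placeholders.

```python
"""Hardcoded vs. end-user-changeable device credentials (added example).

Assumptions: a small PLC-style management service written in Python; the
account name 'diag' and every password string below are constructed
placeholders, not values from any real device.
"""
import hashlib
import hmac
import os

# --- Vulnerable pattern: a diagnostic login baked into the firmware.
# Identical on every unit of the family, undocumented to the operator, and
# impossible to rotate without a firmware change.
_DEBUG_USER = "diag"
_DEBUG_PASSWORD = "factory-debug-placeholder"   # constructed placeholder


def authenticate_vulnerable(user: str, password: str) -> bool:
    """Accepts the same built-in diagnostic credential on every device."""
    return user == _DEBUG_USER and password == _DEBUG_PASSWORD


# --- Hardened pattern: a per-device store written at provisioning time.
class CredentialStore:
    """Holds only salted PBKDF2-SHA256 hashes; every account is listable and changeable."""

    # Kept modest so the example runs quickly; raise on shipping hardware.
    ITERATIONS = 200_000

    def __init__(self) -> None:
        # user -> (salt, derived key); no cleartext password is ever stored
        self._accounts: dict[str, tuple[bytes, bytes]] = {}

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def set_password(self, user: str, password: str) -> None:
        """Create or rotate an account with a fresh random salt per change."""
        salt = os.urandom(16)
        self._accounts[user] = (salt, self._derive(password, salt))

    def remove(self, user: str) -> None:
        """Operators can delete an account they no longer want on the device."""
        self._accounts.pop(user, None)

    def list_accounts(self) -> list[str]:
        """Documented inventory: every account that can log in is visible."""
        return sorted(self._accounts)

    def authenticate(self, user: str, password: str) -> bool:
        entry = self._accounts.get(user)
        if entry is None:
            # Spend the same time as a real check so timing does not reveal valid usernames.
            self._derive(password, b"\x00" * 16)
            return False
        salt, expected = entry
        return hmac.compare_digest(self._derive(password, salt), expected)


def provision_device(initial_admin_password: str, production: bool = True) -> CredentialStore:
    """Build-time gating: the diagnostic account exists only in non-production images."""
    store = CredentialStore()
    store.set_password("admin", initial_admin_password)   # operator is told to rotate this
    if not production:
        store.set_password(_DEBUG_USER, _DEBUG_PASSWORD)
    return store


if __name__ == "__main__":
    prod = provision_device("initial-placeholder")
    print("accounts on a production unit:", prod.list_accounts())
    print("diag login on production unit:", prod.authenticate("diag", "factory-debug-placeholder"))
```

The hardened store addresses each property the description calls out: the operator can list and rotate accounts, the diagnostic account never reaches a production image, and even if the image is extracted, only salted hashes are present rather than a cleartext password shared across the device family.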
Threat Maturity and Evidence
Observed Adversarial Technique
- ATT&CK Technique: Hardcoded Credentials (T0891) – Procedure Example: Incontroller (S1045)
“INCONTROLLER can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151”
Known Exploitable Weakness
- [KEV] Undocumented user account in Zyxel products – CVE-2020-29583
“Zyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account (“zyfwp”) with an unchangeable password.”
CWE
- CWE-798: Use of Hard-coded Credentials
“The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.”
CVE
- Zyxel USG 4.60 Hardcoded Credential – CVE-2020-29583
“Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.”
- Eaton X303 PLC Hardcoded Credential – CVE-2024-57811
“In Eaton X303 3.5.16 - X303 3.5.17 Build 712, an attacker with network access to a XC-303 PLC can login as root over SSH. The root password is hardcoded in the firmware.”
- Smart PLC AC4xxS Firmware Hardcoded Credential – CVE-2024-28747
“An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges.”
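The CVE descriptions above share two observable traits: an account the vendor documentation does not mention, and a password present in the firmware image in a form an extractor can read. The following added example (illustrative code for this page, not a tool from any vendor or project named here) triages an extracted firmware root filesystem for both: accounts in `etc/shadow` that have a usable password field but are absent from the documented account list, and config lines that assign a password-like key in cleartext. The filesystem contents, the `svcdiag` account and the documented-account list are all constructed.

```python
"""Triage an extracted firmware root filesystem for undocumented login-capable
accounts and cleartext password assignments (added example).

Assumptions: the image has already been unpacked to path -> text; the sample
filesystem, account names and values below are constructed, not from any
real device.
"""
import re

# Constructed stand-in for an extracted firmware root filesystem.
SAMPLE_ROOTFS = {
    "etc/shadow": (
        "root:$6$c0nstructedsalt$" + "A" * 86 + ":19000:0:99999:7:::\n"
        "admin:$6$c0nstructedsalt$" + "B" * 86 + ":19000:0:99999:7:::\n"
        "daemon:*:19000:0:99999:7:::\n"
        "svcdiag:$6$c0nstructedsalt$" + "C" * 86 + ":19000:0:99999:7:::\n"
        "nobody:!:19000:0:99999:7:::\n"
    ),
    "etc/mgmt.conf": (
        "listen=0.0.0.0:443\n"
        "# vendor support tunnel\n"
        "support_user=svcdiag\n"
        "support_password=PLACEHOLDER-cleartext\n"
    ),
    "etc/motd": "Welcome\n",
}

# Accounts the vendor documentation says exist on the device (constructed).
DOCUMENTED_ACCOUNTS = {"root", "admin"}

# shadow(5): a password field starting with '!' or '*' is locked / has no usable
# hash. An empty field is NOT locked; it may allow passwordless login, so it is
# treated as login-capable here.
_LOCKED_FIELD = re.compile(r"^[!*]")

# Heuristic for key=value or key: value lines whose key names a password-like
# secret. Tune for the image under review; it will produce some false positives.
_CLEARTEXT_SECRET = re.compile(
    r"^\s*([A-Za-z0-9_.-]*(?:passw(?:or)?d|passphrase|secret)[A-Za-z0-9_.-]*)\s*[=:]\s*(\S+)",
    re.IGNORECASE,
)

CONFIG_EXTENSIONS = (".conf", ".cfg", ".ini", ".sh", ".xml", ".json")


def parse_shadow(text):
    """Return {user: password_field} for each well-formed shadow line."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0]:
            entries[parts[0]] = parts[1]
    return entries


def undocumented_login_accounts(rootfs, documented=DOCUMENTED_ACCOUNTS):
    """Accounts that can log in but are missing from the documented inventory."""
    shadow = rootfs.get("etc/shadow", "")
    usable = {u for u, field in parse_shadow(shadow).items() if not _LOCKED_FIELD.match(field)}
    return sorted(usable - set(documented))


def cleartext_secret_lines(rootfs, extensions=CONFIG_EXTENSIONS):
    """(path, line number, key) for config lines that assign a password-like value."""
    findings = []
    for path, content in rootfs.items():
        if not path.endswith(extensions):
            continue
        for lineno, line in enumerate(content.splitlines(), 1):
            match = _CLEARTEXT_SECRET.match(line)
            if match:
                findings.append((path, lineno, match.group(1)))
    return findings


def triage(rootfs, documented=DOCUMENTED_ACCOUNTS):
    """Combine both checks into one report for the reviewer."""
    return {
        "undocumented_login_accounts": undocumented_login_accounts(rootfs, documented),
        "cleartext_secret_lines": cleartext_secret_lines(rootfs),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROOTFS).items():
        print(f"{key}: {value}")
```

Run against a real extraction, the two findings lists are the starting point for a vendor query or an acceptance-test failure: any login-capable account not in the product documentation, and any cleartext password assignment, matches the weakness pattern the CVEs above describe.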