TID-328: Hardcoded Credentials
Threat Description
Hardcoded credentials typically cannot be changed by end users and are often undocumented, so the end user is unaware that the risk exists. If a threat actor discovers the credentials for one device (or for a family of devices that all ship with the same password), they may be able to compromise every device that shares them, with no known device-level mitigation short of a vendor firmware update. Hardcoded credentials are often intended for vendor-specific diagnostic functions or to authenticate components designed to communicate with each other (e.g., a PLC and its associated IED), but once discovered they can be abused by threat actors for the same access.
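A firmware triage script, added here as an illustration and not part of the TID-328 entry or of any vendor tool, that checks an extracted root filesystem for the three properties the description above calls out: accounts with a usable password that the vendor documentation does not list, password hashes that are byte-identical across builds of the same product (an identical salted hash means the password was fixed at build time rather than generated on the device, so every unit in the family shares it), and password-like literals in startup scripts and config files, which is where credentials used to authenticate paired components tend to live. The /etc/shadow contents, the two file fragments, and the documented-account list are constructed samples.

```python
"""Triage an extracted firmware root filesystem for hardcoded or undocumented accounts.

Added example; the shadow files, config fragments and DOCUMENTED_ACCOUNTS below are
constructed and do not describe any real product.
"""
import re
from collections import defaultdict

# Password fields that do not permit a password login. "x" is the /etc/passwd
# placeholder and is included so the parser also tolerates passwd-style input.
LOCKED_MARKERS = {"*", "!", "!!", "*LK*", "x"}

# Heuristic for "name = value" style credential assignments in scripts/configs.
# No leading word boundary, so DIAG_PASSWORD="..." is still caught.
CRED_PATTERN = re.compile(
    r'(?i)(pass(?:word|wd)?|secret|api[_-]?key)\s*[=:]\s*["\']?([^"\'\s;]+)'
)


def parse_shadow(text):
    """Return {user: password_field} from /etc/shadow-style text."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            accounts[fields[0]] = fields[1]
    return accounts


def usable_accounts(shadow):
    """Accounts whose password field allows a login (an empty field counts)."""
    return {u: h for u, h in shadow.items() if h not in LOCKED_MARKERS}


def undocumented_accounts(shadow, documented):
    """Usable accounts that the vendor documentation does not mention."""
    return sorted(u for u in usable_accounts(shadow) if u not in documented)


def shared_hashes(images):
    """Map user -> image names for hashes that are identical across images.

    images: {image_name: shadow_dict}. A salted hash that is byte-identical in
    several images was baked into the build; a hash set during per-device
    provisioning would carry a different salt on every unit.
    """
    seen = defaultdict(set)
    for name, shadow in images.items():
        for user, h in usable_accounts(shadow).items():
            seen[(user, h)].add(name)
    return {user: sorted(names) for (user, _h), names in seen.items() if len(names) > 1}


def find_literal_credentials(files):
    """Scan {path: text} and return (path, line_no, keyword, value) hits."""
    hits = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for m in CRED_PATTERN.finditer(line):
                hits.append((path, line_no, m.group(1), m.group(2)))
    return hits


def triage(images_text, files, documented):
    """Run all three checks over raw shadow texts and config fragments."""
    images = {name: parse_shadow(text) for name, text in images_text.items()}
    return {
        "undocumented": {name: undocumented_accounts(sh, documented) for name, sh in images.items()},
        "shared": shared_hashes(images),
        "literals": find_literal_credentials(files),
    }


# Constructed /etc/shadow contents from two firmware builds of one product line.
SHADOW_FW_1_0 = """\
root:*:19000:0:99999:7:::
admin:$6$Rk3Jq9Lz$b8z0PjxEKd7r3:19000:0:99999:7:::
diag:$6$7fA1Qw2e$Hq8v4XmZs9TnL:19000:0:99999:7:::
nobody:!:19000:0:99999:7:::
"""
SHADOW_FW_1_1 = """\
root:*:19120:0:99999:7:::
admin:$6$Rk3Jq9Lz$b8z0PjxEKd7r3:19120:0:99999:7:::
diag:$6$7fA1Qw2e$Hq8v4XmZs9TnL:19120:0:99999:7:::
guest::19120:0:99999:7:::
"""
IMAGES = {"fw_1.0": SHADOW_FW_1_0, "fw_1.1": SHADOW_FW_1_1}

# Constructed script/config fragments from the same root filesystem.
FILES = {
    "/etc/init.d/diag.sh": 'DIAG_PASSWORD="Fact0ryD1ag"\n/usr/sbin/diagd --user diag\n',
    "/etc/config/modbus.conf": "peer_secret: s3cret-ied\npassword_min_len=8\n",
}

# Assumption: the only account the vendor manual describes.
DOCUMENTED_ACCOUNTS = {"admin"}

if __name__ == "__main__":
    for key, value in triage(IMAGES, FILES, DOCUMENTED_ACCOUNTS).items():
        print(f"{key}: {value}")
```

Run against the samples, the report flags `diag` (usable, undocumented, same hash in both builds), `guest` in the 1.1 build (empty password field), the build-time `admin` hash shared across both images, and the two literals in the init script and Modbus config; `password_min_len=8` is correctly ignored. The shared-hash check only finds passwords fixed at build time; it cannot tell you the password itself, which still needs cracking or a vendor disclosure.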
Threat Maturity and Evidence
Observed Adversary Behavior
ATT&CK Technique: Hardcoded Credentials (T0891)
Procedure Example: Incontroller (S1045)
“INCONTROLLER can log in to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151”
Known Exploitable Weakness
Zyxel Multiple Products Use of Hard-Coded Credentials Vulnerability
“Zyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account (“zyfwp”) with an unchangeable password.”
CWE
CWE-798: Use of Hard-coded Credentials
“The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.”