{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/hardcoded-credentials/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6574"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6574","hardcoded-credentials","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eosuuu LightPicture, up to and including version 1.2.2, uses hardcoded credentials (CVE-2026-6574, CVSS 7.3). The affected component is the API Upload Endpoint, and the advisory ties the flaw to the installer SQL file \u003ccode\u003e/public/install/lp.sql\u003c/code\u003e and to the endpoint\u0026rsquo;s \u003ccode\u003ekey\u003c/code\u003e argument: a fixed credential ships in the installer file, and the endpoint accepts it through \u003ccode\u003ekey\u003c/code\u003e. Anyone who has read that file, or the public exploit, therefore holds a key the endpoint will accept on every installation. The vendor has been notified but has not responded, and a public exploit is available. Nothing has to be guessed or brute-forced; presenting the known value is enough to use the upload API, and through it the application, without a legitimate account.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an instance of osuuu LightPicture running version 1.2.2 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker obtains the hardcoded key: from the public exploit, from a copy of the application source, or by fetching \u003ccode\u003e/public/install/lp.sql\u003c/code\u003e directly if the install directory is still web-reachable.\u003c/li\u003e\n\u003cli\u003eAttacker sends a request to the API Upload Endpoint with the \u003ccode\u003ekey\u003c/code\u003e argument set to that value.\u003c/li\u003e\n\u003cli\u003eThe application compares the supplied key with the hardcoded credential and treats the request as authorized; no per-user check is involved.\u003c/li\u003e\n\u003cli\u003eAttacker drives the upload API as a trusted client and uses it to read, modify or delete the data it exposes.\u003c/li\u003e\n\u003cli\u003eBecause the key is identical on every installation, the same request works against any other exposed instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6574 can lead to complete compromise of the osuuu LightPicture application and potentially the underlying server. The hardcoded key lets an attacker bypass authentication and act with administrative privileges. The impact includes unauthorized access to sensitive data, modification of application settings, and potential disruption of service. All installations of osuuu LightPicture up to version 1.2.2 are affected, and there is no per-instance secret to protect them.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious LP.SQL Access\u003c/code\u003e to identify requests for the installer file (log source: webserver); a hit means the install directory is still served and someone is reading it.\u003c/li\u003e\n\u003cli\u003eReplace the credential seeded by \u003ccode\u003e/public/install/lp.sql\u003c/code\u003e with a unique, randomly generated secret on each installation, and remove or block web access to the install directory once setup is complete. Input validation on the \u003ccode\u003ekey\u003c/code\u003e argument does not help here: the attacker\u0026rsquo;s value is the legitimate one (reference CVE-2026-6574).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/public/install/lp.sql\u003c/code\u003e and for API upload requests from sources that have no business using the API (log source: webserver).\u003c/li\u003e\n\u003cli\u003eIf the key cannot be changed, restrict the API Upload Endpoint at the web application firewall (WAF) to trusted source addresses. A WAF pattern on the \u003ccode\u003ekey\u003c/code\u003e value itself cannot tell the hardcoded key from a legitimate one (log source: firewall).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-19T14:16:11Z","date_published":"2026-04-19T14:16:11Z","id":"/briefs/2026-04-lightpicture-hardcoded-creds/","summary":"CVE-2026-6574: osuuu LightPicture \u003c= 1.2.2 ships a hardcoded credential in /public/install/lp.sql that the API Upload Endpoint accepts through the 'key' argument, so remote attackers can use the API without a legitimate account.","title":"osuuu LightPicture Hardcoded Credentials Vulnerability (CVE-2026-6574)","url":"https://feed.craftedsignal.io/briefs/2026-04-lightpicture-hardcoded-creds/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2025-10681"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2025-10681","hardcoded-credentials","ics-cert","ot"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-10681 (CVSS 8.6) describes hardcoded storage credentials in a mobile application and its corresponding device 
firmware. The credentials grant more access than the end-user function needs and are not set to expire, so a copy extracted once stays valid until the storage side rotates it. The advisory does not name the affected product, but it was published by ICS-CERT, which places the device in an industrial control or other operational technology environment. A malicious actor who extracts the credentials does not need the device or application login at all: the credentials authenticate directly to the production storage containers, with data breach and operational disruption as the likely outcomes. A credential baked into firmware cannot be changed by the operator, so defenders should identify which of their devices and apps embed it, treat it as already exposed, and press the vendor for a rotated and properly scoped replacement. The urgency is higher in OT environments, where a write to stored configuration can have physical consequences.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains the mobile application package or the device firmware, by downloading it, by reverse engineering an installed copy, or by acquiring a device.\u003c/li\u003e\n\u003cli\u003eAttacker unpacks the binary and extracts the hardcoded storage credentials from its strings or embedded configuration.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates directly to the production storage container with the extracted credentials, from any network location the storage service accepts.\u003c/li\u003e\n\u003cli\u003eBecause the credential\u0026rsquo;s permissions are not limited to what the end user needs, the attacker gets read and write access to the data in the container.\u003c/li\u003e\n\u003cli\u003eAttacker reads configurations, process data or customer data.\u003c/li\u003e\n\u003cli\u003eAttacker modifies stored configuration, causing a denial of service or operational disruption.\u003c/li\u003e\n\u003cli\u003eAttacker gains control over the storage container and any resources linked to it.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates the data or uses it to move further into the ICS/OT environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-10681 could give an attacker access to critical production data, system configurations, and whatever else the storage container holds. Depending on the scope of the container\u0026rsquo;s access, attackers could disrupt industrial processes, steal intellectual property, or hold data for ransom. Because the affected systems sit in ICS/OT environments, tampering with production data could translate into equipment damage, environmental hazards, or safety incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the detection rule \u003ccode\u003eDetect Hardcoded Credentials in Mobile App/Firmware Unpacking\u003c/code\u003e for attempts to unpack or analyze application binaries or firmware images (logsource: file_event, process_creation). Note its limit: it only sees unpacking done on endpoints you monitor, such as an engineering workstation; an external attacker does this on their own machine, so the rule covers insider and compromised-host cases, not the primary threat.\u003c/li\u003e\n\u003cli\u003eExamine network traffic and storage access logs for authentication to storage resources from unexpected source addresses or with unusual user agents, using the detection rule \u003ccode\u003eDetect Unusual Authentication to Storage Resources\u003c/code\u003e (logsource: network_connection). The hardcoded credential should only ever arrive from the devices and app installs themselves, so any other origin is a strong signal.\u003c/li\u003e\n\u003cli\u003eReview and update mobile application and device firmware development practices to eliminate hardcoded credentials (CWE-798, Use of Hard-coded Credentials): issue per-device, least-privilege credentials with an expiry instead of one shared secret compiled into every copy.\u003c/li\u003e\n\u003cli\u003eMonitor file access and modifications to production storage containers for activity that would indicate unauthorized access following exploitation of CVE-2025-10681 (logsource: file_event).\u003c/li\u003e\n\u003cli\u003eUse vulnerability scanning tools and your asset inventory to identify devices and applications affected by CVE-2025-10681, and ask the vendor for a release in which the credential has been rotated and scoped. Rotation on the storage side invalidates the exposed secret for every device at once, and also breaks any device still on the old firmware, so pair it with the update.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T21:17:08Z","date_published":"2026-04-03T21:17:08Z","id":"/briefs/2026-04-hardcoded-credentials/","summary":"CVE-2025-10681 describes a vulnerability where hardcoded storage credentials in a mobile app and device firmware, with inadequate permission limits and lack of expiration, could lead to unauthorized access to production storage containers.","title":"Hardcoded Storage Credentials in Mobile App and Device Firmware (CVE-2025-10681)","url":"https://feed.craftedsignal.io/briefs/2026-04-hardcoded-credentials/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["vulnerability","hardcoded-credentials","goharbor"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGoHarbor Harbor, a widely used open-source cloud native registry, is affected by CVE-2026-4404 in versions 2.15.0 and below. The flaw is the use of hard-coded credentials: the built-in \u0026ldquo;admin\u0026rdquo; account ships with a documented default password, and an instance whose operator never changed it accepts that password from anyone who can reach the web UI. Strictly speaking this is not an authentication bypass; the attacker authenticates with a credential the whole world knows and lands in the administrator role, with full control over the Harbor instance. 
This poses a significant risk to organizations using affected Harbor versions, as it can lead to data breaches, container image tampering, and other malicious activity. The vulnerability was reported in March 2026, and defenders should prioritize upgrading or mitigating affected instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a GoHarbor Harbor instance running version 2.15.0 or below.\u003c/li\u003e\n\u003cli\u003eAttacker opens the web UI login page of the Harbor instance.\u003c/li\u003e\n\u003cli\u003eAttacker enters the default username (\u0026ldquo;admin\u0026rdquo;) and password (\u0026ldquo;Harbor12345\u0026rdquo;), both published in the official Harbor documentation.\u003c/li\u003e\n\u003cli\u003eThe Harbor instance accepts the login because the default password was never changed.\u003c/li\u003e\n\u003cli\u003eAttacker is now in the Harbor web UI with administrator privileges.\u003c/li\u003e\n\u003cli\u003eAttacker can manage container images, repositories, and users within the Harbor instance.\u003c/li\u003e\n\u003cli\u003eAttacker pulls sensitive images, injects malicious code into existing images, or pushes new malicious images.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised registry to distribute those images throughout the organization\u0026rsquo;s infrastructure, so that every workload pulling from it inherits the compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives the attacker complete control over a GoHarbor Harbor instance. That control extends to the container images it serves, so malware can be injected into the software supply chain of everyone who pulls from the registry. The impact ranges from data exfiltration and service disruption to full system compromise, depending on what the Harbor instance is trusted to deliver. Given the widespread use of Harbor in cloud-native environments, this vulnerability presents a significant risk to numerous organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GoHarbor Harbor instances to a version later than 2.15.0 that remediates CVE-2026-4404.\u003c/li\u003e\n\u003cli\u003eWhatever version you run, change the default \u0026ldquo;admin\u0026rdquo; password (\u0026ldquo;Harbor12345\u0026rdquo;) to a strong, unique password as the Harbor documentation directs, and do so before the instance is reachable from any network you do not fully trust. An instance still on the default password is exploitable right now.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule against webserver logs for login attempts to the Harbor web UI. Webserver logs record the login request, not the credential in it, so the rule flags logins from unexpected sources and password spraying rather than the password itself; confirm a suspected default-credential login from Harbor\u0026rsquo;s own logs.\u003c/li\u003e\n\u003cli\u003eRegularly review and rotate credentials for all services and applications so that default or hardcoded passwords do not survive deployment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-goharbor-hardcoded-creds/","summary":"GoHarbor Harbor version 2.15.0 and below is vulnerable to the use of hard-coded credentials, allowing an attacker to use the default password and gain unauthorized access to the web UI.","title":"GoHarbor Harbor v2.15.0 and Below Vulnerable to Hardcoded Credentials","url":"https://feed.craftedsignal.io/briefs/2026-03-goharbor-hardcoded-creds/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7579"}],"_cs_exploited":false,"_cs_products":["AstrBot (\u003c= 4.16.0)"],"_cs_severities":["critical"],"_cs_tags":["cve","hardcoded-credentials","web-application"],"_cs_type":"advisory","_cs_vendors":["AstrBotDevs"],"content_html":"\u003cp\u003eCVE-2026-7579 (CVSS 7.3) has been identified in AstrBotDevs AstrBot, affecting versions up to and including 4.16.0. 
The vulnerability lies within the Dashboard component, in the authentication route handler \u003ccode\u003eastrbot/dashboard/routes/auth.py\u003c/code\u003e. The public description does not say which credential is hardcoded or exactly how the handler processes it, only that the flaw lets a remote attacker retrieve or make use of hardcoded credentials, that a public disclosure exists, and that the vendor was notified but did not respond. Successful exploitation gives unauthorized access to the dashboard and, through it, to sensitive information and control over the AstrBot application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an AstrBot instance running version 4.16.0 or earlier whose dashboard is reachable over the network.\u003c/li\u003e\n\u003cli\u003eAttacker sends a request to the dashboard authentication route that \u003ccode\u003eauth.py\u003c/code\u003e serves.\u003c/li\u003e\n\u003cli\u003eThe handler processes the request in the flawed way the advisory describes, either disclosing the hardcoded credential or accepting it.\u003c/li\u003e\n\u003cli\u003eAttacker obtains the hardcoded credential from the response, or from the publicly disclosed details.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the AstrBot dashboard with that credential.\u003c/li\u003e\n\u003cli\u003eAttacker gains administrative functions within the AstrBot application.\u003c/li\u003e\n\u003cli\u003eAttacker modifies bot configurations or reads user data.\u003c/li\u003e\n\u003cli\u003eAttacker turns the compromised bot to malicious use, such as spam or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7579 lets a remote attacker obtain or use hardcoded credentials and so take complete control of the AstrBot application. This can result in unauthorized access to sensitive data, modification of bot configurations, and misuse of the bot for malicious purposes. With no vendor response, users have no fix to apply and remain exposed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AstrBot to a patched version beyond 4.16.0 as soon as AstrBotDevs publishes one for CVE-2026-7579.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the dashboard authentication route handled by \u003ccode\u003eastrbot/dashboard/routes/auth.py\u003c/code\u003e, particularly logins from sources that have never used the dashboard before.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule that detects access to the vulnerable \u003ccode\u003eauth.py\u003c/code\u003e route to identify exploitation attempts.\u003c/li\u003e\n\u003cli\u003eKeep the dashboard off untrusted networks: put it behind a reverse proxy or VPN with its own authentication so that a hardcoded dashboard credential is not reachable from the internet, and change any dashboard password you control away from its default.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-astrbot-hardcoded-credentials/","summary":"CVE-2026-7579 describes a vulnerability in AstrBotDevs AstrBot up to version 4.16.0 where improper handling of the `auth.py` file in the dashboard component leads to hardcoded credentials being exposed, enabling remote exploitation.","title":"AstrBotDevs AstrBot Vulnerability Leads to Hardcoded Credentials (CVE-2026-7579)","url":"https://feed.craftedsignal.io/briefs/2024-01-astrbot-hardcoded-credentials/"}],"language":"en","title":"CraftedSignal Threat Feed — Hardcoded-Credentials","version":"https://jsonfeed.org/version/1.1"}
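The three web-facing briefs in this feed (LightPicture CVE-2026-6574, Harbor CVE-2026-4404, AstrBot CVE-2026-7579) each recommend webserver-log detection. The Python below is an added example, not CraftedSignal's Sigma rules and not code from any of the three projects: it parses combined-format access log lines and runs one rule per brief over them. The Harbor UI login route `/c/login`, the AstrBot dashboard login route `/api/auth/login`, the trusted-network allowlist and every log line in `SAMPLE` are assumptions constructed for the example.

```python
"""Webserver-log detection for the LightPicture, Harbor and AstrBot briefs.
Added example: not CraftedSignal's Sigma rules and not code from any of the
three projects. Assumed for the example: Harbor's UI login route /c/login,
AstrBot's dashboard login route /api/auth/login, the trusted-network
allowlist, and every log line in SAMPLE (constructed, not real traffic)."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# nginx/apache "combined" format:
# ip - user [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Event:
    ip: str
    method: str
    path: str      # request path with the query string removed
    status: int
    ua: str


def parse(line):
    """Parse one combined-format line; return None for lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event(m["ip"], m["method"], urlsplit(m["target"]).path,
                 int(m["status"]), m["ua"])


# Networks from which administrative logins are expected (assumed allowlist).
TRUSTED_ADMIN_PREFIXES = ("10.0.0.",)


def trusted(ip):
    return ip.startswith(TRUSTED_ADMIN_PREFIXES)


def login_ok_from_outside(path):
    """Rule factory: a successful POST to a login route from outside the allowlist."""
    return lambda e: (e.method == "POST" and e.path == path
                      and e.status == 200 and not trusted(e.ip))


# One predicate per brief. Webserver logs never contain the submitted credential,
# so each rule is an indicator (recon, or a login from an unexpected place),
# not proof that the hardcoded value was used.
RULES = {
    # CVE-2026-6574: any request under /public/install/ means the installer
    # directory is still served; the SQL file with the hardcoded key lives there.
    "Detect Suspicious LP.SQL Access":
        lambda e: e.path.lower().startswith("/public/install/"),
    # CVE-2026-4404: /c/login is assumed to be the Harbor UI login route.
    "Harbor login from untrusted source": login_ok_from_outside("/c/login"),
    # CVE-2026-7579: /api/auth/login is assumed to be the AstrBot dashboard route.
    "AstrBot dashboard login from untrusted source": login_ok_from_outside("/api/auth/login"),
}


def detect(lines):
    """Return (rule_name, source_ip, path) for every event that matches a rule."""
    hits = []
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        for name, pred in RULES.items():
            if pred(e):
                hits.append((name, e.ip, e.path))
    return hits


def login_posts_by_ip(lines, path):
    """Count login POSTs per source; a burst from one IP is password spraying."""
    counts = Counter()
    for line in lines:
        e = parse(line)
        if e and e.method == "POST" and e.path == path:
            counts[e.ip] += 1
    return counts


# Constructed sample traffic (documentation-range addresses, not real logs).
SAMPLE = [
    '203.0.113.7 - - [19/Apr/2026:14:02:11 +0000] "GET /public/install/lp.sql HTTP/1.1" 200 48211 "-" "curl/8.5.0"',
    '10.0.0.5 - - [19/Apr/2026:14:03:01 +0000] "POST /c/login HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [19/Apr/2026:14:03:40 +0000] "POST /c/login HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '198.51.100.23 - - [19/Apr/2026:14:03:41 +0000] "POST /c/login HTTP/1.1" 200 2 "-" "python-requests/2.31"',
    '203.0.113.7 - - [19/Apr/2026:14:05:00 +0000] "POST /api/auth/login?next=%2F HTTP/1.1" 200 118 "-" "curl/8.5.0"',
    '10.0.0.5 - - [19/Apr/2026:14:06:00 +0000] "GET /api/v2.0/projects HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'not an access log line',
]

if __name__ == "__main__":
    for rule, ip, path in detect(SAMPLE):
        print(f"{rule:48} {ip:15} {path}")
    print("login POSTs to /c/login:", dict(login_posts_by_ip(SAMPLE, "/c/login")))
```

The login rules fire on a successful login from outside the admin networks rather than on the password, because the password is never in the access log; the 401 followed by a 200 from the same outside address in the sample is what a default-credential attempt looks like from the webserver's point of view, and the per-IP counter is there to catch the spraying case where the first guess does not land.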
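The CVE-2025-10681 brief recommends finding credentials embedded in mobile app and firmware binaries before an attacker does. The following Python is an added example of that defender-side scan, not ICS-CERT's or the vendor's tooling: it extracts printable strings from an unpacked image the way `strings` does, matches known credential shapes (cloud storage connection strings, AWS key ids, URLs with embedded passwords, `password=` assignments), and falls back to a Shannon-entropy check for bare tokens with no recognisable prefix. `FIRMWARE_IMAGE`, the storage account key and the device token are constructed; `AKIAIOSFODNN7EXAMPLE` is AWS's documented placeholder key id.

```python
"""Offline scan of an unpacked app or firmware image for embedded credentials of
the kind CVE-2025-10681 describes. Added example, not ICS-CERT's or the vendor's
tooling. FIRMWARE_IMAGE and every secret inside it are constructed for the
example; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key id."""
import math
import re
from collections import Counter
from dataclasses import dataclass

MIN_STRING = 8          # same default as the `strings` tool
ENTROPY_BITS = 4.5      # bits/char; random base64 material scores well above this


@dataclass(frozen=True)
class Finding:
    kind: str
    offset: int         # byte offset in the image
    value: str


# Known credential shapes. Cloud storage keys and connection strings are what an
# app or device uses to reach a production storage container directly.
PATTERNS = {
    "azure_storage_connection_string":
        re.compile(r"AccountName=[^;]+;AccountKey=[A-Za-z0-9+/]{40,}={0,2}"),
    "aws_access_key_id":
        re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "url_with_embedded_credentials":
        re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@[^\s/]+"),
    "credential_assignment":
        re.compile(r"(?i)\b(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*[\"']?[^\s\"',;]{6,}"),
}
# Fallback for secrets with no recognisable prefix: long, random-looking tokens.
HIGH_ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/_=-]{32,}")


def extract_strings(blob, min_len=MIN_STRING):
    """Return (offset, text) for printable-ASCII runs, like `strings -t d`."""
    out, start = [], None
    for i, b in enumerate(blob):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                out.append((start, blob[start:i].decode("ascii")))
            start = None
    if start is not None and len(blob) - start >= min_len:
        out.append((start, blob[start:].decode("ascii")))
    return out


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(blob):
    """Findings sorted by offset; entropy hits that overlap a pattern hit are dropped."""
    findings, spans = [], []
    for off, text in extract_strings(blob):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                findings.append(Finding(kind, off + m.start(), m.group(0)))
                spans.append((off + m.start(), off + m.end()))
        for m in HIGH_ENTROPY_TOKEN.finditer(text):
            a, b = off + m.start(), off + m.end()
            if any(a < e and s < b for s, e in spans):
                continue                      # already reported by a named pattern
            if shannon_entropy(m.group(0)) >= ENTROPY_BITS:
                findings.append(Finding("high_entropy_token", a, m.group(0)))
    return sorted(findings, key=lambda f: f.offset)


def redact(value, keep=4):
    """Show only a prefix so the report does not re-leak the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


# Constructed image: ELF-ish header, ordinary strings, then the planted secrets.
ACCOUNT_KEY = "Nz1kQ8vR3bL6tY2mW9xC4pF7hJ0sD5gK" + "aE3uB8iV1oZ6nM4qT9yH2cX7lP5wS0rG" + "=="
DEVICE_TOKEN = "q7Zr2KpLx9Vb4NmWe8YtUa3SdFgHjClO1cXz5Q6w"   # 40 distinct characters
FIRMWARE_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(8, 24))
    + b"Copyright 2025 Example Industrial GmbH\x00/lib/libc.so.6\x00"
    + b"Firmware v3.2.1 build 20250901\x00" + b"\x00\x01\x02\x03" * 4
    + b"DefaultEndpointsProtocol=https;AccountName=prodstorage;AccountKey="
    + ACCOUNT_KEY.encode() + b";EndpointSuffix=core.windows.net\x00"
    + b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE\x00"
    + b"https://svc_backup:Tr0ub4dor%263@storage.example.internal/backup\x00"
    + b"password=Summer2024!\n"
    + b"x-device-token: " + DEVICE_TOKEN.encode() + b"\x00"
    + b"0" * 40 + b"\x00" + b"\xff" * 16     # low-entropy padding: must not be flagged
)

if __name__ == "__main__":
    for f in scan(FIRMWARE_IMAGE):
        print(f"{f.offset:#08x} {f.kind:32} {redact(f.value)}")
```

Run this over the output of your firmware unpacker or the extracted APK/IPA rather than the packed archive, since compressed sections hide strings. The entropy fallback is what catches the device token that no keyword names, and the 40-zero padding shows why a length check alone is not enough; once a finding confirms a shared credential, the fix is on the storage side (rotate, scope, and give each device its own expiring credential), because nothing on the device can change what is compiled into it.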