Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.
CWE-798 Base Draft
Use of Hard-coded Credentials
This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files.
Definition
What is CWE-798?
This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files.
This flaw typically manifests in two primary scenarios. The first, often called 'inbound authentication,' involves the software checking user logins against a fixed, default set of credentials—like a universal admin account with a simple, embedded password that's identical across every installation. This password usually cannot be changed or disabled through normal administrative controls, requiring a code patch instead, and it can be extremely difficult for system owners to even detect its presence.
The second scenario, 'outbound authentication,' happens when an application (like a front-end service) needs to connect to another system (like a back-end database) and has the connection credentials permanently written into its code. Developers might hard-code these backend passwords for convenience, but this makes them easily discoverable by anyone who can access the application's code or binaries, exposing the connected system to unauthorized access.
Real-world impact
Real-world CVEs caused by CWE-798
-
Condition Monitor firmware has a maintenance interface with hard-coded credentials
-
Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation
-
Distributed Control System (DCS) has hard-coded passwords for local shell access
-
Programmable Logic Controller (PLC) has a maintenance service that uses undocumented, hard-coded credentials
-
Firmware for a Safety Instrumented System (SIS) has hard-coded credentials for access to boot configuration
-
Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments
-
Telnet service for IoT feeder for dogs and cats has hard-coded password [REF-1288]
-
Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port
How attackers exploit it
Step-by-step attacker path
- 1
The following code uses a hard-coded password to connect to a database:
- 2
This is an example of an external hard-coded password on the client-side of a connection. This code will run successfully, but anyone who has access to it will have access to the password. Once the program has shipped, there is no going back from the database user "scott" with a password of "tiger" unless the program is patched. A devious employee with access to this information can use it to break into the system. Even worse, if attackers have access to the bytecode for application, they can use the javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for the example above:
- 3
The following code is an example of an internal hard-coded password in the back-end:
- 4
Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality."
- 5
The following code examples attempt to verify a password using a hard-coded cryptographic key.
Vulnerable code example
Vulnerable Java
The following code uses a hard-coded password to connect to a database:
...
DriverManager.getConnection(url, "scott", "tiger");
... Attacker payload
This is an example of an external hard-coded password on the client-side of a connection. This code will run successfully, but anyone who has access to it will have access to the password. Once the program has shipped, there is no going back from the database user "scott" with a password of "tiger" unless the program is patched. A devious employee with access to this information can use it to break into the system. Even worse, if attackers have access to the bytecode for application, they can use the javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for the example above:
javap -c ConnMngr.class
22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
24: ldc #38; //String scott
26: ldc #17; //String tiger Secure code example
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist
How to prevent CWE-798
- Architecture and Design For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7]. In Windows environments, the Encrypted File System (EFS) may provide some protection.
- Architecture and Design For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
- Architecture and Design If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
- Architecture and Design For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash. Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
- Architecture and Design For front-end to back-end connections: Three solutions are possible, although none are complete. - The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. - Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access. - Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
Detection signals
How to detect CWE-798
Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.
This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.
For hard-coded credentials in incoming authentication: use monitoring tools that examine the product's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the product was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value.
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies
Plexicus auto-detects CWE-798 and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.
Frequently asked questions What is CWE-798?
How serious is CWE-798?
What languages or platforms are affected by CWE-798?
How can I prevent CWE-798?
How does Plexicus detect and fix CWE-798?
Where can I learn more about CWE-798?
Frequently asked questions
What is CWE-798?
This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files.
How serious is CWE-798?
MITRE rates the likelihood of exploit as High — this weakness is actively exploited in the wild and should be prioritized for remediation.
What languages or platforms are affected by CWE-798?
MITRE lists the following affected platforms: Mobile, ICS/OT.
How can I prevent CWE-798?
For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7]. In Windows environments, the Encrypted File System (EFS) may provide some…
How does Plexicus detect and fix CWE-798?
Plexicus's SAST engine matches the data-flow signature for CWE-798 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-798?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/798.html. You can also reference OWASP and NIST documentation for adjacent guidance.
Related weaknesses
Weaknesses related to CWE-798
CWE-1391 Parent
Use of Weak Credentials
This vulnerability occurs when a system relies on weak authentication credentials—like default passwords, hard-coded keys, or easily…
CWE-1392 Sibling
Use of Default Credentials
This vulnerability occurs when a system, device, or application relies on pre-configured, publicly known credentials like passwords or…
CWE-521 Sibling
Weak Password Requirements
This vulnerability occurs when an application fails to enforce strong password policies, making user accounts easier to compromise through…
CWE-257 Peer
Storing Passwords in a Recoverable Format
This vulnerability occurs when an application stores user passwords in a format that can be easily reversed or decrypted back to their…
CWE-259 Child
Use of Hard-coded Password
This vulnerability occurs when an application embeds a password directly into its source code or configuration files. This hard-coded…
CWE-321 Child
Use of Hard-coded Cryptographic Key
This vulnerability occurs when an application embeds a fixed, unchangeable cryptographic key directly within its source code or…
Resources
Further reading
- MITRE — official CWE-798 https://cwe.mitre.org/data/definitions/798.html
- Writing Secure Code https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
- Top 25 Series - Rank 11 - Hardcoded Credentials https://www.sans.org/blog/top-25-series-rank-11-hardcoded-credentials/
- Mobile App Top 10 List https://www.veracode.com/blog/2010/12/mobile-app-top-10-list
- Automated Source Code Security Measure (ASCSM) http://www.omg.org/spec/ASCSM/1.0/
- OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management https://www.forescout.com/resources/ot-icefall-report/
- Ethical hacking of a Smart Automatic Feed Dispenser http://kth.diva-portal.org/smash/get/diva2:1561552/FULLTEXT01.pdf
Ready when you are
Don't Let Security
Weigh You Down.
Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.