CWE · MITRE source
CWE-798: Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.
There are two main variations:
Last updated: 09 May 2026 03:25 UTC
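As an added illustration of the weakness (example code written for this page, not MITRE's, NIST's, or any listed vendor's), the block below shows both shapes of the problem, a built-in credential that the product checks input against and a credential embedded for reaching another system (MITRE labels these inbound and outbound), each next to a hardened replacement, and finishes with a small pattern scan a practitioner can run over source. All literals, the variable name APP_DB_PASSWORD, the function names, and the scanned snippet are constructed for the example.

```python
"""CWE-798 in two shapes, a hardened replacement for each, and a small scanner.
Added example for this page; every literal below is constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import secrets
from urllib.parse import quote

# ---- Vulnerable, inbound: the product checks input against a credential in its own
# code. Anyone who can read the source or binary recovers it, and it cannot be
# rotated without shipping a new build.
_SUPPORT_PASSWORD = "s3cr3t-backdoor"  # constructed literal


def vulnerable_check_login(username: str, password: str) -> bool:
    return username == "support" and password == _SUPPORT_PASSWORD


# ---- Hardened, inbound: only a salted PBKDF2 hash is kept, and it is loaded at
# runtime (database, vault, config injected at deploy time), never written into source.
PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return 'salt_hex$digest_hex' suitable for a credential store."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time compare


# Computed once so unknown usernames cost the same as known ones (no username oracle).
_DUMMY_STORED = hash_password("", b"\x00" * 16)


def hardened_check_login(username: str, password: str, credential_store: dict[str, str]) -> bool:
    """credential_store maps username -> stored hash; the caller supplies it at runtime."""
    stored = credential_store.get(username)
    if stored is None:
        verify_password(password, _DUMMY_STORED)
        return False
    return verify_password(password, stored)


# ---- Vulnerable, outbound: the credential for another system is embedded in the product.
def vulnerable_db_url() -> str:
    return "postgresql://app:Pr0dPassw0rd!@db.internal:5432/app"  # constructed literal


# ---- Hardened, outbound: resolve the secret from the environment (or a secrets manager)
# and fail closed. os.environ.get("X", "default") would reintroduce CWE-798.
def hardened_db_url(env: dict[str, str] | None = None) -> str:
    env = os.environ if env is None else env  # APP_DB_PASSWORD is a hypothetical name
    if "APP_DB_PASSWORD" not in env:
        raise RuntimeError("APP_DB_PASSWORD not set; refusing to fall back to a built-in default")
    return f"postgresql://app:{quote(env['APP_DB_PASSWORD'], safe='')}@db.internal:5432/app"


# ---- Detection: a deliberately narrow pattern scan for the three shapes above.
_SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\w*(pass(word|wd)?|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["'][^"']{4,}["']"""
)
_URL_EMBEDDED_CREDENTIAL = re.compile(r"""\w+://[^/\s:@"']+:[^/\s@"']+@""")
_ENV_GET_WITH_DEFAULT = re.compile(r"""environ\.get\(\s*["'][^"']+["']\s*,\s*["'][^"']+["']\s*\)""")


def scan_for_hardcoded_credentials(source: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for each line matching a hard-coded-credential shape."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if (_SECRET_ASSIGNMENT.search(line)
                or _URL_EMBEDDED_CREDENTIAL.search(line)
                or _ENV_GET_WITH_DEFAULT.search(line)):
            findings.append((lineno, line.strip()))
    return findings


# Constructed source snippet for the scanner: lines 1-3 are findings, 4-5 are clean.
CONSTRUCTED_SOURCE = """\
SUPPORT_PASSWORD = "s3cr3t-backdoor"
DB_URL = "postgresql://app:Pr0dPassw0rd!@db.internal:5432/app"
token = os.environ.get("API_TOKEN", "dev-token-123")
safe = os.environ["API_TOKEN"]
label = "password reset"
"""
```

The hardened paths share two properties worth copying: the secret is never present in the artifact that ships (only a salted hash, or nothing at all until the environment supplies it), and lookups fail closed, because a default argument to `os.environ.get` is itself a hard-coded credential. The scanner covers only the three shapes shown; dedicated secret scanners use far broader pattern sets and entropy checks, and neither catches a credential that is assembled at runtime from innocuous-looking fragments.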
NIST 800-53 r5 controls that address this weakness (21)
Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-12 | Supply Chain Protection | SA | Supplier evaluation and secure acquisition practices make it harder for hard-coded credentials to be introduced via procured products. (Withdrawn in Rev. 5; moved to SR-3.) |
| SA-13 | Trustworthiness | SA | Requiring trustworthiness evidence, including the absence of embedded secrets that bypass normal authentication, reduces hard-coded credentials. (Withdrawn in Rev. 5; incorporated into SA-8.) |
| SA-21 | Developer Screening | SA | Vetting reduces the chance that a developer deliberately inserts hard-coded credentials as a backdoor or unauthorized access mechanism. |
| IA-1 | Policy and Procedures | IA | Policy and procedures prohibit hard-coded credentials in favor of managed authentication. |
| IA-13 | Identity Providers and Authorization Servers | IA | Delegating authentication to an external identity provider removes the need for applications to embed their own credential checks; the client credential used to reach the provider still needs managed storage. |
| IA-5 | Authenticator Management | IA | Changing default authenticators before first use and protecting authenticator content prevents reliance on hard-coded credentials. |
| PM-16 | Threat Awareness Program | PM | Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation. |
| PM-3 | Information Security and Privacy Resources | PM | Planned investment enables secure credential storage and management systems instead of hard-coded credentials. |
| PM-30 | Supply Chain Risk Management Strategy | PM | Strategy enforces supplier requirements and code reviews that reduce hard-coded credentials introduced through acquired products. |
| SR-1 | Policy and Procedures | SR | Policy and procedures require review of procured products for hard-coded credentials, reducing the chance they are introduced via the supply chain. |
| SR-6 | Supplier Assessments and Reviews | SR | Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services. |
| AC-9 | Previous Logon Notification | AC | Lets users notice when their account has been accessed through hard-coded credentials. |
| AT-3 | Role-based Training | AT | Security training explicitly warns against hard-coded credentials, lowering their use in systems. |
| PL-9 | Central Management | PL | Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code. |
| PS-2 | Position Risk Designation | PS | Vetting individuals before they occupy roles that touch credentials or secrets reduces the likelihood of hard-coded credentials being introduced or abused. |
Six more broadly applicable controls:
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-3 | System Development Life Cycle | SA | Integrating risk management and security responsibilities into the SDLC makes hard-coded credentials visible during design and code reviews, reducing their introduction. |
| SA-4 | Acquisition Process | SA | Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components. |
| SA-5 | System Documentation | SA | The known-vulnerabilities section of administrator documentation covers hard-coded credentials and how to replace them, limiting their use in deployments. |
| RA-10 | Threat Hunting | RA | Anomalous use of hard-coded credentials can be uncovered through behavioral and log analysis during hunts. |
| SC-38 | Operations Security | SC | Makes hard-coded credentials less likely by requiring OPSEC treatment of authentication material as protected information throughout development. |
| SI-5 | Security Alerts, Advisories, and Directives | SI | Advisories about products containing hard-coded credentials allow organizations to apply mitigations or avoid affected components before exploitation. |
Top CVEs of this weakness type, ranked by Risk Priority
KEV marks entries in CISA's Known Exploited Vulnerabilities catalog; EPSS is the estimated probability of exploitation activity in the next 30 days.
| CVE | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2022-26138 (KEV) | 9.6 | 9.8 | 0.9432 | 2022-07-20 |
| CVE-2024-3272 (KEV) | 9.6 | 9.8 | 0.9411 | 2024-04-04 |
| CVE-2024-28987 (KEV) | 9.5 | 9.1 | 0.9429 | 2024-08-21 |
| CVE-2020-8657 (KEV) | 9.3 | 9.8 | 0.8886 | 2020-02-06 |
| CVE-2024-20439 (KEV) | 9.1 | 9.8 | 0.8631 | 2024-09-04 |
| CVE-2022-28810 (KEV) | 8.8 | 6.8 | 0.9071 | 2022-04-18 |
| CVE-2025-30406 (KEV) | 8.8 | 9.0 | 0.8340 | 2025-04-03 |
| CVE-2019-6693 (KEV) | 7.6 | 6.5 | 0.7222 | 2019-11-21 |
| CVE-2020-11854 | 7.5 | 9.8 | 0.9240 | 2020-10-27 |
| CVE-2021-22707 | 7.5 | 9.8 | 0.9157 | 2021-07-21 |
| CVE-2023-22463 | 7.5 | 9.8 | 0.9152 | 2023-01-04 |
| CVE-2023-5074 | 7.5 | 9.8 | 0.9209 | 2023-09-20 |
| CVE-2024-7332 | 7.5 | 9.8 | 0.9211 | 2024-08-01 |
| CVE-2025-14611 (KEV) | 7.5 | 9.8 | 0.5835 | 2025-12-12 |
| CVE-2020-4429 | 7.4 | 9.8 | 0.9070 | 2020-05-07 |
| CVE-2024-3408 | 7.4 | 9.8 | 0.9054 | 2024-06-06 |
| CVE-2019-1935 | 7.3 | 9.8 | 0.8907 | 2019-08-21 |
| CVE-2020-26879 | 7.3 | 9.8 | 0.8890 | 2020-10-26 |
| CVE-2024-22853 | 7.2 | 9.8 | 0.8692 | 2024-02-06 |
| CVE-2019-16313 | 7.1 | 7.5 | 0.9400 | 2019-09-14 |
| CVE-2019-15975 | 7.1 | 9.8 | 0.8514 | 2020-01-06 |
| CVE-2022-1162 | 7.1 | 9.1 | 0.8761 | 2022-04-04 |
| CVE-2022-35413 | 7.1 | 9.8 | 0.8597 | 2022-09-13 |
| CVE-2016-1560 | 6.9 | 9.8 | 0.8167 | 2017-04-21 |
| CVE-2020-35338 | 6.9 | 9.8 | 0.8195 | 2020-12-14 |