CWE · MITRE source
CWE-798: Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.
There are two main variations:
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 9 mapping(s) from 4 framework(s): ATT&CK 5 (mostly) · CAPEC 2 (partial) · OWASP-Web 1 (full) · CSF 2.0 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A07:2025 Authentication Failures.
NIST 800-53 r5 controls that address this weakness (21)
The 15 most specific controls are listed first; the 6 broadly applicable controls that address many weakness types follow.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-12 | Supply Chain Protection | SA | Supplier evaluation and secure acquisition practices make it harder for hard-coded credentials to be introduced via procured products. |
| SA-13 | Trustworthiness | SA | Reduces hard-coded credentials by requiring that trustworthiness evidence includes absence of embedded secrets that bypass normal authentication. |
| SA-21 | Developer Screening | SA | Vetting reduces the chance a developer will deliberately insert hard-coded credentials as a backdoor or unauthorized access mechanism. |
| IA-1 | Policy and Procedures | IA | Policy and procedures prohibit hard-coded credentials in favor of managed authentication. |
| IA-13 | Identity Providers and Authorization Servers | IA | External identity providers eliminate the need for hard-coded credentials in applications. |
| IA-5 | Authenticator Management | IA | Changing default authenticators prior to first use and protecting authenticator content prevents use of hard-coded credentials. |
| PM-16 | Threat Awareness Program | PM | Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation. |
| PM-3 | Information Security and Privacy Resources | PM | Planned investment enables secure credential storage and management systems instead of hard-coded credentials. |
| PM-30 | Supply Chain Risk Management Strategy | PM | Strategy enforces supplier requirements and code reviews that reduce hard-coded credentials introduced through acquired products. |
| SR-1 | Policy and Procedures | SR | Policy and procedures require review of procured products for hard-coded credentials, reducing the chance they are introduced via the supply chain. |
| SR-6 | Supplier Assessments and Reviews | SR | Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services. |
| AC-9 | Previous Logon Notification | AC | Enables users to notice when hard-coded credentials have been exploited for unauthorized access. |
| AT-3 | Role-based Training | AT | Security training explicitly warns against hard-coded credentials, lowering their use in systems. |
| PL-9 | Central Management | PL | Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code. |
| PS-2 | Position Risk Designation | PS | Vetting individuals before they occupy roles that touch credentials or secrets reduces the likelihood of hard-coded credentials being introduced or abused. |
| SA-3 | System Development Life Cycle | SA | Integrating risk management and security responsibilities into the SDLC makes use of hard-coded credentials visible during design and code reviews, reducing their introduction. |
| SA-4 | Acquisition Process | SA | Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components. |
| SA-5 | System Documentation | SA | The known-vulnerabilities section of administrator documentation covers hard-coded credentials and how to replace them, limiting their use in deployments. |
| RA-10 | Threat Hunting | RA | Anomalous use of hard-coded credentials can be uncovered through behavioral and log analysis during hunts. |
| SC-38 | Operations Security | SC | Makes hard-coded credentials less likely by requiring OPSEC treatment of authentication material as protected information throughout development. |
| SI-5 | Security Alerts, Advisories, and Directives | SI | Advisories about products containing hard-coded credentials allow organizations to apply mitigations or avoid affected components before exploitation. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2019-6693 (KEV) | 10.0 | 6.5 | 0.0566 | 2019-11-21 |
| CVE-2020-8657 (KEV) | 10.0 | 9.8 | 0.9187 | 2020-02-06 |
| CVE-2021-44207 (KEV) | 10.0 | 8.1 | 0.1758 | 2021-12-21 |
| CVE-2022-28810 (KEV) | 10.0 | 6.8 | 0.7042 | 2022-04-18 |
| CVE-2022-26138 (KEV) | 10.0 | 9.8 | 0.9817 | 2022-07-20 |
| CVE-2023-6448 (KEV) | 10.0 | 9.8 | 0.0209 | 2023-12-05 |
| CVE-2024-3272 (KEV, UPD) | 10.0 | 9.8 | 0.9804 | 2024-04-04 |
| CVE-2024-28987 (KEV) | 10.0 | 9.1 | 0.9316 | 2024-08-21 |
| CVE-2024-20439 (KEV) | 10.0 | 9.8 | 0.9201 | 2024-09-04 |
| CVE-2025-30406 (KEV) | 10.0 | 9.0 | 0.9273 | 2025-04-03 |
| CVE-2025-14611 (KEV) | 10.0 | 9.8 | 0.5095 | 2025-12-12 |
| CVE-2026-22769 (KEV) | 10.0 | 10.0 | 0.1313 | 2026-02-17 |
| CVE-2016-1560 | 8.0 | 9.8 | 0.7229 | 2017-04-21 |
| CVE-2017-14143 | 8.0 | 9.8 | 0.7550 | 2017-09-19 |
| CVE-2018-9161 | 8.0 | 9.8 | 0.5853 | 2018-03-31 |
| CVE-2019-1619 | 8.0 | 9.8 | 0.8282 | 2019-06-27 |
| CVE-2019-1935 | 8.0 | 9.8 | 0.8339 | 2019-08-21 |
| CVE-2019-15975 | 8.0 | 9.8 | 0.8565 | 2020-01-06 |
| CVE-2019-15976 | 8.0 | 9.8 | 0.9284 | 2020-01-06 |
| CVE-2014-9614 | 8.0 | 9.8 | 0.6664 | 2020-02-19 |
| CVE-2020-4429 | 8.0 | 9.8 | 0.7136 | 2020-05-07 |
| CVE-2020-13166 | 8.0 | 9.8 | 0.7763 | 2020-05-19 |
| CVE-2020-11854 | 8.0 | 9.8 | 0.7423 | 2020-10-27 |
| CVE-2021-22707 | 8.0 | 9.8 | 0.6461 | 2021-07-21 |
| CVE-2022-1162 | 8.0 | 9.1 | 0.7618 | 2022-04-04 |