CWE · MITRE source

CWE-798: Use of Hard-coded Credentials

Abstraction: Base · CVEs in our corpus: 1,728

The product contains hard-coded credentials, such as a password or cryptographic key.

There are two main variations:

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 9 mapping(s) from 4 framework(s): ATT&CK 5 (mostly) · CAPEC 2 (partial) · OWASP-Web 1 (full) · CSF 2.0 1 (partial)

OWASP Top 10 for Web (2025)

This weakness contributes to A07:2025 Authentication Failures.

NIST 800-53 r5 controls that address this weakness (21)

The 15 most specific controls are listed first; the 6 generic controls that address many weakness types follow them.

Control · Title · Family · Why it addresses this CWE
SA-12 · Supply Chain Protection · SA · Supplier evaluation and secure acquisition practices make it harder for hard-coded credentials to be introduced via procured products.
SA-13 · Trustworthiness · SA · Reduces hard-coded credentials by requiring that trustworthiness evidence includes absence of embedded secrets that bypass normal authentication.
SA-21 · Developer Screening · SA · Vetting reduces the chance a developer will deliberately insert hard-coded credentials as a backdoor or unauthorized access mechanism.
IA-1 · Policy and Procedures · IA · Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
IA-13 · Identity Providers and Authorization Servers · IA · External identity providers eliminate the need for hard-coded credentials in applications.
IA-5 · Authenticator Management · IA · Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.
PM-16 · Threat Awareness Program · PM · Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
PM-3 · Information Security and Privacy Resources · PM · Planned investment enables secure credential storage and management systems instead of hard-coded credentials.
PM-30 · Supply Chain Risk Management Strategy · PM · Strategy enforces supplier requirements and code reviews that reduce hard-coded credentials introduced through acquired products.
SR-1 · Policy and Procedures · SR · Policy and procedures require review of procured products for hard-coded credentials, reducing the chance they are introduced via the supply chain.
SR-6 · Supplier Assessments and Reviews · SR · Supplier risk reviews identify and discourage hard-coded credentials in delivered products or services.
AC-9 · Previous Logon Notification · AC · Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
AT-3 · Role-based Training · AT · Security training explicitly warns against hard-coded credentials, lowering their use in systems.
PL-9 · Central Management · PL · Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.
PS-2 · Position Risk Designation · PS · Vetting individuals before they occupy roles that touch credentials or secrets reduces the likelihood of hard-coded credentials being introduced or abused.

Broadly-applicable controls (6 more):
SA-3 · System Development Life Cycle · SA · Integrating risk management and security responsibilities into the SDLC makes use of hard-coded credentials visible during design and code reviews, reducing their introduction.
SA-4 · Acquisition Process · SA · Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components.
SA-5 · System Documentation · SA · The known-vulnerabilities section of the administrator documentation covers hard-coded credentials and how to replace them, limiting their use in deployments.
RA-10 · Threat Hunting · RA · Anomalous use of hard-coded credentials can be uncovered through behavioral and log analysis during hunts.
SC-38 · Operations Security · SC · Makes hard-coded credentials less likely by requiring OPSEC treatment of authentication material as protected information throughout development.
SI-5 · Security Alerts, Advisories, and Directives · SI · Advisories about products containing hard-coded credentials allow organizations to apply mitigations or avoid affected components before exploitation.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction of each mapping: either "other covers this" or "this covers other" (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE · Risk · CVSS · EPSS · Published
CVE-2019-6693 (KEV) · 10.0 · 6.5 · 0.0566 · 2019-11-21
CVE-2020-8657 (KEV) · 10.0 · 9.8 · 0.9187 · 2020-02-06
CVE-2021-44207 (KEV) · 10.0 · 8.1 · 0.1758 · 2021-12-21
CVE-2022-28810 (KEV) · 10.0 · 6.8 · 0.7042 · 2022-04-18
CVE-2022-26138 (KEV) · 10.0 · 9.8 · 0.9817 · 2022-07-20
CVE-2023-6448 (KEV) · 10.0 · 9.8 · 0.0209 · 2023-12-05
CVE-2024-3272 (KEV UPD) · 10.0 · 9.8 · 0.9804 · 2024-04-04
CVE-2024-28987 (KEV) · 10.0 · 9.1 · 0.9316 · 2024-08-21
CVE-2024-20439 (KEV) · 10.0 · 9.8 · 0.9201 · 2024-09-04
CVE-2025-30406 (KEV) · 10.0 · 9.0 · 0.9273 · 2025-04-03
CVE-2025-14611 (KEV) · 10.0 · 9.8 · 0.5095 · 2025-12-12
CVE-2026-22769 (KEV) · 10.0 · 10.0 · 0.1313 · 2026-02-17
CVE-2016-1560 · 8.0 · 9.8 · 0.7229 · 2017-04-21
CVE-2017-14143 · 8.0 · 9.8 · 0.7550 · 2017-09-19
CVE-2018-9161 · 8.0 · 9.8 · 0.5853 · 2018-03-31
CVE-2019-1619 · 8.0 · 9.8 · 0.8282 · 2019-06-27
CVE-2019-1935 · 8.0 · 9.8 · 0.8339 · 2019-08-21
CVE-2019-15975 · 8.0 · 9.8 · 0.8565 · 2020-01-06
CVE-2019-15976 · 8.0 · 9.8 · 0.9284 · 2020-01-06
CVE-2014-9614 · 8.0 · 9.8 · 0.6664 · 2020-02-19
CVE-2020-4429 · 8.0 · 9.8 · 0.7136 · 2020-05-07
CVE-2020-13166 · 8.0 · 9.8 · 0.7763 · 2020-05-19
CVE-2020-11854 · 8.0 · 9.8 · 0.7423 · 2020-10-27
CVE-2021-22707 · 8.0 · 9.8 · 0.6461 · 2021-07-21
CVE-2022-1162 · 8.0 · 9.1 · 0.7618 · 2022-04-04