Hardcoded passwords: detecting embedded passwords begins with understanding why credentials end up hardcoded in code, firmware or configurations, how weak processes lead to credential leaks, and what damage follows. This article gives a fact-based assessment with verified incidents from 2024/2025 and leads into methods of secrets discovery. Our focus: hardcoded passwords in the context of privileged access management (PAM), vulnerability management and cyber security.

Introduction and objective: Why hardcoded passwords must be a priority now

Hardcoded passwords are a long-standing and still pervasive risk, across firmware, cloud portals, SaaS integrations and internal applications. In Swiss enterprises with hybrid environments (on-prem, cloud, edge), time pressure in development and operations often leads to pragmatic but insecure shortcuts: secrets in code repositories, default passwords in appliances, shared admin accounts without rotation. This article focuses on understanding the problem: how do hardcoded passwords arise, which account and secret types are affected, and what consequences are evident from real incidents in 2024/2025?


Find hardcoded secrets – before attackers do.

Understanding the challenge: hardcoded passwords and weak credential processes

Hardcoded passwords typically arise in three situations. First, in firmware and appliances, when vendors or integrators embed support backdoors or default logins that are never changed. Second, in software projects, when developers store API keys or database passwords in source code, configuration files, IaC templates or container images. Third, in support and helpdesk processes, when identity verification and privileged access are insufficiently governed. The result is easily exploitable paths to critical systems, often without logging, rotation or multi-factor protection; a secret that sits in a file also travels with every copy of the repository, image or backup that contains it.

Real incidents underscore the relevance
Verified cases from 2024/2025 show how concrete the problem is, from embedded credentials in network devices to the exposure of encrypted secrets in cloud portals:

Aruba Instant On Access Points – CVE-2025-37103 (2025): Hewlett Packard Enterprise (HPE) warned about hardcoded credentials in Aruba Instant On access points. The vulnerability (CVSS 9.8) lets anyone who knows the embedded credentials bypass authentication and reach the admin web interface directly, with the potential to manipulate network configurations and establish persistent backdoors. For SMEs relying on these plug-and-play devices, immediate action is required: firmware update, segmentation of the management interface, and access protection. Source: CISO Series Week in Review.

Cognizant–Clorox (2023/2025): the threat actor Scattered Spider obtained passwords and MFA resets from the helpdesk of service provider Cognizant through simple social engineering. According to reports, a password was handed out without reliable identity verification, a fundamental breach of credential governance and a classic PAM failure. The result was substantial damage and a 380-million-dollar lawsuit filed in 2025. Source: CISO Series.

SonicWall – MySonicWall portal (September 2025): a breach of the cloud portal exposed AES-256-encrypted backup data, that is credentials and configuration data including VPN keys, API tokens and TOTP codes, of customers who used the cloud backup feature. Even though the credentials were encrypted, the exposure forced a broad rotation, from passwords and shared secrets to API keys: an attacker who holds the ciphertext can work on it offline, and rotation is the only control that retires the secret for good. Source: Bright Defense – Recent Data Breaches.

Louvre – CCTV infrastructure (October 2025): investigations following a theft revealed outdated software, weak segmentation and hardcoded logins such as “LOUVRE” and “THALES”. Such static, easily guessable credentials in security-critical systems undermine both forensic capability and the level of physical security. Source: Bright Defense.

These cases show that hardcoded passwords are not just a code smell but a supply chain and operations problem. They complicate incident response, foster lateral movement and undermine privileged access management controls. Industry guidance also stresses the need for Zero Standing Privileges (ZSP) and sound secrets management; see for example Syteca on ZSP as well as Syteca on secrets management.

Why do credentials slip through the cracks?
– Code and build pipelines: secrets persist in source code, IaC templates or container images, and survive in git history and image layers even after they are deleted from the working tree.
– Firmware/appliances: vendor hardcodings or default accounts without enforced rotation.
– Helpdesk processes: password/MFA resets without strong identity verification, a PAM anti-pattern.
– Shadow secrets: tokens in config files, scripts and CI logs that evade vulnerability management.
– Lack of discovery: without continuous secret scanning and rotation, blind spots emerge.
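As an added example, written for this article and not Syteca's tooling or any vendor product, the following Python script sketches the continuous secret scanning the list above calls for and the CI/CD scanning recommended in the conclusion. It runs rule-based and entropy-based detection over constructed samples of a settings file, a Dockerfile, a CI deploy log and a Terraform template, skips placeholders and runtime lookups, honours a hypothetical `scanner:allow` pragma, masks what it finds and counts findings by severity. All file contents, rule patterns, thresholds and the pragma are assumptions; the AWS key pair shown is the example pair from AWS's own documentation, not a live credential.

```python
"""Minimal secret scanner, rule-based plus entropy-based. Added example written for this
article, not Syteca's or any vendor's tool; patterns, thresholds, the 'scanner:allow'
pragma and all sample files below are assumptions."""
import math
import re
from collections import namedtuple

# masked holds a 4-char prefix only; the scanner never stores the secret itself
Finding = namedtuple("Finding", "path line_no rule severity masked")

# Most specific first; the first rule that hits a line wins.
RULES = [
    ("aws-access-key-id", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", "critical", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    # credentials inside connection strings: scheme://user:pass@host (group 1 = pass)
    ("url-with-password", "high", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@")),
    # DB_PASSWORD = "...", api_key: ..., AWS_SECRET_ACCESS_KEY=... (group 2 = value)
    ("credential-assignment", "high",
     re.compile(r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)"
                r"[a-z0-9_]*\s*[=:]\s*['\"]?([^'\"\s#]{6,})")),
    # long base64-like runs: catches tokens that carry no known prefix
    ("high-entropy-string", "medium", re.compile(r"[A-Za-z0-9+/=_-]{32,}")),
]
# Values that are references or templates, not secrets: ${VAR}, <your-password>,
# Terraform var./local. references, runtime lookups, common dummies.
PLACEHOLDER = re.compile(
    r"(?i)^(\$\{?[a-z_][a-z0-9_]*\}?|<[^>]+>|(?:var|local)\.[a-z0-9_.]+"
    r"|os\.environ.*|env\(.*|changeme|example|xxx+|\*{3,}|none|null)$")
ALLOW_PRAGMA = "scanner:allow"  # hypothetical inline suppression marker
# bits/char: random base64 lies well above 4.0, words and identifiers below; hex tops
# out at exactly 4.0 and needs a charset-aware rule of its own.
ENTROPY_THRESHOLD = 4.0

def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def mask(value):
    """Keep a 4-character prefix so a finding can be located without re-leaking it."""
    return value[:4] + "..." if len(value) > 4 else "****"

def match_line(line):
    """Return (rule, severity, value) for the first rule that hits, else None."""
    for rule, severity, rx in RULES:
        for m in rx.finditer(line):
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if PLACEHOLDER.fullmatch(value):
                continue
            if rule == "high-entropy-string" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            return rule, severity, value
    return None

def scan_text(path, text):
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_PRAGMA in line:  # reviewed fixture or accepted false positive
            continue
        hit = match_line(line)
        if hit:
            findings.append(Finding(path, line_no, hit[0], hit[1], mask(hit[2])))
    return findings

def scan_files(files):
    """files: {path: content}; a real run would walk a repo, image layer or log directory."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

def summarize(findings):
    """Counts per severity, for the risk pre-filter step."""
    return {s: sum(1 for f in findings if f.severity == s) for s in ("critical", "high", "medium")}

# Constructed sample inputs, not real files. The AWS pair is the example key pair from
# AWS's own documentation, not a live credential.
SAMPLE_FILES = {
    "app/settings.py": (
        'DB_PASSWORD = "S3cr3t-Pr0d-2025!"\n'
        'API_TOKEN = os.environ["API_TOKEN"]\n'
        'SESSION_SECRET = "${SESSION_SECRET}"\n'
        'TEST_API_KEY = "test-0000-0000-0000"  # scanner:allow fixture\n'),
    "Dockerfile": (
        "ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "ci/deploy.log": (
        "2025-09-03T10:12:45Z deploy: DATABASE_URL=postgres://app:S3cr3t-Pr0d-2025!@db.internal:5432/app\n"
        "2025-09-03T10:12:46Z deploy: export GITHUB_TOKEN=ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789\n"
        "2025-09-03T10:12:47Z deploy: Authorization: Bearer k3Qb9ZT1mW7LaPc4HY0XdR6JN2VE8FS5UDMOCGBAI\n"),
    "infra/main.tf": 'resource "aws_db_instance" "app" {\n  password = var.db_password\n}\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.severity:8} {f.path}:{f.line_no}  {f.rule}  ({f.masked})")
```

Run as-is, it reports six findings (two critical, three high, one medium) and nothing for the Terraform variable reference, the `os.environ` lookup, the `${SESSION_SECRET}` template or the allow-listed fixture. The same `scan_text` can sit in a pre-commit hook or a CI job; note that only the masked prefix goes into its output, which matters because CI logs are themselves one of the shadow-secret locations listed above. The placeholder list and the entropy threshold are starting points to tune against your own repositories, and the "first rule wins" design means one finding per line, so a line carrying two different secrets is reported once.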

Best practices and industry recommendations: The principles of least privilege and ZSP are central guardrails for development and operations. An overview of the principle of least privilege can be found at Syteca; for current threat trends see, among others, SaaS Alerts 2024 trends.

Conclusion and action areas

Hardcoded passwords are a fundamentally avoidable attack vector. Whether in Aruba firmware (CVE-2025-37103), in the MySonicWall portal or through missing identity verification at the helpdesk, the patterns repeat: too much reliance on static secrets, too little governance of privileged access. For Swiss organisations the rule is: treat hardcoded passwords as a priority topic at the intersection of PAM, vulnerability management and a secure software supply chain.

We recommend the following next steps for decision-makers:

✓ Define mandate and scope: end-to-end secrets discovery across source code, CI/CD, container registries, firmware/appliances, cloud (IAM, secrets stores), databases and network devices. Prioritise internet-exposed systems.

✓ Form initial hypotheses: Where are hardcoded passwords and tokens most likely (legacy repos, scripts, test/demo images, default accounts, third-party portals)? Which privileged accesses are critical (admin portals, VPN, backup and orchestration access)?

✓ Set pre-filters for risk: label high-risk secrets (domain/tenant-wide admins, device backdoors, master API keys); prioritise rotation, phishing-resistant MFA (e.g. FIDO2/WebAuthn) and segmentation. Plan for automated revocation of secrets as they are found, not only for periodic rotation.

Further information and advisory

Do you want to systematically eliminate hardcoded passwords, manage secrets securely and make privileged access resilient? We support you with assessments, secrets discovery enablement and roadmap workshops, aligned with best practices for privileged access management, zero standing privileges and continuous vulnerability management.

🎯 Key take-aways – act now

Some immediate conclusions for executive management and IT leaders:

✓ Eliminate hardcoded passwords consistently: Remove secrets from code, images and firmware configurations. Use central secret stores and enforce rotation. The Aruba case (CVE-2025-37103) illustrates the systemic relevance of hardcoded credentials.

✓ Anchor PAM and ZSP: Privileged access only just in time, with no standing rights. MFA for all privileged operations, complete audit logs. Guidance see Zero Standing Privileges.

✓ Rethink vulnerability management: integrate secret scanning into CI/CD, repositories and container registries. Exposed credentials require rotation even when they were stored encrypted (SonicWall example; source: Bright Defense).

✓ Harden the helpdesk and enforce process discipline: no password or MFA resets without strong identity verification, approval workflows and the four-eyes principle. The Cognizant–Clorox example shows the leverage of social engineering (CISO Series).