CWE-798 is the weakness category for hard-coded credentials: usernames, passwords, tokens, or keys built directly into software instead of being set securely at deployment time. These values often appear in source code, default templates, configuration files, or initialization logic, and they become dangerous when they are never changed or are easy to recover.
In cybersecurity, hard-coded credentials matter because anyone who recovers them can bypass normal authentication entirely. Attackers look for them in firmware, admin portals, mobile apps, and embedded systems, where a hidden default login may expose a privileged interface. Defenders treat CWE-798 as a design and operations problem: remove embedded secrets, require unique credentials on first use, store secrets in protected vaults, and scan code and binaries for defaults before release. If a system must ship with an initial credential, it should be random, documented only for setup, and forced to expire immediately.
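The following Python is an added example, not code from the CWE entry or from any particular product. It puts the weakness and the defences described above side by side: a deliberately vulnerable login with an embedded default password, a hardened credential store that reads its operator secret from the environment (standing in for a vault injection) and issues a random, short-lived bootstrap credential that must be replaced on first login, and a small pre-release scanner that flags likely embedded secrets in source or config text. All names (`CredentialStore`, `SERVICE_API_TOKEN`, `find_hardcoded_secrets`), the regex, and the sample source are constructed for this example.

```python
"""Added example for CWE-798: vulnerable pattern, hardened pattern, and a
pre-release scanner. Every name and sample value here is constructed."""
from __future__ import annotations

import hmac
import os
import re
import secrets
import time
from dataclasses import dataclass

# --- 1. The weakness: a default credential baked into the code (do not copy) ---
ADMIN_PASSWORD = "admin123"  # constructed example of an embedded default


def vulnerable_login(user: str, password: str) -> bool:
    """Anyone who reads the source or the shipped binary recovers this secret."""
    return user == "admin" and password == ADMIN_PASSWORD


# --- 2. Hardened: secrets come from outside the code base at deployment time ---
@dataclass
class Account:
    user: str
    secret: str
    must_rotate: bool = False        # True only for a bootstrap credential
    expires_at: float = float("inf")  # bootstrap credentials expire quickly


class CredentialStore:
    """No credential is written into this class; they arrive via env/vault
    (SERVICE_API_TOKEN is an assumed variable name) or are generated at random."""

    def __init__(self, env: dict | None = None, bootstrap_ttl_s: int = 600):
        env = os.environ if env is None else env
        self.accounts: dict[str, Account] = {}
        self.bootstrap_ttl_s = bootstrap_ttl_s
        svc = env.get("SERVICE_API_TOKEN")  # injected by the operator, not by code
        if svc:
            self.accounts["service"] = Account("service", svc)

    def issue_bootstrap(self, user: str, now: float | None = None) -> str:
        """Random initial credential, documented for setup only and short-lived."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self.accounts[user] = Account(user, token, must_rotate=True,
                                      expires_at=now + self.bootstrap_ttl_s)
        return token

    def login(self, user: str, secret: str, new_secret: str | None = None,
              now: float | None = None) -> bool:
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None or now >= acct.expires_at:
            return False
        # Constant-time comparison avoids leaking the secret through timing.
        if not hmac.compare_digest(acct.secret.encode(), secret.encode()):
            return False
        if acct.must_rotate:
            # First use must replace the bootstrap secret with a unique one.
            if not new_secret or new_secret == secret:
                return False
            self.accounts[user] = Account(user, new_secret)
        return True


# --- 3. Pre-release scan: flag quoted literals assigned to secret-like names ---
_ASSIGN = re.compile(r"""(?ix)
    (pass(word)?|pwd|secret|token|api[_-]?key|private[_-]?key)   # secret-like name
    \s*[:=]\s*
    ["']([^"']{4,})["']                                          # a quoted literal
""")


def find_hardcoded_secrets(text: str) -> list[tuple[int, str]]:
    """Return (line_no, matched_name) for lines that assign a quoted literal to a
    secret-like name. Lines that read the value from the environment are skipped."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if "os.environ" in line or "getenv" in line:
            continue
        m = _ASSIGN.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


# Constructed sample source to scan; line 3 is the acceptable pattern.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "s3cr3t-default"
api_key = os.environ["API_KEY"]
token: "abc123xyz"
timeout = 30
"""

if __name__ == "__main__":
    for line_no, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: possible hard-coded credential ({name})")
    store = CredentialStore(env={"SERVICE_API_TOKEN": "operator-supplied"})
    boot = store.issue_bootstrap("admin")
    print("bootstrap login without rotation:", store.login("admin", boot))
    print("bootstrap login with rotation:", store.login("admin", boot, "unique-pw"))
```

The scanner is intentionally simple (one regex, one allow-rule for environment lookups); production tools such as gitleaks or detect-secrets add entropy checks and many more patterns, but the gate is the same: run it over source, templates and extracted firmware before release, and treat any hit as a finding to remove rather than an exception to document.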