CVEbaza.plCWE DictionaryCWE-1392
Common Weakness Enumeration

CWE-1392

Use of Default Credentials

Category: BaseCVE: 104
Description

The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.

Extended Description

It is common practice for products to be designed to use default keys, passwords, or other mechanisms for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.

CVE vulnerabilities with CWE-1392 (104)
10.0
CVSS
CRITICAL
CVE-2025-12218

Weak Default Credentials.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

pub. 2025-10-25
10.0
CVSS
CRITICAL
CVE-2025-55051

CWE-1392: Use of Default Credentials

pub. 2025-09-09
10.0
CVSS
CRITICAL
CVE-2023-3703

Proscend Advice ICR Series routers FW version 1.76 - CWE-1392: Use of Default Credentials

pub. 2023-09-03
9.9
CVSS
CRITICAL
CVE-2026-46386

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. Combined with cookies_serializer = :marshal, this gives any logged-in user a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader This vulnerability is fixed in .

pub. 2026-06-26
9.8
CVSS
CRITICAL
CVE-2026-45039

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to the public, source-tree-embedded DEFAULT_SECRET_KEY = "rustfsadmin" when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2.

pub. 2026-05-28
9.8
CVSS
CRITICAL
CVE-2026-42072

Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-ms HNSW search, graph traversal, and writes. Prior to version 1.0.42-hotfix, the --address CLI flag (and NORNICDB_ADDRESS / server.host config key) is plumbed through to the HTTP server correctly but never reaches the Bolt server config. The Bolt listener therefore always binds to the wildcard address (all interfaces), regardless of what the user configures. On a LAN, this exposes the graph database — with its default admin:password credentials — to any device sharing the network. This issue has been patched in version 1.0.42-hotfix.

pub. 2026-05-08
9.8
CVSS
CRITICAL
CVE-2026-22886

OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/ admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features.

pub. 2026-03-03
9.8
CVSS
CRITICAL
CVE-2025-54303

The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials, which are stored as fixtures for the Django ORM API. The ionadmin user account can be used to authenticate to default deployments with the password ionadmin. The user guide recommends changing default credentials; however, a password change policy for default administrative accounts is not enforced. Many deployments may retain default credentials, in which case an attacker is likely to be able to successfully authenticate with administrative privileges.

pub. 2025-12-04
9.8
CVSS
CRITICAL
CVE-2025-10542

iMonitor EAM 9.6394 ships with default administrative credentials that are also displayed within the management client’s connection dialog. If the administrator does not change these defaults, a remote attacker can authenticate to the EAM server and gain full control over monitored agents and data. This enables reading highly sensitive telemetry (including keylogger output) and issuing arbitrary actions to all connected clients.

pub. 2025-09-25
9.8
CVSS
CRITICAL
CVE-2025-51536

Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 as discovered to contain a hardcoded Administrator password.

pub. 2025-08-04
9.8
CVSS
CRITICAL
CVE-2025-30139

An issue was discovered on G-Net Dashcam BB GONX devices. Default credentials for SSID cannot be changed. It broadcasts a fixed SSID with default credentials that cannot be changed. This allows any nearby attacker to connect to the dashcam's network without restriction. Once connected, an attacker can sniff on connected devices such as the user's smartphone. The SSID is also always broadcasted.

pub. 2025-03-18
9.8
CVSS
CRITICAL
CVE-2024-29844

Default credentials on the Web Interface of Evolution Controller 2.x allows anyone to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the password. There is no warning or prompt to ask the user to change the default password.

pub. 2024-04-15
9.8
CVSS
CRITICAL
CVE-2023-49621

A vulnerability has been identified in SIMATIC CN 4100 (All versions < V2.7). The "intermediate installation" system state of the affected application uses default credential with admin privileges. An attacker could use the credentials to gain complete control of the affected device.

pub. 2024-01-09
9.8
CVSS
CRITICAL
CVE-2023-30801

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.

pub. 2023-10-10
9.8
CVSS
CRITICAL
CVE-2023-30603

Hitron Technologies CODA-5310 Telnet function with the default account and password, and there is no warning or prompt to ask users to change the default password and account. An unauthenticated remote attackers can exploit this vulnerability to obtain the administrator’s privilege, resulting in performing arbitrary system operation or disrupt service.

pub. 2023-06-02
9.5
CVSS
CRITICAL
CVE-2024-7746

Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Authentication Abuse.This issue affects the privileged transactions implemented by the Traccar solution that should otherwise be protected by the authentication mechanism.  These transactions could have an impact on any sensitive aspect of the platform, including Confidentiality, Integrity and Availability.

pub. 2024-08-13
9.3
CVSS
CRITICAL
CVE-2026-58466

AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.

pub. 2026-07-02
9.3
CVSS
CRITICAL
CVE-2026-58453

JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a hard-coded credentials vulnerability that allows network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80. Attackers can authenticate with these hardcoded credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.

pub. 2026-07-01
9.3
CVSS
CRITICAL
CVE-2026-44159

Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment. TID-L has not been distributed since December 2020, and has not been supported since 2021.

pub. 2026-05-19
9.3
CVSS
CRITICAL
CVE-2026-27751

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a default credentials vulnerability that allows remote attackers to obtain administrative access to the management interface. Attackers can authenticate using the hardcoded default credentials without password change enforcement to gain full administrative control of the device.

pub. 2026-02-27
Showing 20 of 104 vulnerabilities
Information
ID: CWE-1392
Type: Base
Vulnerabilities: 104
MITRE CWE ↗
← CWE Dictionary