CVEbaza.plCWE DictionaryCWE-1393
Common Weakness Enumeration

CWE-1393

Use of Default Password

Category: BaseCVE: 40
Description

The product uses default passwords for potentially critical functionality.

Extended Description

It is common practice for products to be designed to use default passwords for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, then it makes it easier for attackers to quickly bypass authentication across multiple organizations. There are many lists of default passwords and default-password scanning tools that are easily available from the World Wide Web.

CVE vulnerabilities with CWE-1393 (40)
10.0
CVSS
CRITICAL
CVE-2025-26701

An issue was discovered in Percona PMM Server (OVA) before 3.0.0-1.ova. The default service account credentials can lead to SSH access, use of Sudo to root, and sensitive data exposure. This is fixed in PMM2 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, and 2.44.0-1.ova and in PMM3 3.0.0-1.ova and later.

pub. 2025-03-11
9.8
CVSS
CRITICAL
CVE-2026-22886

OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/ admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features.

pub. 2026-03-03
9.8
CVSS
CRITICAL
CVE-2025-8077

A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs.

pub. 2025-09-17
9.8
CVSS
CRITICAL
CVE-2025-27690

Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.0, contains a use of default password vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to the takeover of a high privileged user account.

pub. 2025-04-10
9.8
CVSS
CRITICAL
CVE-2025-22938

Adtran 411 ONT L80.00.0011.M2 was discovered to contain weak default passwords.

pub. 2025-03-31
9.8
CVSS
CRITICAL
CVE-2024-50588

An unauthenticated attacker with access to the local network of the medical office can use known default credentials to gain remote DBA access to the Elefant Firebird database. The data in the database includes patient data and login credentials among other sensitive data. In addition, this enables an attacker to create and overwrite arbitrary files on the server filesystem with the rights of the Firebird database ("NT AUTHORITY\SYSTEM").

pub. 2024-11-08
9.8
CVSS
CRITICAL
CVE-2023-45249

Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132.

pub. 2024-07-24🚩 CISA KEV⚡ EXPLOIT
9.8
CVSS
CRITICAL
CVE-2024-30802

An issue in Vehicle Management System 7.31.0.3_20230412 allows an attacker to escalate privileges via the login.html component.

pub. 2024-05-14
9.8
CVSS
CRITICAL
CVE-2024-29666

Insecure Permissions vulnerability in Vehicle Monitoring platform system CMSV6 v.7.31.0.2 through v.7.32.0.3 allows a remote attacker to escalate privileges via the default password component.

pub. 2024-03-25
9.8
CVSS
CRITICAL
CVE-2023-24049

An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges on the device via poor credential management.

pub. 2023-12-04
9.8
CVSS
CRITICAL
CVE-2023-32090

Pega platform clients who are using versions 6.1 through 7.3.1 may be utilizing default credentials

pub. 2023-08-07
9.6
CVSS
CRITICAL
CVE-2022-4126

Use of Default Password vulnerability in ABB RCCMD on Windows, Linux, MacOS allows Try Common or Default Usernames and Passwords.This issue affects RCCMD: before 4.40 230207.

pub. 2023-03-27
9.4
CVSS
CRITICAL
CVE-2026-4404

Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.

pub. 2026-03-23
9.4
CVSS
CRITICAL
CVE-2023-25131

Use of default password vulnerability in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the 'admin' password.

pub. 2023-04-24
9.3
CVSS
CRITICAL
CVE-2026-35075

An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices.

pub. 2026-06-03
9.3
CVSS
CRITICAL
CVE-2026-33784

A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.

pub. 2026-04-09
9.3
CVSS
CRITICAL
CVE-2026-24429

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated access to the management interface.

pub. 2026-01-26
9.3
CVSS
CRITICAL
CVE-2025-66050

Vivotek IP7137 camera with firmware version 0200a by default dos not require to provide any password when logging in as an administrator. While it is possible to set up such a password, a user is not informed about such a need. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released.

pub. 2026-01-09
9.3
CVSS
CRITICAL
CVE-2025-26793

The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE: the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."

pub. 2025-02-15
9.3
CVSS
CRITICAL
CVE-2024-51555

Default Credentail vulnerabilities allows access to an Aspect device using publicly available default credentials since the system does not require the installer to change default credentials.  Affected products: ABB ASPECT - Enterprise v3.07.02; NEXUS Series v3.07.02; MATRIX Series v3.07.02

pub. 2024-12-05
Showing 20 of 40 vulnerabilities
Information
ID: CWE-1393
Type: Base
Vulnerabilities: 40
MITRE CWE ↗
← CWE Dictionary