Common Weakness Enumeration

CWE-1393

Allowed

Use of Default Password

Abstraction: Base · Status: Incomplete

The product uses default passwords for potentially critical functionality.

72 vulnerabilities reference this CWE, most recent first.

CVE-2023-32090 (GCVE-0-2023-32090)

Vulnerability from cvelistv5 – Published: 2023-08-07 11:53 – Updated: 2024-10-09 18:13
VLAI
Summary
Pega platform clients who are using versions 6.1 through 7.3.1 may be utilizing default credentials
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Pegasystems Pega Platform Affected: 6.1 , ≤ 7.3.1 (custom)
Create a notification for this product.
pegasystems pega_platform Affected: 6.1 , ≤ 7.3.1 (custom)
    cpe:2.3:a:pegasystems:pega_platform:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Mohamad Shokor
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:03:28.943Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:pegasystems:pega_platform:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "pega_platform",
            "vendor": "pegasystems",
            "versions": [
              {
                "lessThanOrEqual": "7.3.1",
                "status": "affected",
                "version": "6.1",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-32090",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-09T17:55:40.791064Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-09T18:13:45.110Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Pega Platform",
          "vendor": "Pegasystems",
          "versions": [
            {
              "lessThanOrEqual": "7.3.1",
              "status": "affected",
              "version": "6.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Mohamad Shokor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Pega platform clients who are using versions 6.1 through 7.3.1 may be\nutilizing default credentials\n\n\n\n"
            }
          ],
          "value": "Pega platform clients who are using versions 6.1 through 7.3.1 may be\nutilizing default credentials\n\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-70",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-70 Try Common or Default Usernames and Passwords"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1393",
              "description": "CWE-1393 Use of Default Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-07T11:53:48.738Z",
        "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "shortName": "Pega"
      },
      "references": [
        {
          "url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
    "assignerShortName": "Pega",
    "cveId": "CVE-2023-32090",
    "datePublished": "2023-08-07T11:53:48.738Z",
    "dateReserved": "2023-05-01T21:15:33.974Z",
    "dateUpdated": "2024-10-09T18:13:45.110Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-28094 (GCVE-0-2023-28094)

Vulnerability from cvelistv5 – Published: 2023-06-22 00:00 – Updated: 2024-12-06 21:20
VLAI
Summary
Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Pegasystems Pega Platform Affected: 7.4 , < unspecified (custom)
Affected: unspecified , < 8.8.* (custom)
Create a notification for this product.
Credits
Mohamad Shokor
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T12:30:24.140Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators?"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-28094",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-06T21:20:34.551749Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-06T21:20:43.179Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Pega Platform",
          "vendor": "Pegasystems",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.4",
              "versionType": "custom"
            },
            {
              "lessThan": "8.8.*",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Mohamad Shokor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials."
            }
          ],
          "value": "Pega platform clients who are using versions 7.4 through 8.8.x and have upgraded from a version prior to 8.x may be utilizing default credentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1393",
              "description": "CWE-1393: Use of Default Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-05T07:26:35.937Z",
        "orgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
        "shortName": "Pega"
      },
      "references": [
        {
          "url": "https://support.pega.com/support-doc/pega-security-advisory-%E2%80%93-c23-vulnerability-default-operators?"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c91e5604-2bd1-401f-a0ec-b25342b57ef9",
    "assignerShortName": "Pega",
    "cveId": "CVE-2023-28094",
    "datePublished": "2023-06-22T00:00:00.000Z",
    "dateReserved": "2023-03-10T00:00:00.000Z",
    "dateUpdated": "2024-12-06T21:20:43.179Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-25131 (GCVE-0-2023-25131)

Vulnerability from cvelistv5 – Published: 2023-04-24 00:00 – Updated: 2025-02-04 17:25
VLAI
Title
Use of default password vulnerability in CyberPower PowerPanel Business
Summary
Use of default password vulnerability in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the 'admin' password.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
CyberPower PowerPanel Business Local / Remote Affected: unspecified , ≤ v4.8.6 (custom)
Create a notification for this product.
CyberPower PowerPanel Business Management Affected: unspecified , ≤ v4.8.6 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:18:35.329Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://zuso.ai/Advisory/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_linux#downloads"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_mac#downloads"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_virtual_machine#downloads"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-25131",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T17:25:46.888522Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T17:25:51.219Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "windows, MacOS, Linux"
          ],
          "product": "PowerPanel Business Local / Remote",
          "vendor": "CyberPower",
          "versions": [
            {
              "lessThanOrEqual": "v4.8.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "windows, MacOS, Linux"
          ],
          "product": "PowerPanel Business Management",
          "vendor": "CyberPower",
          "versions": [
            {
              "lessThanOrEqual": "v4.8.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Use of default password vulnerability in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the \u0027admin\u0027 password."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1393",
              "description": "CWE-1393 Use of Default Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-24T00:00:00.000Z",
        "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "shortName": "ZUSO ART"
      },
      "references": [
        {
          "url": "https://zuso.ai/Advisory/"
        },
        {
          "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
        },
        {
          "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_linux#downloads"
        },
        {
          "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_mac#downloads"
        },
        {
          "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_virtual_machine#downloads"
        }
      ],
      "source": {
        "defect": [
          "ZA-2023-01"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Use of default password vulnerability in CyberPower PowerPanel Business",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
    "assignerShortName": "ZUSO ART",
    "cveId": "CVE-2023-25131",
    "datePublished": "2023-04-24T00:00:00.000Z",
    "dateReserved": "2023-02-02T00:00:00.000Z",
    "dateUpdated": "2025-02-04T17:25:51.219Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-4126 (GCVE-0-2022-4126)

Vulnerability from cvelistv5 – Published: 2023-03-27 04:46 – Updated: 2025-02-19 16:26
VLAI
Title
Use of Default Password
Summary
Use of Default Password vulnerability in ABB RCCMD on Windows, Linux, MacOS allows Try Common or Default Usernames and Passwords.This issue affects RCCMD: before 4.40 230207.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
ABB
References
Impacted products
Vendor Product Version
ABB RCCMD Affected: 0 , < 4.40 230207 (custom)
Create a notification for this product.
Date Public
2023-03-27 07:59
Credits
ABB thanks Pablo Valle Alvear from Titanium Industrial Security for finding the vulnerability and protecting our customers.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:27:54.492Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://search.abb.com/library/Download.aspx?DocumentID=2CMT006099_EN\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-4126",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-19T16:26:51.596243Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-19T16:26:56.266Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows",
            "Linux",
            "MacOS"
          ],
          "product": "RCCMD",
          "vendor": "ABB",
          "versions": [
            {
              "lessThan": "4.40 230207",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "ABB thanks Pablo Valle Alvear from Titanium Industrial Security for finding the vulnerability and protecting our customers."
        }
      ],
      "datePublic": "2023-03-27T07:59:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use of Default Password vulnerability in ABB RCCMD on Windows, Linux, MacOS allows Try Common or Default Usernames and Passwords.\u003cp\u003eThis issue affects RCCMD: before 4.40 230207.\u003c/p\u003e"
            }
          ],
          "value": "Use of Default Password vulnerability in ABB RCCMD on Windows, Linux, MacOS allows Try Common or Default Usernames and Passwords.This issue affects RCCMD: before 4.40 230207.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-70",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-70 Try Common or Default Usernames and Passwords"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1393",
              "description": "CWE-1393 Use of Default Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-27T04:46:02.128Z",
        "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
        "shortName": "ABB"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://search.abb.com/library/Download.aspx?DocumentID=2CMT006099_EN\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Use of Default Password",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
    "assignerShortName": "ABB",
    "cveId": "CVE-2022-4126",
    "datePublished": "2023-03-27T04:46:02.128Z",
    "dateReserved": "2022-11-23T10:12:14.624Z",
    "dateUpdated": "2025-02-19T16:26:56.266Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-429P-HFV2-984F

Vulnerability from github – Published: 2025-03-31 15:30 – Updated: 2025-08-18 18:30
VLAI
Details

Adtran 411 ONT L80.00.0011.M2 was discovered to contain weak default passwords.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22938"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-31T15:15:43Z",
    "severity": "CRITICAL"
  },
  "details": "Adtran 411 ONT L80.00.0011.M2 was discovered to contain weak default passwords.",
  "id": "GHSA-429p-hfv2-984f",
  "modified": "2025-08-18T18:30:33Z",
  "published": "2025-03-31T15:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22938"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1levaZk5aC6g6a2zPW8xlOIVAu9MFYvAz/view"
    },
    {
      "type": "WEB",
      "url": "https://lanrat.com/posts/adtran-isp-hacking"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-436F-FMH9-32GQ

Vulnerability from github – Published: 2026-03-25 21:30 – Updated: 2026-03-25 21:30
VLAI
Details

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when administering security settings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14917"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T21:16:24Z",
    "severity": "MODERATE"
  },
  "details": "IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when administering security settings.",
  "id": "GHSA-436f-fmh9-32gq",
  "modified": "2026-03-25T21:30:36Z",
  "published": "2026-03-25T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14917"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7267362"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-43XF-59VR-G4F2

Vulnerability from github – Published: 2025-09-15 21:30 – Updated: 2025-09-16 00:00
VLAI
Summary
Liferay Portal Uses Default Password
Details

Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has changed their initial password, which allows remote users to access and edit content via the API.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.portal.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.4.0"
            },
            {
              "fixed": "7.4.3.112"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-43799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-16T00:00:14Z",
    "nvd_published_at": "2025-09-15T21:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has changed their initial password, which allows remote users to access and edit content via the API.",
  "id": "GHSA-43xf-59vr-g4f2",
  "modified": "2025-09-16T00:00:14Z",
  "published": "2025-09-15T21:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43799"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43799"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Portal Uses Default Password"
}

GHSA-57QH-VMJR-5JXG

Vulnerability from github – Published: 2024-10-11 15:30 – Updated: 2025-03-25 20:10
VLAI
Summary
Snipe-IT remote code execution
Details

Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "snipe/snipe-it"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-48987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-11T17:47:51Z",
    "nvd_published_at": "2024-10-11T13:15:16Z",
    "severity": "HIGH"
  },
  "details": "Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product\u0027s repository, that have default APP_KEY values.",
  "id": "GHSA-57qh-vmjr-5jxg",
  "modified": "2025-03-25T20:10:32Z",
  "published": "2024-10-11T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48987"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/snipe/snipe-it"
    },
    {
      "type": "WEB",
      "url": "https://github.com/snipe/snipe-it/releases/tag/v7.0.10"
    },
    {
      "type": "WEB",
      "url": "https://snipe-it.readme.io/docs/key-rotation"
    },
    {
      "type": "WEB",
      "url": "https://www.synacktiv.com/advisories/snipe-it-unauthenticated-remote-command-execution-when-appkey-known"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Snipe-IT remote code execution"
}

GHSA-6JRJ-GPHG-P8MJ

Vulnerability from github – Published: 2026-07-15 00:31 – Updated: 2026-07-15 00:31
VLAI
Details

In Ciena's Navigator Network Control Suite (NCS) and Manage Control Plan (MCP), there are hidden system accounts used for internal software operations. Some of these accounts have default passwords that may be predictable. While these accounts have very limited permissions on their own, an attacker could combine an attack using one of these accounts with other potential weaknesses to launch a more significant attack, possibly leading to escalation of privilege on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5269"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T23:17:34Z",
    "severity": null
  },
  "details": "In Ciena\u0027s Navigator Network Control Suite (NCS) and Manage Control Plan (MCP), there are hidden system accounts used for internal software operations. Some of these accounts have default passwords that may be predictable. While these accounts have very limited permissions on their own, an attacker could combine an attack using one of these accounts with other potential weaknesses to launch a more significant attack, possibly leading to escalation of privilege on the system.",
  "id": "GHSA-6jrj-gphg-p8mj",
  "modified": "2026-07-15T00:31:43Z",
  "published": "2026-07-15T00:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5269"
    },
    {
      "type": "WEB",
      "url": "https://www.ciena.com/product-security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7478-8PWJ-VCWR

Vulnerability from github – Published: 2025-06-06 21:30 – Updated: 2025-06-06 21:30
VLAI
Details

70mai A510 Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of 70mai A510. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the default configuration of user accounts. The configuration contains default password. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the root. Was ZDI-CAN-24996.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-06T19:15:26Z",
    "severity": "HIGH"
  },
  "details": "70mai A510 Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of 70mai A510. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the default configuration of user accounts. The configuration contains default password. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the root. Was ZDI-CAN-24996.",
  "id": "GHSA-7478-8pwj-vcwr",
  "modified": "2025-06-06T21:30:27Z",
  "published": "2025-06-06T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2766"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-180"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Mitigation
Documentation

Ensure that product documentation clearly emphasizes the presence of default passwords and provides steps for the administrator to change them.

Mitigation
Architecture and Design

Force the administrator to change the credential upon installation.

Mitigation
Installation Operation

The product administrator could change the defaults upon installation or during operation.

No CAPEC attack patterns related to this CWE.