CWE-1393
AllowedUse of Default Password
Abstraction: Base · Status: Incomplete
The product uses default passwords for potentially critical functionality.
72 vulnerabilities reference this CWE, most recent first.
GHSA-FHF4-QWRF-F48V
Vulnerability from github – Published: 2026-06-03 15:30 – Updated: 2026-06-03 15:30An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices.
{
"affected": [],
"aliases": [
"CVE-2026-35075"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-03T13:16:19Z",
"severity": "CRITICAL"
},
"details": "An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices.",
"id": "GHSA-fhf4-qwrf-f48v",
"modified": "2026-06-03T15:30:41Z",
"published": "2026-06-03T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35075"
},
{
"type": "WEB",
"url": "https://www.certvde.com/en/advisories/VDE-2026-039"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FPCV-V65P-WV5W
Vulnerability from github – Published: 2024-03-25 21:31 – Updated: 2024-08-27 21:31Insecure Permissions vulnerability in Vehicle Monitoring platform system CMSV6 v.7.31.0.2 through v.7.32.0.3 allows a remote attacker to escalate privileges via the default password component.
{
"affected": [],
"aliases": [
"CVE-2024-29666"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-25T19:15:59Z",
"severity": "CRITICAL"
},
"details": "Insecure Permissions vulnerability in Vehicle Monitoring platform system CMSV6 v.7.31.0.2 through v.7.32.0.3 allows a remote attacker to escalate privileges via the default password component.",
"id": "GHSA-fpcv-v65p-wv5w",
"modified": "2024-08-27T21:31:11Z",
"published": "2024-03-25T21:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29666"
},
{
"type": "WEB",
"url": "https://github.com/whgojp/cve-reports/wiki/There-is-a-weak-password-in-the-CMSV6-vehicle-monitoring-platform-system"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FQMR-RQGW-FG3Q
Vulnerability from github – Published: 2025-05-27 21:32 – Updated: 2025-07-14 15:30ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value '123456'. Users should change their passwords (located under the Attendance Settings tab as "Self-Password").
{
"affected": [],
"aliases": [
"CVE-2024-13966"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-27T19:15:24Z",
"severity": "MODERATE"
},
"details": "ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value \u0027123456\u0027. Users should change their passwords (located under the Attendance Settings tab as \"Self-Password\").",
"id": "GHSA-fqmr-rqgw-fg3q",
"modified": "2025-07-14T15:30:31Z",
"published": "2025-05-27T21:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13966"
},
{
"type": "WEB",
"url": "https://krashconsulting.com/fury-of-fingers-biotime-rce"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-148-01.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-13966"
},
{
"type": "WEB",
"url": "https://www.zkteco.com/en/Security_Bulletinsibs/18"
},
{
"type": "WEB",
"url": "https://zkteco-store.ru/wp-content/uploads/2023/09/ZKBio-CVSecurity-6.0.0-User-Manual_EN-v1.0_20230616.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G6HM-R7F2-4J2F
Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-10 00:30A Use of Default Password vulnerability in the Juniper Networks
Support Insights (JSI)
Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.
vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.
{
"affected": [],
"aliases": [
"CVE-2026-33784"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-09T22:16:27Z",
"severity": "CRITICAL"
},
"details": "A Use of Default Password vulnerability in the Juniper Networks \n\nSupport Insights (JSI) \n\nVirtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.\n\nvLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.",
"id": "GHSA-g6hm-r7f2-4j2f",
"modified": "2026-04-10T00:30:29Z",
"published": "2026-04-10T00:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33784"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA107871"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-GQ3W-7JJ3-X7GR
Vulnerability from github – Published: 2026-02-21 00:31 – Updated: 2026-03-17 20:02This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mlflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.0rc0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2635"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T20:02:55Z",
"nvd_published_at": "2026-02-20T23:16:05Z",
"severity": "CRITICAL"
},
"details": "This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator.",
"id": "GHSA-gq3w-7jj3-x7gr",
"modified": "2026-03-17T20:02:55Z",
"published": "2026-02-21T00:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2635"
},
{
"type": "WEB",
"url": "https://github.com/mlflow/mlflow/pull/19260"
},
{
"type": "WEB",
"url": "https://github.com/mlflow/mlflow/commit/5bf2ec2bd4222a18d78631183ac7f6b752afe8a4"
},
{
"type": "PACKAGE",
"url": "https://github.com/mlflow/mlflow"
},
{
"type": "WEB",
"url": "https://github.com/mlflow/mlflow/releases/tag/v3.8.0rc0"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-111"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "MLflow Use of Default Password Authentication Bypass Vulnerability"
}
GHSA-GQ6C-4C55-CXRW
Vulnerability from github – Published: 2025-08-29 00:31 – Updated: 2025-08-29 00:31A vulnerability was determined in Cudy WR1200EA 2.3.7-20250113-121810. Affected is an unknown function of the file /etc/shadow. Executing manipulation can lead to use of default password. The attack needs to be launched locally. A high complexity level is associated with this attack. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-9589"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-28T22:15:33Z",
"severity": "LOW"
},
"details": "A vulnerability was determined in Cudy WR1200EA 2.3.7-20250113-121810. Affected is an unknown function of the file /etc/shadow. Executing manipulation can lead to use of default password. The attack needs to be launched locally. A high complexity level is associated with this attack. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-gq6c-4c55-cxrw",
"modified": "2025-08-29T00:31:14Z",
"published": "2025-08-29T00:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9589"
},
{
"type": "WEB",
"url": "https://github.com/ZZ2266/.github.io/tree/main/Cudy"
},
{
"type": "WEB",
"url": "https://github.com/ZZ2266/.github.io/tree/main/Cudy#steps-to-reproduce"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.321761"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.321761"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.636138"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HGP5-33WM-QQ74
Vulnerability from github – Published: 2025-03-03 21:30 – Updated: 2025-03-03 21:30A vulnerability has been found in i-Drive i11 and i12 up to 20250227 and classified as problematic. This vulnerability affects unknown code of the component WiFi. The manipulation leads to use of default password. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end-of-life.
{
"affected": [],
"aliases": [
"CVE-2025-1878"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-03T19:15:34Z",
"severity": "LOW"
},
"details": "A vulnerability has been found in i-Drive i11 and i12 up to 20250227 and classified as problematic. This vulnerability affects unknown code of the component WiFi. The manipulation leads to use of default password. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end-of-life.",
"id": "GHSA-hgp5-33wm-qq74",
"modified": "2025-03-03T21:30:59Z",
"published": "2025-03-03T21:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1878"
},
{
"type": "WEB",
"url": "https://github.com/geo-chen/i-Drive"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.298192"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.298192"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.510949"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HHJ7-5V62-787Q
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords.
This issue affects Avantra: before 25.3.0.
{
"affected": [],
"aliases": [
"CVE-2026-8672"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-22T14:16:29Z",
"severity": "MODERATE"
},
"details": "Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords.\n\nThis issue affects Avantra: before 25.3.0.",
"id": "GHSA-hhj7-5v62-787q",
"modified": "2026-05-26T13:30:17Z",
"published": "2026-05-26T13:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8672"
},
{
"type": "WEB",
"url": "https://support.avantra.com/hc/en-us/articles/5535551609759"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJ7X-HMF2-HC2P
Vulnerability from github – Published: 2026-03-23 15:30 – Updated: 2026-03-25 20:10Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.15.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4404"
],
"database_specific": {
"cwe_ids": [
"CWE-1393",
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T20:10:56Z",
"nvd_published_at": "2026-03-23T15:16:35Z",
"severity": "CRITICAL"
},
"details": "Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.",
"id": "GHSA-hj7x-hmf2-hc2p",
"modified": "2026-03-25T20:10:56Z",
"published": "2026-03-23T15:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4404"
},
{
"type": "WEB",
"url": "https://github.com/goharbor/harbor/issues/1937"
},
{
"type": "WEB",
"url": "https://github.com/goharbor/harbor/pull/22751"
},
{
"type": "PACKAGE",
"url": "https://github.com/goharbor/harbor"
},
{
"type": "WEB",
"url": "https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/577436"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Harbor allows the use of the default password for web UI login"
}
GHSA-M77Q-7JWW-HHF9
Vulnerability from github – Published: 2025-04-10 03:31 – Updated: 2025-04-10 03:31Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.0, contains a use of default password vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to the takeover of a high privileged user account.
{
"affected": [],
"aliases": [
"CVE-2025-27690"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-10T03:15:19Z",
"severity": "CRITICAL"
},
"details": "Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.0, contains a use of default password vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to the takeover of a high privileged user account.",
"id": "GHSA-m77q-7jww-hhf9",
"modified": "2025-04-10T03:31:32Z",
"published": "2025-04-10T03:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27690"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000300860/dsa-2025-119-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.
Mitigation
Ensure that product documentation clearly emphasizes the presence of default passwords and provides steps for the administrator to change them.
Mitigation
Force the administrator to change the credential upon installation.
Mitigation
The product administrator could change the defaults upon installation or during operation.
No CAPEC attack patterns related to this CWE.