Common Weakness Enumeration

CWE-1393

Allowed

Use of Default Password

Abstraction: Base · Status: Incomplete

The product uses default passwords for potentially critical functionality.

72 vulnerabilities reference this CWE, most recent first.

GHSA-FHF4-QWRF-F48V

Vulnerability from github – Published: 2026-06-03 15:30 – Updated: 2026-06-03 15:30
VLAI
Details

An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-35075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-03T13:16:19Z",
    "severity": "CRITICAL"
  },
  "details": "An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices.",
  "id": "GHSA-fhf4-qwrf-f48v",
  "modified": "2026-06-03T15:30:41Z",
  "published": "2026-06-03T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35075"
    },
    {
      "type": "WEB",
      "url": "https://www.certvde.com/en/advisories/VDE-2026-039"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FPCV-V65P-WV5W

Vulnerability from github – Published: 2024-03-25 21:31 – Updated: 2024-08-27 21:31
VLAI
Details

Insecure Permissions vulnerability in Vehicle Monitoring platform system CMSV6 v.7.31.0.2 through v.7.32.0.3 allows a remote attacker to escalate privileges via the default password component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-25T19:15:59Z",
    "severity": "CRITICAL"
  },
  "details": "Insecure Permissions vulnerability in Vehicle Monitoring platform system CMSV6 v.7.31.0.2 through v.7.32.0.3 allows a remote attacker to escalate privileges via the default password component.",
  "id": "GHSA-fpcv-v65p-wv5w",
  "modified": "2024-08-27T21:31:11Z",
  "published": "2024-03-25T21:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29666"
    },
    {
      "type": "WEB",
      "url": "https://github.com/whgojp/cve-reports/wiki/There-is-a-weak-password-in-the-CMSV6-vehicle-monitoring-platform-system"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQMR-RQGW-FG3Q

Vulnerability from github – Published: 2025-05-27 21:32 – Updated: 2025-07-14 15:30
VLAI
Details

ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value '123456'. Users should change their passwords (located under the Attendance Settings tab as "Self-Password").

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-27T19:15:24Z",
    "severity": "MODERATE"
  },
  "details": "ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value \u0027123456\u0027. Users should change their passwords (located under the Attendance Settings tab as \"Self-Password\").",
  "id": "GHSA-fqmr-rqgw-fg3q",
  "modified": "2025-07-14T15:30:31Z",
  "published": "2025-05-27T21:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13966"
    },
    {
      "type": "WEB",
      "url": "https://krashconsulting.com/fury-of-fingers-biotime-rce"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-148-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-13966"
    },
    {
      "type": "WEB",
      "url": "https://www.zkteco.com/en/Security_Bulletinsibs/18"
    },
    {
      "type": "WEB",
      "url": "https://zkteco-store.ru/wp-content/uploads/2023/09/ZKBio-CVSecurity-6.0.0-User-Manual_EN-v1.0_20230616.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G6HM-R7F2-4J2F

Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-10 00:30
VLAI
Details

A Use of Default Password vulnerability in the Juniper Networks

Support Insights (JSI)

Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.

vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-09T22:16:27Z",
    "severity": "CRITICAL"
  },
  "details": "A Use of Default Password vulnerability in the Juniper Networks \n\nSupport Insights (JSI) \n\nVirtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.\n\nvLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.",
  "id": "GHSA-g6hm-r7f2-4j2f",
  "modified": "2026-04-10T00:30:29Z",
  "published": "2026-04-10T00:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33784"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA107871"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GQ3W-7JJ3-X7GR

Vulnerability from github – Published: 2026-02-21 00:31 – Updated: 2026-03-17 20:02
VLAI
Summary
MLflow Use of Default Password Authentication Bypass Vulnerability
Details

This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.0rc0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2635"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T20:02:55Z",
    "nvd_published_at": "2026-02-20T23:16:05Z",
    "severity": "CRITICAL"
  },
  "details": "This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator.",
  "id": "GHSA-gq3w-7jj3-x7gr",
  "modified": "2026-03-17T20:02:55Z",
  "published": "2026-02-21T00:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2635"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/pull/19260"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/5bf2ec2bd4222a18d78631183ac7f6b752afe8a4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/releases/tag/v3.8.0rc0"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-111"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MLflow Use of Default Password Authentication Bypass Vulnerability"
}

GHSA-GQ6C-4C55-CXRW

Vulnerability from github – Published: 2025-08-29 00:31 – Updated: 2025-08-29 00:31
VLAI
Details

A vulnerability was determined in Cudy WR1200EA 2.3.7-20250113-121810. Affected is an unknown function of the file /etc/shadow. Executing manipulation can lead to use of default password. The attack needs to be launched locally. A high complexity level is associated with this attack. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9589"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-28T22:15:33Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was determined in Cudy WR1200EA 2.3.7-20250113-121810. Affected is an unknown function of the file /etc/shadow. Executing manipulation can lead to use of default password. The attack needs to be launched locally. A high complexity level is associated with this attack. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-gq6c-4c55-cxrw",
  "modified": "2025-08-29T00:31:14Z",
  "published": "2025-08-29T00:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9589"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ZZ2266/.github.io/tree/main/Cudy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ZZ2266/.github.io/tree/main/Cudy#steps-to-reproduce"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.321761"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.321761"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.636138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HGP5-33WM-QQ74

Vulnerability from github – Published: 2025-03-03 21:30 – Updated: 2025-03-03 21:30
VLAI
Details

A vulnerability has been found in i-Drive i11 and i12 up to 20250227 and classified as problematic. This vulnerability affects unknown code of the component WiFi. The manipulation leads to use of default password. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end-of-life.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-03T19:15:34Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been found in i-Drive i11 and i12 up to 20250227 and classified as problematic. This vulnerability affects unknown code of the component WiFi. The manipulation leads to use of default password. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end-of-life.",
  "id": "GHSA-hgp5-33wm-qq74",
  "modified": "2025-03-03T21:30:59Z",
  "published": "2025-03-03T21:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1878"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geo-chen/i-Drive"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.298192"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.298192"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.510949"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HHJ7-5V62-787Q

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords.

This issue affects Avantra: before 25.3.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8672"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-22T14:16:29Z",
    "severity": "MODERATE"
  },
  "details": "Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords.\n\nThis issue affects Avantra: before 25.3.0.",
  "id": "GHSA-hhj7-5v62-787q",
  "modified": "2026-05-26T13:30:17Z",
  "published": "2026-05-26T13:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8672"
    },
    {
      "type": "WEB",
      "url": "https://support.avantra.com/hc/en-us/articles/5535551609759"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJ7X-HMF2-HC2P

Vulnerability from github – Published: 2026-03-23 15:30 – Updated: 2026-03-25 20:10
VLAI
Summary
Harbor allows the use of the default password for web UI login
Details

Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goharbor/harbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-4404"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393",
      "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T20:10:56Z",
    "nvd_published_at": "2026-03-23T15:16:35Z",
    "severity": "CRITICAL"
  },
  "details": "Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.",
  "id": "GHSA-hj7x-hmf2-hc2p",
  "modified": "2026-03-25T20:10:56Z",
  "published": "2026-03-23T15:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4404"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goharbor/harbor/issues/1937"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goharbor/harbor/pull/22751"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/goharbor/harbor"
    },
    {
      "type": "WEB",
      "url": "https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/577436"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Harbor allows the use of the default password for web UI login"
}

GHSA-M77Q-7JWW-HHF9

Vulnerability from github – Published: 2025-04-10 03:31 – Updated: 2025-04-10 03:31
VLAI
Details

Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.0, contains a use of default password vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to the takeover of a high privileged user account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1393"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-10T03:15:19Z",
    "severity": "CRITICAL"
  },
  "details": "Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.0, contains a use of default password vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to the takeover of a high privileged user account.",
  "id": "GHSA-m77q-7jww-hhf9",
  "modified": "2025-04-10T03:31:32Z",
  "published": "2025-04-10T03:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27690"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000300860/dsa-2025-119-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Mitigation
Documentation

Ensure that product documentation clearly emphasizes the presence of default passwords and provides steps for the administrator to change them.

Mitigation
Architecture and Design

Force the administrator to change the credential upon installation.

Mitigation
Installation Operation

The product administrator could change the defaults upon installation or during operation.

No CAPEC attack patterns related to this CWE.