CWE-1393
AllowedUse of Default Password
Abstraction: Base · Status: Incomplete
The product uses default passwords for potentially critical functionality.
72 vulnerabilities reference this CWE, most recent first.
GHSA-X8V9-7R66-C92W
Vulnerability from github – Published: 2025-02-15 15:30 – Updated: 2025-02-24 18:32The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE: the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."
{
"affected": [],
"aliases": [
"CVE-2025-26793"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-15T15:15:23Z",
"severity": "CRITICAL"
},
"details": "The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents\u0027 PII. NOTE: the Supplier\u0027s perspective is that the \"vulnerable systems are not following manufacturers\u0027 recommendations to change the default password.\"",
"id": "GHSA-x8v9-7r66-c92w",
"modified": "2025-02-24T18:32:36Z",
"published": "2025-02-15T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26793"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=43160884"
},
{
"type": "WEB",
"url": "https://support.identiv.com/products/physical-access/hirsch"
},
{
"type": "WEB",
"url": "https://www.ericdaigle.ca/posts/breaking-into-dozens-of-apartments-in-five-minutes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:S/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XWMM-QMXV-WFH3
Vulnerability from github – Published: 2026-01-26 18:31 – Updated: 2026-01-29 15:30Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated access to the management interface.
{
"affected": [],
"aliases": [
"CVE-2026-24429"
],
"database_specific": {
"cwe_ids": [
"CWE-1393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-26T18:16:40Z",
"severity": "CRITICAL"
},
"details": "Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated access to the management interface.",
"id": "GHSA-xwmm-qmxv-wfh3",
"modified": "2026-01-29T15:30:26Z",
"published": "2026-01-26T18:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24429"
},
{
"type": "WEB",
"url": "https://www.tendacn.com/product/W30E"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/tenda-w30e-v2-hardcoded-default-password-for-built-in-account"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.
Mitigation
Ensure that product documentation clearly emphasizes the presence of default passwords and provides steps for the administrator to change them.
Mitigation
Force the administrator to change the credential upon installation.
Mitigation
The product administrator could change the defaults upon installation or during operation.
No CAPEC attack patterns related to this CWE.