
CWE-1391 — Vulnerability Class 31

31 vulnerabilities classified as CWE-1391. AI Chinese analysis included.

CWE-1391 is an authentication weakness in which a system relies on credentials that are easily guessable, derivable, or static, such as default keys or hard-coded passwords. Attackers do not need to crack anything: they sidestep the brute-force resistance that authentication is supposed to provide by simply predicting the credential or reusing a known default value. This undermines the basic assumption that compromising a credential requires significant effort. To prevent such breaches, developers must enforce strong credential policies, ensure passwords meet complexity requirements, and never hard-code credentials in source code. Dynamic per-installation key generation from a cryptographically secure source, secure credential storage, and regular credential rotation further reduce the risk. By eliminating predictable authentication data and following established security standards, organizations can substantially shrink the attack surface and protect sensitive resources from trivial exploitation attempts.

MITRE CWE Description
The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker. By design, authentication protocols try to ensure that attackers must perform brute force attacks if they do not know the credentials such as a key or password. However, when these credentials are easily predictable or even fixed (as with default or hard-coded passwords and keys), then the attacker can defeat the mechanism without relying on brute force. Credentials may be weak for different reasons, such as:
- Hard-coded (i.e., static and unchangeable by the administrator)
- Default (i.e., the same static value across different deployments/installations, but able to be changed by the administrator)
- Predictable (i.e., generated in a way that produces unique credentials across deployments/installations, but can still be guessed with reasonable efficiency)
- Previously Compromised (i.e., "leaked" credentials that were published as part of a data breach)
Even if a new, unique credential is intended to be generated for each product installation, if the generation is predictable, then that may also simplify guessing attacks.
Common Consequences (1)
Access Control: Bypass Protection Mechanism
An adversary could bypass intended authentication restrictions.
Mitigations (1)
Phases: Architecture and Design; Operation. When the user changes or sets a password, check the password against a database of already compromised or breached passwords. These passwords are likely to be used in password guessing attacks.
Effectiveness: Moderate
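The mitigation above, as an added example that is not part of the MITRE entry or this site: a password-change hook that rejects vendor default values outright and then checks the candidate against a breach corpus using a hash-prefix range lookup, so only the first five hex characters of the SHA-1 digest would ever leave the client. The breach corpus, the `DEFAULT_CREDENTIALS` set and the `range_query` helper are constructed placeholders standing in for a real breach list or range-query service.

```python
import hashlib

# Constructed, illustrative breach corpus: SHA-1 hashes of a few known-weak
# values mapped to a made-up "times seen" count. NOT a real breach dataset;
# in production this is a local breach list or a range-query service.
_CONSTRUCTED_BREACHED = {
    hashlib.sha1(p.encode()).hexdigest().upper(): count
    for p, count in [
        ("password", 9_000_000),
        ("123456", 40_000_000),
        ("correcthorsebatterystaple", 150_000),  # long, yet widely known
    ]
}

# Placeholder list of vendor defaults shipped with a hypothetical product;
# these are refused regardless of breach status or length.
DEFAULT_CREDENTIALS = {"admin", "changeme"}


def range_query(prefix: str) -> dict[str, int]:
    """Return {hash_suffix: count} for breached hashes sharing a 5-char prefix.

    Mirrors the k-anonymity range model: the caller sends only the prefix and
    compares the remaining 35 characters locally.
    """
    return {h[5:]: c for h, c in _CONSTRUCTED_BREACHED.items() if h.startswith(prefix)}


def check_new_password(candidate: str, min_len: int = 12) -> tuple[bool, str]:
    """Policy check run when a user sets or changes a password.

    Order matters: a breached value is rejected even if it satisfies the
    length rule, which is why the breach lookup runs before the length check.
    """
    if candidate in DEFAULT_CREDENTIALS:
        return False, "default/vendor credential"
    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    hits = range_query(prefix)
    if suffix in hits:
        return False, f"seen in {hits[suffix]} breached records"
    if len(candidate) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "ok"
```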
Examples (1)
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-8076 | Weak credentials vulnerability in the CashDro 3 web administration panel | CashDro 3 Administration Panel | 6.8 (AI) | Medium (AI) | 2026-05-08
CVE-2026-23853 | Dell PowerProtect Data Domain security vulnerability | PowerProtect Data Domain | 8.4 | High | 2026-04-17
CVE-2026-24449 | ELECOM WRC-X1500GS-B and ELECOM WRC-X1500GSA-B security vulnerability | WRC-X1500GS-B | 7.5 (AI) | High (AI) | 2026-02-03
CVE-2025-59103 | Weak Default Passwords for SSH Access in dormakaba access manager | Access Manager 92xx-k5 | 9.8 (AI) | Critical (AI) | 2026-01-26
CVE-2026-22920 | SICK TDC-X401GL security vulnerability | TDC-X401GL | 3.7 | Low | 2026-01-15
CVE-2026-22910 | SICK TDC-X401GL security vulnerability | TDC-X401GL | 7.5 | High | 2026-01-15
CVE-2025-59460 | Unsecure access configuration | TLOC100-100 with Firmware <7.1.1 | 7.5 | High | 2025-10-27
CVE-2025-30519 | Dover Fueling Solutions ProGauge MagLink LX4 Devices Use of Weak Credentials | ProGauge MagLink LX 4 | 9.8 | Critical | 2025-09-18
CVE-2025-6737 | Securden Unified PAM Shared SSH Key and Cloud Infrastructure | Unified PAM | 7.2 | High | 2025-08-25
CVE-2025-35970 | FUJIFILM FRONTIER DX400W security vulnerability | Multiple EPSON product | 7.5 | High | 2025-08-07
CVE-2025-53558 | ZTE ZXHN-F660T and ZTE ZXHN-F660A security vulnerability | ZXHN-F660T | 9.8 (AI) | Critical (AI) | 2025-07-31
CVE-2025-6523 | Devolutions Server security vulnerability | Server | 9.1 | - | 2025-07-22
CVE-2024-51978 | Authentication bypass via default password generation affecting multiple models from Brother Industries, Ltd, Toshiba Tec, and Konica Minolta, Inc. | DCP-J928N-W/B | 9.8 | Critical | 2025-06-25
CVE-2025-4057 | Activemq-artemis-operator: amq broker operator starting credentials reuse | - | 5.5 | Medium | 2025-05-26
CVE-2025-32471 | Reuse of salt | SICK FLX3-CPUC200 | 3.7 | Low | 2025-04-28
CVE-2025-2229 | Philips Intellispace Cardiovascular (ISCV) Use of Weak Credentials | Intellispace Cardiovascular (ISCV) | 7.7 | High | 2025-03-13
CVE-2025-1081 | Bharti Airtel Xstream Fiber WiFi Password weak credentials | Xstream Fiber | 3.1 | Low | 2025-02-06
CVE-2024-12728 | Sophos Firewall security vulnerability | Sophos Firewall | 9.8 | Critical | 2024-12-19
CVE-2024-45722 | Ruijie Reyee OS Use of Weak Credentials | Reyee OS | 7.5 | High | 2024-12-06
CVE-2024-43698 | Kieback&Peter DDC4000 Series Use of Weak Credentials | DDC4040e | 9.8 | Critical | 2024-10-22
CVE-2024-45272 | MB connect line/Helmholz: Generation of weak passwords vulnerability | mbCONNECT24 | 7.5 | High | 2024-10-15
CVE-2024-40892 | Firewalla BTLE Weak Credentials | Box Software | 7.1 | High | 2024-08-12
CVE-2024-32759 | Johnson Controls Software House C●CURE 9000 installer password strength | Software House C•CURE 9000 | 9.8 (AI) | Critical (AI) | 2024-07-10
CVE-2024-5634 | Longse LBH30FE200W security vulnerability | LBH30FE200W | 9.8 (AI) | Critical (AI) | 2024-07-09
CVE-2024-21865 | KDDI HGW BL1500HM security vulnerability | HGW BL1500HM | 8.8 (AI) | High (AI) | 2024-03-25
CVE-2024-29071 | KDDI HGW BL1500HM security vulnerability | HGW BL1500HM | 6.5 (AI) | Medium (AI) | 2024-03-25
CVE-2023-48257 | Bosch Nexo cordless nutrunner security vulnerability | Nexo cordless nutrunner NXA015S-36V (0608842001) | 7.8 | High | 2024-01-10
CVE-2022-3010 | Predictable SSH credentials in Priva TopControl Suite | TopControl Suite - Bacnet | 7.5 | High | 2024-01-02
CVE-2023-3470 | BIG-IP FIPS HSM password vulnerability CVE-2023-3470 | BIG-IP | 6.0 | Medium | 2023-08-02
CVE-2023-0635 | Privilege escalation to root | ASPECT®-Enterprise | 7.8 | High | 2023-06-05

Vulnerabilities classified as CWE-1391 represent 31 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.