
CWE-1391 — Vulnerability Class 31

31 vulnerabilities classified as CWE-1391. AI Chinese analysis included.

CWE-1391 describes an authentication weakness in which a system relies on credentials that are easily guessable, derivable, or static, such as default keys or hard-coded passwords. An attacker does not need to defeat brute-force protections to exploit it: access is gained by simply predicting, deriving, or reusing a known default value rather than by cracking anything. This undermines the basic assumption behind password and key authentication, namely that compromising a credential should require significant effort. To prevent such breaches, developers must enforce strong credential policies, ensuring passwords meet complexity requirements and are never hard-coded in source code. Generating a unique credential per installation from a cryptographically secure source, storing credentials securely, and rotating them regularly further reduce the risk. By eliminating predictable authentication data and adhering to strict security standards, organizations can significantly reduce the attack surface and keep sensitive resources out of reach of trivial guessing attempts.

MITRE CWE Description
The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.

By design, authentication protocols try to ensure that attackers must perform brute force attacks if they do not know the credentials such as a key or password. However, when these credentials are easily predictable or even fixed (as with default or hard-coded passwords and keys), then the attacker can defeat the mechanism without relying on brute force.

Credentials may be weak for different reasons, such as:

- Hard-coded (i.e., static and unchangeable by the administrator)
- Default (i.e., the same static value across different deployments/installations, but able to be changed by the administrator)
- Predictable (i.e., generated in a way that produces unique credentials across deployments/installations, but can still be guessed with reasonable efficiency)
- Previously Compromised (i.e., "leaked" credentials that were published as part of a data breach)

Even if a new, unique credential is intended to be generated for each product installation, if the generation is predictable, then that may also simplify guessing attacks.
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism.
An adversary could bypass intended authentication restrictions.
Mitigations (1)
Phases: Architecture and Design; Operation. When the user changes or sets a password, check the password against a database of already compromised or breached passwords. These passwords are likely to be used in password guessing attacks.
Effectiveness: Moderate
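The following is an added example, not code from the CWE entry or from any product it lists, showing how a password-change handler can apply that mitigation together with the default-credential and per-installation-generation points from the summary above. The breached-hash set and the default-credential list are constructed for this example; a real deployment would back `sha1_prefix_lookup` with an actual breached-password corpus such as the Have I Been Pwned range API, which uses the same five-character SHA-1 prefix scheme so that the full hash never leaves the caller.

```python
import hashlib
import secrets

# Constructed sample of breached-password SHA-1 digests (not taken from any
# real breach corpus). A production deployment would back the lookup with a
# real dataset; the k-anonymity prefix scheme below keeps the full hash local.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "admin", "qwerty", "letmein")
}

# Factory defaults of a hypothetical product. Any match is exactly the
# "Default" credential category described by CWE-1391.
DEFAULT_CREDENTIALS = {"admin", "changeme", "default"}


def sha1_prefix_lookup(prefix: str) -> list[str]:
    """Simulated range lookup: given the first 5 hex characters of a SHA-1,
    return the 35-character suffixes of every breached hash with that prefix.
    Only the prefix is sent to the lookup service; matching happens locally."""
    return [h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)]


def is_breached(password: str) -> bool:
    """Check a candidate password against the breached set via its SHA-1 range."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in sha1_prefix_lookup(prefix)


def check_new_password(password: str, min_length: int = 12) -> list[str]:
    """Return the list of policy violations for a proposed password.
    An empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in DEFAULT_CREDENTIALS:
        problems.append("matches a factory default credential")
    if is_breached(password):
        problems.append("appears in the breached-password set")
    return problems


def generate_initial_credential(nbytes: int = 24) -> str:
    """Per-installation initial credential drawn from the OS CSPRNG, replacing a
    static default. 24 random bytes encode to a 32-character URL-safe token."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for candidate in ("admin", "password", "correct horse battery staple 7!"):
        verdict = check_new_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
    print("generated initial credential:", generate_initial_credential())
```

The check runs at the moment a credential is set or changed, which is where the mitigation places it; generating the first credential with `generate_initial_credential` instead of shipping a fixed value removes the "Default" and "Hard-coded" categories entirely, and a CSPRNG source avoids the "Predictable" one.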
Examples (1)
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE ID          Title                                                                  CVSS   Severity   Published
CVE-2023-31240  Snap One OvrC Pro trust management vulnerability — OvrC Cloud          8.3    High       2023-05-22

Vulnerabilities classified as CWE-1391 represent 31 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.