
CWE-1393 — Vulnerability Class 27

27 vulnerabilities classified as CWE-1393. AI Chinese analysis included.

CWE-1393 represents a critical authentication weakness where software systems retain hardcoded default passwords for administrative or critical user accounts. This flaw is typically exploited by attackers who scan for known default credentials, allowing them to bypass authentication mechanisms and gain unauthorized access to sensitive data or system controls without needing to crack complex passwords. The ease of this attack stems from the widespread assumption that administrators will change these initial settings, which often goes unfulfilled in production environments. To mitigate this risk, developers must enforce mandatory password changes during the initial setup process, ensuring that default credentials cannot be used for persistent access. Additionally, implementing strong password policies and removing default accounts entirely from final builds significantly reduces the attack surface, preventing trivial exploitation by automated tools and malicious actors alike.

MITRE CWE Description
The product uses default passwords for potentially critical functionality. It is common practice for products to be designed to use default passwords for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, then it makes it easier for attackers to quickly bypass authentication across multiple organizations. There are many lists of default passwords and default-password scanning tools that are easily available from the World Wide Web.
Common Consequences (1)
Scope: Authentication. Impact: Gain Privileges or Assume Identity.
Mitigations (4)
Phase: Requirements. Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.
Effectiveness: High
Phase: Documentation. Ensure that product documentation clearly emphasizes the presence of default passwords and provides steps for the administrator to change them.
Effectiveness: Limited
Phase: Architecture and Design. Force the administrator to change the credential upon installation.
Effectiveness: High
Phase: Installation, Operation. The product administrator could change the defaults upon installation or during operation.
Effectiveness: Moderate
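The "force the administrator to change the credential upon installation" mitigation, as an added example that is not MITRE's text or code from any product listed on this page: the shipped default is created in a must-change state that can only be used to set a new credential, a login with it never yields a usable session, and an audit helper lists accounts still sitting on defaults. The account name "admin", the default value and the 12-character minimum are constructed assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

# Constructed placeholder: the default an installer ships with. It is only
# ever valid for changing itself (CWE-1393 "force change at installation").
DEFAULT_ADMIN_PASSWORD = "admin"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    must_change: bool = False  # True while the account still holds a default

class AuthService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
    def create(self, name: str, password: str, must_change: bool = False) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(salt, _hash(password, salt), must_change)
    def _check(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.digest, _hash(password, acct.salt))
    def login(self, name: str, password: str) -> str:
        """'ok', 'change_required' or 'denied'; a default password never yields 'ok'."""
        acct = self.accounts.get(name)
        if acct is None or not self._check(acct, password):
            return "denied"
        return "change_required" if acct.must_change else "ok"
    def change_password(self, name: str, old: str, new: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None or not self._check(acct, old):
            return False
        # Reject the shipped default, the current value and anything too short (12 is a constructed minimum).
        if new == DEFAULT_ADMIN_PASSWORD or len(new) < 12 or self._check(acct, new):
            return False
        acct.salt = secrets.token_bytes(16)
        acct.digest = _hash(new, acct.salt)
        acct.must_change = False
        return True
    def accounts_on_defaults(self) -> list[str]:
        """Audit helper: accounts still gated by the forced-change flag."""
        return sorted(n for n, a in self.accounts.items() if a.must_change)

def fresh_install() -> AuthService:
    # Constructed installer step: the admin account starts in must-change state.
    svc = AuthService()
    svc.create("admin", DEFAULT_ADMIN_PASSWORD, must_change=True)
    return svc
```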
Examples (1)
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE ID | Title | CVSS | Severity | Published
CVE-2026-33784 | JSI Virtual Lightweight Collector: Default password is not required to be changed which allows unauthorized high-privileged access — JSI LWC | 9.8 | Critical | 2026-04-09
CVE-2025-14917 | IBM WebSphere Application Server Liberty could provide weaker than expected security — WebSphere Application Server - Liberty | 6.7 | Medium | 2026-03-25
CVE-2026-3186 | feiyuchuixue sz-boot-parent Password Reset password default password — sz-boot-parent | 6.3 | Medium | 2026-02-25
CVE-2026-2635 | MLflow Use of Default Password Authentication Bypass Vulnerability — MLflow | 9.8 (AI) | Critical (AI) | 2026-02-20
CVE-2026-24429 | Tenda W30E V2 Hardcoded Default Password for Built-in Account — W30E V2 | 9.8 (AI) | Critical (AI) | 2026-01-26
CVE-2025-66050 | No password set for administrative account in Vivotek IP7137 cameras — IP7137 | 9.8 | - | 2026-01-09
CVE-2025-8077 | NeuVector admin account has insecure default password — neuvector | 9.8 | Critical | 2025-09-17
CVE-2025-43799 | Liferay Portal and Liferay DXP security vulnerability — Portal | 8.2 (AI) | High (AI) | 2025-09-15
CVE-2025-9589 | Cudy WR1200EA shadow default password — WR1200EA | 2.5 | Low | 2025-08-28
CVE-2025-43021 | Poly Clariti Manager - Multiple Security Vulnerabilities — Poly Clariti Manager | 7.5 | - | 2025-07-22
CVE-2025-2766 | 70mai A510 Use of Default Password Authentication Bypass Vulnerability — A510 | 8.8 (AI) | High (AI) | 2025-06-06
CVE-2024-13966 | ZKTeco BioTime default password — BioTime | 7.3 | High | 2025-05-27
CVE-2025-27690 | Dell PowerScale OneFS security vulnerability — PowerScale OneFS | 9.8 | Critical | 2025-04-10
CVE-2025-2921 | Netis WF-2404 passwd default password — WF-2404 | 6.4 | Medium | 2025-03-28
CVE-2024-49559 | Dell SmartFabric OS10 security vulnerability — SmartFabric OS10 Software | 8.8 | High | 2025-03-17
CVE-2025-2347 | IROAD Dash Cam FX2 Device Registration default password — Dash Cam FX2 | 6.3 | Medium | 2025-03-16
CVE-2025-26701 | Percona PMM Server security vulnerability — Monitoring and Management | 10.0 | Critical | 2025-03-11
CVE-2025-1878 | i-Drive i11/i12 WiFi default password — i11 | 3.1 | Low | 2025-03-03
CVE-2025-26793 | Hirsch Enterphone MESH security vulnerability — Enterphone MESH | 9.1 | - | 2025-02-15
CVE-2024-51555 | Force Change of Default Credentials — ASPECT-Enterprise | 10.0 | Critical | 2024-12-05
CVE-2024-50588 | Unprotected Exposed Firebird Database with default credentials — Elefant | 8.8 | - | 2024-11-08
CVE-2023-45249 | Acronis Cyber Infrastructure security vulnerability — Acronis Cyber Infrastructure | 9.8 (AI) | Critical (AI) | 2024-07-24
CVE-2023-43042 | IBM Storage Virtualize information disclosure — Storage Virtualize | 7.5 | High | 2023-12-14
CVE-2023-32090 | Pegasystem PEGA Platform authorization issue vulnerability — Pega Platform | 9.8 | Critical | 2023-08-07
CVE-2023-28094 | Pegasystem PEGA Platform security vulnerability — Pega Platform | 8.1 | High | 2023-06-22
CVE-2023-25131 | Use of default password vulnerability in CyberPower PowerPanel Business — PowerPanel Business Local / Remote | 9.4 | Critical | 2023-04-24
CVE-2022-4126 | Use of Default Password — RCCMD | 9.6 | Critical | 2023-03-27

Vulnerabilities classified as CWE-1393 represent 27 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.