CWE-521 (Weak Password Requirements) — Vulnerability Class (111 CVEs)

111 vulnerabilities classified as CWE-521 (Weak Password Requirements). AI-generated Chinese analysis included.

CWE-521 covers software that does not require users to choose strong passwords, so accounts end up protected by trivially guessable credentials. Attackers exploit this online, by password spraying and credential stuffing against the login endpoint, or offline, by dictionary and brute-force attacks against a leaked hash store; a low-entropy password falls to either with little computational effort, handing the attacker the account's privileges and whatever data they reach. The mitigation is a validator applied on every path that sets a password (registration, self-service reset, administrative and API user management, since a validator enforced only on the registration form is bypassable, as the Nautobot entry below shows) that enforces a minimum and maximum length, rejects passwords found in breach corpora, passwords containing the user name or product name, and recently used passwords, and gives the user feedback while they type. A second authentication factor limits the damage when a weak password is chosen anyway; mandatory periodic expiration does not and is no longer recommended.

MITRE CWE Description
The product does not require that users should have strong passwords.

Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
An attacker could easily guess user passwords and gain access to user accounts.

Mitigations (4)
Architecture and Design: A product's design should require adherence to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:
  - Enforcement of a minimum and maximum length
  - Restrictions against password reuse
  - Restrictions against using common passwords
  - Restrictions against using contextual string in the password (e.g., …
Architecture and Design: Consider a second authentication factor beyond the password, which prevents the password from being a single point of failure. See CWE-308 for further information.
Implementation: Consider implementing a password complexity meter to inform users when a chosen password meets the required attributes.
Implementation: Previously, "password expiration" was widely advocated as a defense-in-depth approach to minimize the risk of weak passwords, and it has become a common practice. Password expiration requires a password to be changed within a fixed time window (such as every 90 days). However, this approach has significant limitations in the current threat landscape, and…
  Effectiveness: Discouraged Common Practice
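The policy the mitigations above describe, turned into one concrete validator plus a simple complexity meter. This is an added example written for this page; it is not code from MITRE or from any product listed below. The policy numbers (12 to 128 characters, a five-entry reuse history), the product names "acme" and "acmeportal", the six-entry breached-password list and the local_range_lookup stand-in for a k-anonymity range endpoint (send a 5-character SHA-1 prefix, match the suffix locally, as the Pwned Passwords service does) are all assumptions constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import math
import os
import re
from dataclasses import dataclass

# Constructed stand-in for a breached-password corpus; a deployment would query a
# service such as Pwned Passwords or a local copy. Stored as uppercase SHA-1 hex.
_CONSTRUCTED_BREACHED = ["password", "123456", "qwerty", "Password1", "welcome1", "letmein"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_BREACHED}

# Digit, alphabet and keyboard sequences used to spot trivial runs (matched reversed too).
_SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm")


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed numbers: the CWE text names the attributes but fixes no values."""
    min_length: int = 12
    max_length: int = 128  # an upper bound protects the password-hashing backend
    history_size: int = 5  # previous hashes a new password may not repeat
    context_strings: tuple = ("acme", "acmeportal")  # hypothetical product/site names


def sha1_k_anonymity_parts(password: str) -> tuple[str, str]:
    """5-hex-char prefix sent to a range endpoint, 35-char suffix compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def local_range_lookup(prefix: str) -> list[str]:
    """Offline stand-in for a 'range' endpoint: 'SUFFIX:COUNT' lines for every
    breached hash sharing the prefix. The counts are constructed."""
    return [f"{h[5:]}:1000" for h in sorted(BREACHED_SHA1) if h.startswith(prefix)]


def is_breached(password: str, range_lookup=local_range_lookup) -> bool:
    """Only the hash prefix leaves the host; the match on the suffix happens here."""
    prefix, suffix = sha1_k_anonymity_parts(password)
    return any(line.split(":", 1)[0] == suffix for line in range_lookup(prefix))


def hash_for_history(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 entry for the reuse-history list (demo iteration count)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def matches_history(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    return any(hmac.compare_digest(hash_for_history(password, salt)[1], digest)
               for salt, digest in history)


def has_trivial_pattern(password: str, run: int = 4) -> bool:
    """A character repeated `run` times, or a `run`-long slice of a known sequence."""
    p = password.lower()
    if re.search(r"(.)\1{%d,}" % (run - 1), p):
        return True
    for seq in _SEQUENCES + tuple(s[::-1] for s in _SEQUENCES):
        if any(seq[i:i + run] in p for i in range(len(seq) - run + 1)):
            return True
    return False


def validate_password(password: str, username: str, history: list[tuple[bytes, bytes]],
                      policy: PasswordPolicy | None = None) -> list[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    policy = policy or PasswordPolicy()
    errors = []
    n = len(password)  # code points, not bytes, so non-ASCII passphrases are not penalised
    if n < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if n > policy.max_length:
        errors.append(f"longer than {policy.max_length} characters")
    lowered = password.lower()
    for ctx in (username,) + policy.context_strings:
        if ctx and ctx.lower() in lowered:
            errors.append(f"contains contextual string '{ctx}'")
    if has_trivial_pattern(password):
        errors.append("contains a repeated character or sequential run")
    if is_breached(password):
        errors.append("appears in a known breach corpus")
    if matches_history(password, history[-policy.history_size:]):
        errors.append("matches one of the previous passwords")
    return errors


def strength_meter(password: str) -> tuple[int, str]:
    """Crude 0-4 meter from length * log2(character-class space); breached or
    trivially patterned passwords are pinned to 0 whatever their length."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))
    space = sum(size for pattern, size in classes if re.search(pattern, password)) or 1
    bits = len(password) * math.log2(space)
    weak = is_breached(password) or has_trivial_pattern(password)
    score = 0 if weak else sum(bits >= t for t in (28, 40, 60, 80))
    return score, ("very weak", "weak", "fair", "strong", "very strong")[score]
```

Call validate_password from every code path that stores a password, including administrative and REST user-management endpoints, and not only from the registration form; a validator that one path skips is exactly the bypass described in the Nautobot entry below. The meter is deliberately pessimistic: it scores entropy from length and character classes only, and a breached or patterned password scores zero however long it is, so the feedback never tells a user that "Password1234" is strong.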
CVSS and severity values marked (AI) are the site's AI-derived estimates.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-41038 | Weak Password Policy Vulnerability in Quantum Networks Router QN-I-470 | Router QN-I-470 | 8.8 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-6284 | Horner Automation Cscape and XL4, XL7 PLC Weak password requirements | Cscape | 9.1 | Critical | 2026-04-17 |
| CVE-2026-33771 | CTP OS: Configuring password requirements does not work which permits the use of weak passwords | CTP OS | 7.4 | High | 2026-04-09 |
| CVE-2026-34203 | Nautobot: Management of users via REST API does not apply configured password validators | nautobot | 2.7 | Low | 2026-03-31 |
| CVE-2025-55269 | HCL Aftermarket DPC is affected by Weak Password Policy vulnerability | Aftermarket DPC | 4.2 | Medium | 2026-03-26 |
| CVE-2026-27575 | Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change | vikunja | 9.1 | Critical | 2026-02-25 |
| CVE-2026-25715 | Jinan USR IOT Technology Limited (PUSR) USR-W610 Weak Password Requirements | USR-W610 | 9.8 | Critical | 2026-02-20 |
| CVE-2026-1408 | Beetel 777VR1 UART weak password | 777VR1 | 2.0 | Low | 2026-01-25 |
| CVE-2025-55252 | HCL AION is affected by a Weak Password Policy vulnerability | AION | 3.1 | Low | 2026-01-19 |
| CVE-2025-68963 | Huawei EMUI and Huawei HarmonyOS security vulnerability | HarmonyOS | 5.7 | Medium | 2026-01-14 |
| CVE-2025-23408 | Apache Fineract: weak password policy | Apache Fineract | 9.8 (AI) | Critical (AI) | 2025-12-12 |
| CVE-2025-67513 | FreePBX Endpoint Manager's Weak Default Password Allows Unauthenticated Access in Endpoint Module REST API | endpoint | 9.8 (AI) | Critical (AI) | 2025-12-10 |
| CVE-2025-65014 | LibreNMS has Weak Password Policy | librenms | 3.7 | Low | 2025-11-18 |
| CVE-2025-55034 | General Industrial Controls Lynx+ Gateway Weak Password Requirements | Lynx+ Gateway | 8.2 | High | 2025-11-14 |
| CVE-2025-12552 | Insufficient Password Policy | BLU-IC2 | 9.8 | - | 2025-10-31 |
| CVE-2025-11200 | MLflow Weak Password Requirements Authentication Bypass Vulnerability | MLflow | 9.8 (AI) | Critical (AI) | 2025-10-29 |
| CVE-2025-12364 | Weak Password Policy | BLU-IC2 | 9.8 (AI) | Critical (AI) | 2025-10-27 |
| CVE-2025-11322 | Mangati NovoSGA User Creation new weak password | NovoSGA | 3.7 | Low | 2025-10-06 |
| CVE-2023-49883 | IBM Transformation Extender Advanced information disclosure | Transformation Extender Advanced | 5.9 | Medium | 2025-10-01 |
| CVE-2025-9964 | Weak Authentication for Root User | P series (P07, P10, P12, P15) | 6.8 (AI) | Medium (AI) | 2025-09-23 |
| CVE-2025-10320 | iteachyou Dreamer CMS updatePwd weak password | Dreamer CMS | 3.1 | Low | 2025-09-12 |
| CVE-2025-9514 | macrozheng mall Registration weak password | mall | 3.7 | Low | 2025-08-27 |
| CVE-2025-55299 | VaulTLS has a password-based login exploit in additional user accounts | VaulTLS | 9.4 | Critical | 2025-08-18 |
| CVE-2025-8549 | atjiu pybbs UserAdminController.java update weak password | pybbs | 3.7 | Low | 2025-08-05 |
| CVE-2019-19145 | Quantum SuperLoader 3 security vulnerability | SuperLoader | 5.8 | Medium | 2025-08-01 |
| CVE-2025-8182 | Tenda AC18 Samba smb.conf weak password | AC18 | 5.6 | Medium | 2025-07-26 |
| CVE-2025-5022 | Mitsubishi Electric PV-DR004J security vulnerability | PV-DR004J | 6.5 | Medium | 2025-07-10 |
| CVE-2025-34058 | Hikvision Streaming Media Management Server Default Credentials and Authenticated Arbitrary File Read | Streaming Media Management Server | 6.5 (AI) | Medium (AI) | 2025-07-01 |
| CVE-2024-22330 | IBM Security Verify Governance information disclosure | Security Verify Governance | 5.9 | Medium | 2025-06-06 |
| CVE-2025-48372 | Schule Has Insecure OTP Length, is Susceptible to Brute-Force Attacks | Schule | 9.8 (AI) | Critical (AI) | 2025-05-22 |

Vulnerabilities classified as CWE-521 (Weak Password Requirements) total 111 CVEs; the table above shows 30 of them, ordered by publication date. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.