VYPR

CWE-1188

Initialization of a Resource with an Insecure Default

BaseIncomplete

Description

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Hierarchy (View 1000)

Children

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (144)

page 2 of 8
  • CVE-2017-8218CriApr 25, 2017
    risk 0.64cvss 9.8epss 0.02

    vsftpd on TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n has a backdoor admin account with the 1234 password, a backdoor guest account with the guest password, and a backdoor test account with the test password.

  • CVE-2017-3834CriApr 6, 2017
    risk 0.64cvss 9.8epss 0.04

    A vulnerability in Cisco Aironet 1830 Series and Cisco Aironet 1850 Series Access Points running Cisco Mobility Express Software could allow an unauthenticated, remote attacker to take complete control of an affected device. The vulnerability is due to the existence of default…

  • CVE-2025-7353CriAug 14, 2025
    risk 0.61cvss epss 0.01

    A security issue exists due to the web-based debugger agent enabled on Rockwell Automation ControlLogix® Ethernet Modules. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution…

  • CVE-2018-16752HigSep 20, 2018
    risk 0.61cvss 8.8epss 0.43

    LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.

  • CVE-2025-59097CriJan 26, 2026
    risk 0.60cvss epss 0.01

    The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the…

  • CVE-2025-59090CriJan 26, 2026
    risk 0.60cvss epss 0.01

    On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated…

  • CVE-2026-30805CriMay 12, 2026
    risk 0.59cvss 9.1epss 0.00

    Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access. This issue affects Pandora FMS: from 777 through 800

  • CVE-2026-41679CriApr 23, 2026
    risk 0.58cvss 10.0epss 0.02

    Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in `authenticated` mode with…

  • CVE-2024-2912CriApr 16, 2024
    risk 0.58cvss 10.0epss 0.01

    An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application.…

  • CVE-2018-8014CriMay 16, 2018
    risk 0.58cvss 9.8epss 0.22

    The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it…

  • CVE-2026-44109CriMay 6, 2026
    risk 0.57cvss 9.8epss 0.01

    OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting…

  • CVE-2026-6043HigApr 24, 2026
    risk 0.57cvss epss 0.00

    P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot…

  • CVE-2025-31930HigMay 13, 2025
    risk 0.57cvss 8.8epss 0.00

    A vulnerability has been identified in IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0) (All versions < V2.135), IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0) (All versions < V2.135), IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1) (All versions < V2.135), IEC 1Ph…

  • CVE-2024-8313HigMar 25, 2025
    risk 0.57cvss epss 0.00

    An Exposure of Sensitive System Information to an Unauthorized Control Sphere and Initialization of a Resource with an Insecure Default vulnerability in the SNMP component of B&R APROL <4.4-00P5 may allow an unauthenticated adjacent-based attacker to read and alter configuration…

  • CVE-2018-10605HigOct 1, 2018
    risk 0.57cvss 8.8epss 0.01

    Martem TELEM GW6/GWM versions prior to 2.0.87-4018403-k4 may allow unprivileged users to modify/upload a new system configuration or take the full control over the RTU using default credentials to connect to the RTU.

  • CVE-2018-1524HigAug 3, 2018
    risk 0.57cvss 8.8epss 0.02

    IBM Maximo Asset Management 7.6 through 7.6.3 installs with a default administrator account that a remote intruder could use to gain administrator access to the system. This vulnerability is due to an incomplete fix for CVE-2015-4966. IBM X-Force ID: 142116.

  • CVE-2017-12736HigDec 26, 2017
    risk 0.57cvss 8.8epss 0.01

    After initial configuration, the Ruggedcom Discovery Protocol (RCDP) is still able to write to the device under certain conditions. This could allow an attacker located in the adjacent network of the targeted device to perform unauthorized administrative actions.

  • CVE-2017-6692HigJun 13, 2017
    risk 0.57cvss 8.8epss 0.02

    A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker to log in to the device with the privileges of the root user, aka an Insecure Default Account Information Vulnerability. More Information: CSCvd85710. Known Affected…

  • CVE-2017-6689HigJun 13, 2017
    risk 0.57cvss 8.8epss 0.01

    A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the admin user, aka an Insecure Default Administrator Credentials Vulnerability. More Information: CSCvc76661. Known Affected…

  • CVE-2017-6688HigJun 13, 2017
    risk 0.57cvss 8.8epss 0.02

    A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux root user, aka an Insecure Default Password Vulnerability. More Information: CSCvc76631. Known Affected Releases: 2.2(9.76).