CWE-1188
Initialization of a Resource with an Insecure Default
BaseIncomplete
Description
The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (81)
page 4 of 5| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-41713 | Med | 0.42 | 6.5 | 0.00 | Sep 15, 2025 | During a short time frame while the device is booting an unauthenticated remote attacker can send traffic to unauthorized networks due to the switch operating in an undefined state until a CPU-induced reset allows proper configuration. | |
| CVE-2019-25219 | Hig | 0.42 | 7.5 | 0.00 | Oct 29, 2024 | Asio C++ Library before 1.13.0 lacks a fallback error code in the case of SSL_ERROR_SYSCALL with no associated error information from the SSL library being used. | |
| CVE-2026-2617 | Med | 0.41 | 6.3 | 0.00 | Feb 17, 2026 | A vulnerability was found in Beetel 777VR1 up to 01.00.09. This affects an unknown function of the component Telnet Service/SSH Service. The manipulation results in insecure default initialization of resource. The attack can only be performed from the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2017-8039 | Med | 0.38 | 5.9 | 0.00 | Nov 27, 2017 | An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971. | |
| CVE-2025-46599 | Med | 0.37 | 6.8 | 0.00 | Apr 25, 2025 | CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials. | |
| CVE-2025-2129 | Med | 0.37 | 5.6 | 0.07 | Mar 9, 2025 | A vulnerability was found in Mage AI 0.9.75. It has been classified as problematic. This affects an unknown part. The manipulation leads to insecure default initialization of resource. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. After 7 months of repeated follow-ups by the researcher, Mage AI has decided to not accept this issue as a valid security vulnerability and has confirmed that they will not be addressing it. | |
| CVE-2025-14758 | Med | 0.35 | 6.5 | 0.00 | Dec 16, 2025 | Incorrect configuration of replication security in the MariaDB component of the infra-operator in YAOOK Operator allows an on-path attacker to read database contents, potentially including credentials | |
| CVE-2025-52622 | Med | 0.35 | 5.4 | 0.00 | Dec 2, 2025 | The BigFix SaaS's HTTP responses were missing some security headers. The absence of these headers weakens the application's client-side security posture, making it more vulnerable to common web attacks that these headers are designed to mitigate, such as Cross-Site Scripting (XSS), Clickjacking, and protocol downgrade attacks. | |
| CVE-2017-5491 | Med | 0.35 | 5.3 | 0.02 | Jan 15, 2017 | wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name. | |
| CVE-2026-41931 | Med | 0.34 | 5.3 | 0.00 | May 6, 2026 | Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests. | |
| CVE-2026-1675 | Med | 0.34 | 5.3 | 0.00 | Feb 7, 2026 | The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for unauthenticated attackers to bypass the geolocation blocking mechanism by appending the key to any URL on sites where the administrator has not changed the default value. | |
| CVE-2024-41975 | Med | 0.34 | 5.3 | 0.00 | Mar 18, 2025 | An unauthenticated remote attacker can gain limited information of the PLC network but the user management of the PLCs prevents the actual access to the PLCs. | |
| CVE-2024-5801 | Med | 0.34 | — | 0.00 | Aug 12, 2024 | Enabled IP Forwarding feature in B&R Automation Runtime versions before 6.0.2 may allow remote attack-ers to compromise network security by routing IP-based packets through the host, potentially by-passing firewall, router, or NAC filtering. | |
| CVE-2025-41245 | Med | 0.32 | 4.9 | 0.00 | Sep 29, 2025 | VMware Aria Operations contains an information disclosure vulnerability. A malicious actor with non-administrative privileges in Aria Operations may exploit this vulnerability to disclose credentials of other users of Aria Operations. | |
| CVE-2025-2441 | Med | 0.30 | 4.6 | 0.00 | Apr 9, 2025 | CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could lead to loss of confidentiality when a malicious user, having physical access, sets the radio in factory default mode where the product does not correctly initialize all data. | |
| CVE-2025-53602 | Med | 0.27 | 5.3 | 0.00 | Jul 4, 2025 | Zipkin through 3.5.1 has a /heapdump endpoint (associated with the use of Spring Boot Actuator), a similar issue to CVE-2025-48927. | |
| CVE-2025-31974 | Low | 0.25 | 3.9 | 0.00 | May 6, 2026 | HCL BigFix Service Management (SM) is susceptible to a Root File System Not Mounted as Read-Only. An improperly configured root file system may allow unintended modifications to critical system components, potentially increasing the risk of system compromise or unauthorized changes. | |
| CVE-2025-59044 | Med | 0.22 | 4.4 | 0.00 | Sep 9, 2025 | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Himmelblau 0.9.x derives numeric GIDs for Entra ID groups from the group display name when himmelblau.conf `id_attr_map = name` (the default configuration). Because Microsoft Entra ID allows multiple groups with the same `displayName` (including end-user–created personal/O365 groups, depending on tenant policy), distinct directory groups can collapse to the same numeric GID on Linux. This issue only applies to Himmelblau versions 0.9.0 through 0.9.22. Any resource or service on a Himmelblau-joined host that enforces authorization by numeric GID (files/dirs, etc.) can be unintentionally accessible to a user who creates or joins a different Entra/O365 group that happens to share the same `displayName` as a privileged security group. Users should upgrade to 0.9.23, or 1.0.0 or later, to receive a patch. Group to GID mapping now uses Entra ID object IDs (GUIDs) and does not collide on same-name groups. As a workaround, use tenant policy hardening to restrict arbitrary group creation until all hosts are patched. | |
| CVE-2024-56433 | Low | 0.17 | 3.6 | 0.05 | Dec 26, 2024 | shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. | |
| CVE-2024-34063 | Low | 0.09 | 2.5 | 0.00 | May 3, 2024 | vodozemac is an implementation of Olm and Megolm in pure Rust. Versions 0.5.0 and 0.5.1 of vodozemac have degraded secret zeroization capabilities, due to changes in third-party cryptographic dependencies (the Dalek crates), which moved secret zeroization capabilities behind a feature flag and defaulted this feature to off. The degraded zeroization capabilities could result in the production of more memory copies of encryption secrets and secrets could linger in memory longer than necessary. This marginally increases the risk of sensitive data exposure. This issue has been addressed in version 0.6.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. |