CWE-1391
Use of Weak Credentials
Description
The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.
Hierarchy (View 1000)
CVEs mapped to this weakness (35)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-47325 | | Med | 0.45 | — | 0.00 | | Jun 3, 2026 | ProjectsAndPrograms school-management-system uses predictable credentials by generating student's and teacher's passwords solely from the user’s date of birth (e.g., 12072000 for 12 July 2000). The application does not require or prompt users to change the password upon first… |
| CVE-2024-42027 | | Med | 0.44 | 6.7 | 0.01 | | Oct 7, 2024 | The E2EE password entropy generated by Rocket.Chat Mobile prior to version 4.5.1 is insufficient, allowing attackers to crack it if they have the appropriate time and resources. |
| CVE-2024-33849 | | Med | 0.42 | 6.5 | 0.00 | | May 28, 2024 | ci solution CI-Out-of-Office Manager through 6.0.0.77 uses a Hard-coded Cryptographic Key. |
| CVE-2024-21865 | | Med | 0.42 | 6.5 | 0.00 | | Mar 25, 2024 | HGW BL1500HM Ver 002.001.013 and earlier contains a use of weak credentials issue. A network-adjacent unauthenticated attacker may connect to the product via SSH and use a shell. |
| CVE-2024-11717 | | Med | 0.41 | — | 0.01 | | Jan 2, 2025 | Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means that during token expiration time an on-path attacker might… |
| CVE-2026-4377 | | Med | 0.39 | — | 0.00 | | May 28, 2026 | Dlink DWR-X1820 router uses weak default password generated from its IMEI number and does not require users to change it. An attacker who knows how passwords are generated can easily crack the default password if they have the device IMEI number. This issue was fixed in… |
| CVE-2026-45363 | | High | 0.39 | — | 0.00 | | May 18, 2026 | `JWT.decode(token, '', true, algorithm: 'HS256')` accepts an attacker-forged token. `OpenSSL::HMAC.digest('SHA256', '', payload)` returns a valid digest under an empty key, and no `raise InvalidKeyError if key.empty?` precondition exists in the HMAC algorithm. ```… |
| CVE-2025-22936 | | Med | 0.37 | 5.7 | 0.00 | | Feb 6, 2025 | An issue in Smartcom Bulgaria AD Smartcom Ralink CPE/WiFi router SAM-4G1G-TT-W-VC, SAM-4F1F-TT-W-A1 allows a remote attacker to obtain sensitive information via the Weak default WiFi password generation algorithm in WiFi routers. |
| CVE-2026-24449 | | Med | 0.30 | 4.6 | 0.00 | | Feb 3, 2026 | For WRC-X1500GS-B and WRC-X1500GSA-B, the initial passwords can be calculated easily from the system information. |
| CVE-2025-4057 | | Med | 0.29 | 5.5 | 0.00 | | May 26, 2025 | A flaw was found in ActiveMQ Artemis. The password generated by activemq-artemis-operator does not regenerate between separated CR dependencies. |
| CVE-2025-32471 | — | Low | 0.24 | 3.7 | 0.00 | | Apr 28, 2025 | The device’s passwords have not been adequately salted, making them vulnerable to password extraction attacks. |
| CVE-2025-1081 | | Low | 0.20 | 3.1 | 0.00 | | Feb 6, 2025 | A vulnerability was found in Bharti Airtel Xstream Fiber up to 20250123. It has been rated as problematic. This issue affects some unknown processing of the component WiFi Password Handler. The manipulation leads to use of weak credentials. The attack needs to be done within the… |
| CVE-2024-7558 | | | 0.00 | — | 0.01 | | Oct 2, 2024 | JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the… |
| CVE-2023-37266 | — | | 0.00 | — | 0.06 | | Jul 17, 2023 | CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs… |
| CVE-2014-7845 | | | 0.00 | — | 0.02 | | Nov 24, 2014 | The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack. |