CWE-1392
Use of Default Credentials
Abstraction: Base; Status: Incomplete
Description
The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.
It is common practice for products to be designed to use default keys, passwords, or other mechanisms for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.
Hierarchy (View 1000)
CVEs mapped to this weakness (47)
page 1 of 3

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-55051 | Critical | 0.65 | 10.0 | 0.00 | | Sep 9, 2025 | CWE-1392: Use of Default Credentials |
| CVE-2026-22886 | Critical | 0.64 | 9.8 | 0.00 | | Mar 3, 2026 | OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features. |
| CVE-2022-50803 | Critical | 0.64 | 9.8 | 0.00 | | Dec 30, 2025 | JM-DATA ONU JF511-TV version 1.0.67 uses default credentials that allow attackers to gain unauthorized access to the device with administrative privileges. |
| CVE-2025-10542 | Critical | 0.64 | 9.8 | 0.00 | | Sep 25, 2025 | iMonitor EAM 9.6394 ships with default administrative credentials that are also displayed within the management client’s connection dialog. If the administrator does not change these defaults, a remote attacker can authenticate to the EAM server and gain full control over monitored agents and data. This enables reading highly sensitive telemetry (including keylogger output) and issuing arbitrary actions to all connected clients. |
| CVE-2025-8731 | Critical | 0.64 | 9.8 | 0.00 | | Aug 8, 2025 | A vulnerability was identified in TRENDnet TI-G160i, TI-PG102i and TPL-430AP up to 20250724. This affects an unknown part of the component SSH Service. The manipulation leads to use of default credentials. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains: "For product TI-PG102i and TI-G160i, by default, the product's remote management options are all disabled. The root account is for troubleshooting purpose and the password is encrypted. However, we will remove the root account from the next firmware release. For product TPL-430AP, the initial setup process requires user to set the password for the management GUI. Once that was done, the default password will be invalid." |
| CVE-2024-12286 | Critical | 0.64 | 9.8 | 0.00 | | Dec 10, 2024 | MOBATIME Network Master Clock - DTS 4801 allows attackers to use SSH to gain initial access using default credentials. |
| CVE-2026-7428 | Critical | 0.60 | — | 0.00 | | May 12, 2026 | Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it. |
| CVE-2025-59108 | Critical | 0.60 | — | 0.00 | | Jan 26, 2026 | By default, the password for the Access Manager's web interface is set to 'admin'. In the tested version changing the password was not enforced. |
| CVE-2021-47707 | Critical | 0.60 | — | 0.00 | | Dec 9, 2025 | COMMAX CVD-Axx DVR 5.1.4 contains weak default administrative credentials that allow remote password attacks and disclose RTSP stream. Attackers can exploit this by sending a POST request with the 'passkey' parameter set to '1234', allowing them to access the web control panel. |
| CVE-2025-12592 | Critical | 0.60 | — | 0.00 | | Nov 19, 2025 | Legacy Vivotek Device firmware uses default credentials for the root and user login accounts. |
| CVE-2023-27573 | Critical | 0.59 | 9.0 | 0.00 | | Mar 11, 2026 | netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all users changed the password but only about 90% changed the token. Having a default token value was intentional and was valuable for the main intended use case of the netbox-docker product (isolated development networks). Some users engaged in an effort to repurpose netbox-docker for production. The documentation for this effort stated that the defaults must not be used. However, installation did not ensure non-default values. The Supplier was aware of the CVE ID assignment and did not object to the assignment. |
| CVE-2025-29629 | Critical | 0.59 | 9.1 | 0.00 | | Jul 25, 2025 | Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 use weak default credentials for secure shell access. This may result in attackers gaining access to exposed Gardyn Home Kits. |
| CVE-2026-42072 | Critical | 0.57 | 9.8 | 0.00 | | May 8, 2026 | Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-ms HNSW search, graph traversal, and writes. Prior to version 1.0.42-hotfix, the --address CLI flag (and NORNICDB_ADDRESS / server.host config key) is plumbed through to the HTTP server correctly but never reaches the Bolt server config. The Bolt listener therefore always binds to the wildcard address (all interfaces), regardless of what the user configures. On a LAN, this exposes the graph database — with its default admin:password credentials — to any device sharing the network. This issue has been patched in version 1.0.42-hotfix. |
| CVE-2025-7740 | High | 0.57 | — | 0.00 | | Jan 28, 2026 | Default credentials vulnerability exists in SuprOS product. If exploited, this could allow an authenticated local attacker to use an admin account created during product deployment. |
| CVE-2025-6529 | High | 0.57 | 8.8 | 0.01 | | Jun 23, 2025 | A vulnerability was found in 70mai M300 up to 20250611 and classified as critical. Affected by this issue is some unknown functionality of the component Telnet Service. The manipulation leads to use of default credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-28093 | High | 0.57 | 8.8 | 0.00 | | Mar 26, 2024 | The TELNET service of AdTran NetVanta 3120 18.01.01.00.E devices is enabled by default, and has default credentials for a root-level account. |
| CVE-2025-54756 | High | 0.55 | 8.4 | 0.00 | | Feb 12, 2026 | BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or series 5 prior to v9.0.166 use a default password that is guessable with knowledge of the device information. The latest release fixes this issue for new installations; users of old installations are encouraged to change all default passwords. |
| CVE-2024-12902 | High | 0.55 | 8.4 | 0.00 | | Dec 23, 2024 | ANCHOR from Global Wisdom Software is an integrated product running on a Windows virtual machine. The underlying Windows OS of the product contains high-privilege service accounts. If these accounts use default passwords, attackers could remotely log in to the virtual machine using the default credentials. |
| CVE-2024-4622 | High | 0.54 | — | 0.00 | | May 15, 2024 | If misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface protected by authentication. If the default credentials are not changed, an attacker can use public knowledge to access the device as an administrator. |
| CVE-2026-1803 | High | 0.53 | 8.1 | 0.00 | | Feb 3, 2026 | A weakness has been identified in Ziroom ZHOME A0101 1.0.1.0. Impacted is an unknown function of the component Dropbear SSH Service. This manipulation causes use of default credentials. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |