VYPR

CWE-1393

Use of Default Password

BaseIncomplete

Description

The product uses default passwords for potentially critical functionality.

It is common practice for products to be designed to use default passwords for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, then it makes it easier for attackers to quickly bypass authentication across multiple organizations. There are many lists of default passwords and default-password scanning tools that are easily available from the World Wide Web.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (21)

page 1 of 2
  • CVE-2025-26701CriMar 11, 2025
    risk 0.65cvss 10.0epss 0.00

    An issue was discovered in Percona PMM Server (OVA) before 3.0.0-1.ova. The default service account credentials can lead to SSH access, use of Sudo to root, and sensitive data exposure. This is fixed in PMM2 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, and…

  • CVE-2024-51555CriDec 5, 2024
    risk 0.65cvss 10.0epss 0.00

    Default Credentail vulnerabilities allows access to an Aspect device using publicly available default credentials since the system does not require the installer to change default credentials.  Affected products: ABB ASPECT - Enterprise v3.07.02; NEXUS Series v3.07.02; …

  • CVE-2026-35075CriJun 3, 2026
    risk 0.64cvss 9.8epss 0.00

    An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices.

  • CVE-2026-33784CriApr 9, 2026
    risk 0.64cvss 9.8epss 0.00

    A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high…

  • CVE-2026-22886CriMar 3, 2026
    risk 0.64cvss 9.8epss 0.00

    OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/ admin) and does not enforce a mandatory password change on first use. After the first successful login,…

  • CVE-2024-50588CriNov 8, 2024
    risk 0.64cvss 9.8epss 0.01

    An unauthenticated attacker with access to the local network of the medical office can use known default credentials to gain remote DBA access to the Elefant Firebird database. The data in the database includes patient data and login credentials among other sensitive data. …

  • CVE-2024-30802CriMay 14, 2024
    risk 0.64cvss 9.8epss 0.01

    An issue in Vehicle Management System 7.31.0.3_20230412 allows an attacker to escalate privileges via the login.html component.

  • CVE-2024-29666CriMar 25, 2024
    risk 0.64cvss 9.8epss 0.01

    Insecure Permissions vulnerability in Vehicle Monitoring platform system CMSV6 v.7.31.0.2 through v.7.32.0.3 allows a remote attacker to escalate privileges via the default password component.

  • CVE-2025-26793CriFeb 15, 2025
    risk 0.63cvss epss 0.02

    The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the…

  • CVE-2024-29021CriApr 18, 2024
    risk 0.59cvss 9.0epss 0.20

    Judge0 is an open-source online code execution system. The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code…

  • CVE-2026-2635CriFeb 20, 2026
    risk 0.57cvss 9.8epss 0.01

    MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the…

  • CVE-2025-8077CriSep 17, 2025
    risk 0.57cvss 9.8epss 0.01

    A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could…

  • CVE-2024-43659HigJan 9, 2025
    risk 0.47cvss 7.2epss 0.01

    After gaining access to the firmware of a charging station, a file at can be accessed to obtain default credentials that are the same across all Iocharger AC model EV chargers. This issue affects Iocharger firmware for AC models before firmware version 25010801. …

  • CVE-2024-36440MedAug 22, 2024
    risk 0.44cvss 6.8epss 0.00

    An issue was discovered on Swissphone DiCal-RED 4009 devices. An attacker with access to the file /etc/deviceconfig may recover the administrative device password via password-cracking methods, because unsalted MD5 is used.

  • CVE-2026-3186MedFeb 25, 2026
    risk 0.34cvss 6.3epss 0.00

    A vulnerability was determined in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this vulnerability is an unknown functionality of the file /api/admin/sys-user/reset/password/ of the component Password Reset Handler. This manipulation of the argument userId causes use…

  • CVE-2026-8672MedMay 22, 2026
    risk 0.33cvss 5.1epss 0.00

    Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords. This issue affects Avantra: before 25.3.0.

  • CVE-2025-9589LowAug 28, 2025
    risk 0.16cvss 2.5epss 0.00

    A vulnerability was determined in Cudy WR1200EA 2.3.7-20250113-121810. Affected is an unknown function of the file /etc/shadow. Executing manipulation can lead to use of default password. The attack needs to be launched locally. A high complexity level is associated with this…

  • CVE-2026-54445Jun 5, 2026
    risk 0.00cvss epss 0.00

    ### Impact Vantage6 currently provides an initial user with username `root` and password `root`. This is not ideal for the following reasons: - Attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights - The initial password…

  • CVE-2026-4404Mar 23, 2026
    risk 0.00cvss epss 0.01

    Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.

  • CVE-2025-43799Sep 15, 2025
    risk 0.00cvss epss 0.00

    Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has changed their…