CWE-1393
Use of Default Password
Description
The product uses default passwords for potentially critical functionality.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (21)
page 1 of 2

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-26701 | | Cri | 0.65 | 10.0 | 0.00 | | Mar 11, 2025 | An issue was discovered in Percona PMM Server (OVA) before 3.0.0-1.ova. The default service account credentials can lead to SSH access, use of Sudo to root, and sensitive data exposure. This is fixed in PMM2 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, and… |
| CVE-2024-51555 | | Cri | 0.65 | 10.0 | 0.00 | | Dec 5, 2024 | Default Credential vulnerabilities allows access to an Aspect device using publicly available default credentials since the system does not require the installer to change default credentials. Affected products: ABB ASPECT - Enterprise v3.07.02; NEXUS Series v3.07.02; … |
| CVE-2026-35075 | — | Cri | 0.64 | 9.8 | 0.00 | | Jun 3, 2026 | An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices. |
| CVE-2026-33784 | — | Cri | 0.64 | 9.8 | 0.00 | | Apr 9, 2026 | A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high… |
| CVE-2026-22886 | | Cri | 0.64 | 9.8 | 0.00 | | Mar 3, 2026 | OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/ admin) and does not enforce a mandatory password change on first use. After the first successful login,… |
| CVE-2024-50588 | | Cri | 0.64 | 9.8 | 0.01 | | Nov 8, 2024 | An unauthenticated attacker with access to the local network of the medical office can use known default credentials to gain remote DBA access to the Elefant Firebird database. The data in the database includes patient data and login credentials among other sensitive data. … |
| CVE-2024-30802 | — | Cri | 0.64 | 9.8 | 0.01 | | May 14, 2024 | An issue in Vehicle Management System 7.31.0.3_20230412 allows an attacker to escalate privileges via the login.html component. |
| CVE-2024-29666 | — | Cri | 0.64 | 9.8 | 0.01 | | Mar 25, 2024 | Insecure Permissions vulnerability in Vehicle Monitoring platform system CMSV6 v.7.31.0.2 through v.7.32.0.3 allows a remote attacker to escalate privileges via the default password component. |
| CVE-2025-26793 | | Cri | 0.63 | — | 0.02 | | Feb 15, 2025 | The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the… |
| CVE-2024-29021 | | Cri | 0.59 | 9.0 | 0.20 | | Apr 18, 2024 | Judge0 is an open-source online code execution system. The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code… |
| CVE-2026-2635 | | Cri | 0.57 | 9.8 | 0.01 | | Feb 20, 2026 | MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the… |
| CVE-2025-8077 | | Cri | 0.57 | 9.8 | 0.01 | | Sep 17, 2025 | A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could… |
| CVE-2024-43659 | | Hig | 0.47 | 7.2 | 0.01 | | Jan 9, 2025 | After gaining access to the firmware of a charging station, a file at can be accessed to obtain default credentials that are the same across all Iocharger AC model EV chargers. This issue affects Iocharger firmware for AC models before firmware version 25010801. … |
| CVE-2024-36440 | | Med | 0.44 | 6.8 | 0.00 | | Aug 22, 2024 | An issue was discovered on Swissphone DiCal-RED 4009 devices. An attacker with access to the file /etc/deviceconfig may recover the administrative device password via password-cracking methods, because unsalted MD5 is used. |
| CVE-2026-3186 | | Med | 0.34 | 6.3 | 0.00 | | Feb 25, 2026 | A vulnerability was determined in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this vulnerability is an unknown functionality of the file /api/admin/sys-user/reset/password/ of the component Password Reset Handler. This manipulation of the argument userId causes use… |
| CVE-2026-8672 | | Med | 0.33 | 5.1 | 0.00 | | May 22, 2026 | Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords. This issue affects Avantra: before 25.3.0. |
| CVE-2025-9589 | | Low | 0.16 | 2.5 | 0.00 | | Aug 28, 2025 | A vulnerability was determined in Cudy WR1200EA 2.3.7-20250113-121810. Affected is an unknown function of the file /etc/shadow. Executing manipulation can lead to use of default password. The attack needs to be launched locally. A high complexity level is associated with this… |
| CVE-2026-54445 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | Impact: Vantage6 currently provides an initial user with username `root` and password `root`. This is not ideal for the following reasons: - Attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights - The initial password… |
| CVE-2026-4404 | | | 0.00 | — | 0.01 | | Mar 23, 2026 | Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI. |
| CVE-2025-43799 | | | 0.00 | — | 0.00 | | Sep 15, 2025 | Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has changed their… |