CWE-521
Weak Password Requirements
BaseDraft
Description
The product does not require that users should have strong passwords.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-112 · CAPEC-16 · CAPEC-49 · CAPEC-509 · CAPEC-55 · CAPEC-555 · CAPEC-561 · CAPEC-565 · CAPEC-70
CVEs mapped to this weakness (30)
page 1 of 2| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-25715 | Cri | 0.64 | 9.8 | 0.00 | Feb 20, 2026 | The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials. | |
| CVE-2025-30127 | Cri | 0.64 | 9.8 | 0.00 | Aug 6, 2025 | An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Once access is gained either by default, common, or cracked passwords, the video recordings (containing sensitive routes, conversations, and footage) are open for downloading by creating a socket to command port 7777, and then downloading video via port 7778 and audio via port 7779. | |
| CVE-2025-25211 | Cri | 0.64 | 9.8 | 0.00 | Mar 31, 2025 | Weak password requirements issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, a brute-force attack may allow an attacker unauthorized access and login. | |
| CVE-2024-3263 | Cri | 0.64 | 9.8 | 0.00 | May 14, 2024 | YMS VIS Pro is an information system for veterinary and food administration, veterinarians and farm. Due to a combination of improper method for system credentials generation and weak password policy, passwords can be easily guessed and enumerated through brute force attacks. Successful attacks can lead to unauthorised access and execution of operations based on assigned user permissions. This vulnerability affects VIS Pro in versions <= 3.3.0.6. This vulnerability has been mitigated by changes in authentication mechanisms and implementation of additional authentication layer and strong password policies. | |
| CVE-2026-6284 | Cri | 0.59 | 9.1 | 0.00 | Apr 17, 2026 | An attacker with network access to the PLC is able to brute force discover passwords to gain unauthorized access to systems and services. The limited password complexity and no password input limiters makes brute force password enumeration possible. | |
| CVE-2026-41038 | Hig | 0.57 | 8.8 | 0.00 | Apr 21, 2026 | This vulnerability exists in Quantum Networks router due to lack of enforcement of strong password policies in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing password guessing or brute-force attacks against user accounts, leading to unauthorized access to the targeted device. | |
| CVE-2025-34058 | Hig | 0.57 | — | 0.03 | Jul 1, 2025 | Hikvision Streaming Media Management Server v2.3.5 uses default credentials that allow remote attackers to authenticate and access restricted functionality. After authenticating with these credentials, an attacker can exploit an arbitrary file read vulnerability in the /systemLog/downFile.php endpoint via directory traversal in the fileName parameter. This exploit chain can enable unauthorized access to sensitive system files. | |
| CVE-2024-25729 | Hig | 0.57 | 8.8 | 0.00 | Mar 8, 2024 | Arris SBG6580 devices have predictable default WPA2 security passwords that could lead to unauthorized remote access. (They use the first 6 characters of the SSID and the last 6 characters of the BSSID, decrementing the last octet.) | |
| CVE-2025-9964 | Hig | 0.56 | — | 0.00 | Sep 23, 2025 | No password for the root user is set in Novakon P series. This allows phyiscal attackers to enter the console easily. This issue affects P series: P – V2001.A.C518o2 until P-2.0.05 Build 2026.02.06 (commit d0f97fd9). | |
| CVE-2025-55299 | Cri | 0.54 | 9.4 | 0.00 | Aug 18, 2025 | VaulTLS is a modern solution for managing mTLS (mutual TLS) certificates. Prior to 0.9.1, user accounts created through the User web UI have an empty but not NULL password set, attackers can use this to login with an empty password. This is combined with that fact, that previously disabling the password based login only effected the frontend, but still allowed login via the API. This vulnerability is fixed in 0.9.1. | |
| CVE-2025-55034 | Hig | 0.53 | 8.2 | 0.00 | Nov 15, 2025 | General Industrial Controls Lynx+ Gateway is vulnerable to a weak password requirement vulnerability, which may allow an attacker to execute a brute-force attack resulting in unauthorized access and login. | |
| CVE-2022-39997 | Hig | 0.52 | 8.0 | 0.01 | Aug 27, 2024 | A weak password requirement issue was discovered in Teldats Router RS123, RS123w allows a remote attacker to escalate privileges | |
| CVE-2026-33771 | Hig | 0.48 | 7.4 | 0.00 | Apr 9, 2026 | A Weak Password Requirements vulnerability in the password management function of Juniper Networks CTP OS might allow an unauthenticated, network-based attacker to exploit weak passwords of local accounts and potentially take full control of the device. The password management menu enables the administrator to set password complexity requirements, but these settings are not saved. The issue can be verified with the menu option "Show password requirements". Failure to enforce the intended requirements can lead to weak passwords being used, which significantly increases the likelihood that an attacker can guess these and subsequently attain unauthorized access. This issue affects CTP OS versions 9.2R1 and 9.2R2. | |
| CVE-2023-41923 | Hig | 0.47 | 7.2 | 0.00 | Jul 2, 2024 | The user management section of the web application permits the creation of user accounts with excessively weak passwords, including single-character passwords. | |
| CVE-2025-67513 | Med | 0.45 | — | 0.00 | Dec 10, 2025 | FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6 digit numeric value which can be brute forced. (This is the app_password parameter). Depending on local configuration, this password could be the extension, voicemail, user manager, DPMA or EPM phone admin password. This issue is fixed in versions 16.0.96 and 17.0.10. | |
| CVE-2025-5022 | Med | 0.42 | 6.5 | 0.00 | Jul 10, 2025 | Weak Password Requirements vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to derive the password from the SSID. In addition, if the product is configured to enable the individual air conditioner control function, an attacker who has access to the Wi-Fi communication between the units by exploiting this vulnerability may be able to execute ECHONET Lite commands to perform operations such as turning the air conditioner on or off and changing the set temperature. The individual air conditioner control function is available only in display unit version 02.00.01 or later and measurement unit version 02.03.01 or later. The affected products discontinued in 2015, support ended in 2020. | |
| CVE-2024-51398 | Med | 0.42 | 6.5 | 0.00 | Nov 1, 2024 | Altai Technologies Ltd Altai X500 Indoor 22 802.11ac Wave 2 AP web Management Weak password leakage in the background may lead to unauthorized access, data theft, and network attacks, seriously threatening network security. | |
| CVE-2019-19145 | Med | 0.38 | 5.8 | 0.00 | Aug 1, 2025 | Quantum SuperLoader 3 V94.0 005E.0h devices allow attackers to access the hardcoded fa account because there are only 65536 possible passwords. | |
| CVE-2025-8182 | Med | 0.36 | 5.6 | 0.00 | Jul 26, 2025 | A vulnerability has been found in Tenda AC18 15.03.05.19 and classified as problematic. This vulnerability affects unknown code of the file /etc_ro/smb.conf of the component Samba. The manipulation leads to weak password requirements. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | |
| CVE-2025-46742 | Med | 0.28 | 4.3 | 0.00 | May 12, 2025 | Users who were required to change their password could still access system information before changing their password |