CWE-521
Weak Password Requirements
Description
The product does not require that users should have strong passwords.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-112 · CAPEC-16 · CAPEC-49 · CAPEC-509 · CAPEC-55 · CAPEC-555 · CAPEC-561 · CAPEC-565 · CAPEC-70
CVEs mapped to this weakness (85)
page 2 of 5

| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-1000134 | — | Critical | 0.57 | 9.8 | 0.05 | | Mar 16, 2018 | UnboundID LDAP SDK version from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6, where the issue was reported and fixed contains an Incorrect Access Control vulnerability in process function in SimpleBindRequest class doesn't… |
| CVE-2025-9964 | — | High | 0.56 | — | 0.00 | | Sep 23, 2025 | No password for the root user is set in Novakon P series. This allows physical attackers to enter the console easily. This issue affects P series: P – V2001.A.C518o2 until P-2.0.05 Build 2026.02.06 (commit d0f97fd9). |
| CVE-2025-55299 | — | Critical | 0.54 | 9.4 | 0.00 | | Aug 18, 2025 | VaulTLS is a modern solution for managing mTLS (mutual TLS) certificates. Prior to 0.9.1, user accounts created through the User web UI have an empty but not NULL password set, attackers can use this to login with an empty password. This is combined with that fact, that… |
| CVE-2025-55034 | — | High | 0.53 | 8.2 | 0.00 | | Nov 15, 2025 | General Industrial Controls Lynx+ Gateway is vulnerable to a weak password requirement vulnerability, which may allow an attacker to execute a brute-force attack resulting in unauthorized access and login. |
| CVE-2022-39997 | — | High | 0.52 | 8.0 | 0.00 | | Aug 27, 2024 | A weak password requirement issue was discovered in Teldats Router RS123, RS123w allows a remote attacker to escalate privileges |
| CVE-2017-9818 | — | High | 0.49 | 7.5 | 0.01 | | Aug 24, 2018 | The National Payments Corporation of India BHIM application 1.3 for Android relies on a four-digit passcode, which makes it easier for attackers to obtain access. |
| CVE-2018-0204 | — | High | 0.49 | 7.5 | 0.02 | | Feb 22, 2018 | A vulnerability in the web portal of the Cisco Prime Collaboration Provisioning Tool could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition for individual users. The vulnerability is due to weak login controls. An attacker could exploit… |
| CVE-2026-33771 | — | High | 0.48 | 7.4 | 0.00 | | Apr 9, 2026 | A Weak Password Requirements vulnerability in the password management function of Juniper Networks CTP OS might allow an unauthenticated, network-based attacker to exploit weak passwords of local accounts and potentially take full control of the device. The password management… |
| CVE-2023-41923 | — | High | 0.47 | 7.2 | 0.00 | | Jul 2, 2024 | The user management section of the web application permits the creation of user accounts with excessively weak passwords, including single-character passwords. |
| CVE-2018-1101 | — | High | 0.47 | 7.2 | 0.02 | | May 2, 2018 | Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation. System administrators that are members of organizations can have their passwords reset by organization administrators, allowing… |
| CVE-2018-6312 | — | High | 0.47 | 7.2 | 0.01 | | Mar 10, 2018 | A privileged account with a weak default password on the Foxconn femtocell FEMTO AP-FC4064-T version AP_GT_B38_5.8.3lb15-W47 LTE Build 15 can be used to turn on the TELNET service via the web interface, which allows root login without any password. This vulnerability will lead… |
| CVE-2017-6339 | — | Medium | 0.46 | 6.5 | 0.04 | | Apr 5, 2017 | Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 mismanages certain key and certificate data. Per IWSVA documentation, by default, IWSVA acts as a private Certificate Authority (CA) and dynamically generates digital certificates that are sent to… |
| CVE-2025-67513 | — | Medium | 0.45 | — | 0.00 | | Dec 10, 2025 | FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6 digit numeric value which can be brute forced. (This is the app_password… |
| CVE-2025-5022 | — | Medium | 0.42 | 6.5 | 0.01 | | Jul 10, 2025 | Weak Password Requirements vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit… |
| CVE-2024-51398 | — | Medium | 0.42 | 6.5 | 0.00 | | Nov 1, 2024 | Altai Technologies Ltd Altai X500 Indoor 22 802.11ac Wave 2 AP web Management Weak password leakage in the background may lead to unauthorized access, data theft, and network attacks, seriously threatening network security. |
| CVE-2017-7306 | — | Medium | 0.42 | 6.4 | 0.00 | | Apr 4, 2017 | Riverbed RiOS through 9.6.0 has a weak default password for the secure vault, which makes it easier for physically proximate attackers to defeat the secure-vault protection mechanism by leveraging knowledge of the password algorithm and the appliance serial number. NOTE: the… |
| CVE-2025-22228 | — | High | 0.41 | 7.4 | 0.01 | | Mar 20, 2025 | BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same. |
| CVE-2018-5389 | — | Medium | 0.39 | 5.9 | 0.03 | | Sep 6, 2018 | The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known, that the aggressive mode of IKEv1 PSK is… |
| CVE-2024-40684 | — | Medium | 0.38 | 5.9 | 0.00 | | May 27, 2026 | IBM Operations Analytics - Log Analysis 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, and 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, 1.3.8.4 IBM SmartCloud Analytics - Log Analysis does not require that users should have strong passwords by default,… |
| CVE-2019-19145 | — | Medium | 0.38 | 5.8 | 0.00 | | Aug 1, 2025 | Quantum SuperLoader 3 V94.0 005E.0h devices allow attackers to access the hardcoded fa account because there are only 65536 possible passwords. |