CWE-1391: Use of Weak Credentials
CWE version: 4.18
Last updated: 2025-09-09
Description
The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.
Observed Examples
Reference: [REF-1374]
Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (CWE-392), thus reducing the entropy (CWE-332) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (CWE-1391)
Reference: CVE-2022-30270
Remote Terminal Unit (RTU) uses default credentials for some SSH accounts
Reference: CVE-2022-29965
Distributed Control System (DCS) uses a deterministic algorithm to generate utility passwords
Reference: CVE-2022-30271
Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments
Reference: CVE-2021-38759
microcontroller board has default password, allowing admin access
Reference: CVE-2021-41192
data visualization/sharing package uses default secret keys or cookie values if they are not specified in environment variables
Reference: CVE-2020-8994
UART interface for AI speaker uses empty password for root shell
Reference: CVE-2020-27020
password manager does not generate cryptographically strong passwords, allowing prediction of passwords using guessable details such as time of generation
Reference: CVE-2020-8632
password generator for cloud application has small length value, making it easier for brute-force guessing
Reference: CVE-2020-5365
network-attached storage (NAS) system has predictable default passwords for a diagnostics/support account
Reference: CVE-2020-5248
IT asset management app has a default encryption key that is the same across installations
Reference: CVE-2018-3825
cloud cluster management product has a default master encryption key
Reference: CVE-2012-3503
Installation script has a hard-coded secret token value, allowing attackers to bypass authentication
Reference: CVE-2010-2306
Intrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic
Reference: CVE-2001-0618
Residential gateway uses the last 5 digits of the 'Network Name' or SSID as the default WEP key, which allows attackers to get the key by sniffing the SSID, which is sent in the clear
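Two of the patterns above recur across the list: a password generator whose output is only as secret as a guessable seed (CVE-2020-27020, CVE-2022-29965), and a product that silently substitutes a shipped default when the operator supplies no secret (CVE-2021-41192, CVE-2020-5248, CVE-2018-3825). The following Python is an added illustration written for this page; it is not code from MITRE or from any of the affected products. It places the weak form of each pattern beside a corrected form and adds two review-side checks: an entropy estimate that credits a seeded generator with no more entropy than its seed space, and a startup validator that refuses known default values. The variable name APP_SECRET, the denylist, and the 32-byte and 16-character minimums are assumptions chosen for the example.

```python
import math
import random
import secrets
import string
from typing import Dict, Optional

ALPHABET = string.ascii_letters + string.digits  # 62 symbols

# --- Pattern 1: predictable password generation (cf. CVE-2020-27020) ---------

def weak_generate(length: int, seed: int) -> str:
    """Anti-pattern: a deterministic PRNG seeded with a guessable value such as
    the time of generation. Equal seeds yield equal passwords, so the password
    is no more secret than the seed."""
    rng = random.Random(seed)  # Mersenne Twister, not a CSPRNG
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_generate(length: int = 20) -> str:
    """Corrected form: draw from the OS CSPRNG through the secrets module.
    There is no seed to guess and the output is not reproducible."""
    if length < 16:  # assumed policy minimum for this example
        raise ValueError("password length below policy minimum")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def effective_entropy_bits(length: int, seed_space: int,
                           alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy a reviewer should credit a seeded generator with: the smaller of
    the nominal output entropy and log2 of the number of distinct seeds.
    A one-second timestamp known to within a day has only 86400 values."""
    nominal = length * math.log2(alphabet_size)
    return min(nominal, math.log2(seed_space))

# --- Pattern 2: silent fallback to a default secret (cf. CVE-2021-41192) -----

DEFAULT_SECRET = "changeme"  # constructed placeholder of the kind shipped in sample configs

# Constructed denylist; a real deployment would load this from a maintained list.
KNOWN_WEAK_SECRETS = {"", "changeme", "secret", "password", "default", DEFAULT_SECRET}

def load_secret_insecure(env: Dict[str, str]) -> str:
    """Anti-pattern: when the operator forgets to set APP_SECRET, every
    installation silently shares the same key."""
    return env.get("APP_SECRET", DEFAULT_SECRET)

def validate_secret(value: Optional[str], min_bytes: int = 32) -> Optional[str]:
    """Return None if `value` is acceptable, otherwise the reason it is not.
    The thresholds are this example's assumptions, not a published standard."""
    if value is None:
        return "APP_SECRET is not set"
    if value.strip().lower() in KNOWN_WEAK_SECRETS:
        return "APP_SECRET is a known default/placeholder value"
    if len(value.encode()) < min_bytes:
        return f"APP_SECRET is shorter than {min_bytes} bytes"
    if len(set(value)) < 8:
        return "APP_SECRET has too few distinct characters"
    return None

def load_secret(env: Dict[str, str]) -> str:
    """Corrected form: fail closed at startup instead of substituting a default."""
    reason = validate_secret(env.get("APP_SECRET"))
    if reason is not None:
        raise RuntimeError(f"refusing to start: {reason}")
    return env["APP_SECRET"]

if __name__ == "__main__":
    # Constructed inputs: the same seed twice, then the generator rated
    # against a one-day window of one-second timestamps.
    print(weak_generate(12, 1600000000), weak_generate(12, 1600000000))
    print(f"credited entropy, 12 chars, 1-day seed window: "
          f"{effective_entropy_bits(12, 86400):.1f} bits")
    print("CSPRNG password:", strong_generate(20))
    print("insecure loader falls back to:", load_secret_insecure({}))
    for env in ({}, {"APP_SECRET": "changeme"},
                {"APP_SECRET": secrets.token_hex(32)}):
        try:
            print("accepted a secret of", len(load_secret(env)), "chars")
        except RuntimeError as exc:
            print(exc)
```

The entropy check is the part worth carrying into code review: a 12-character alphanumeric password nominally carries about 71 bits, but if the generator is seeded from a clock the reviewer should credit it with log2(seed space) instead, about 16 bits for a day's worth of seconds. The validator is deliberately a denylist plus length and variety floors rather than a strength meter, because the goal is to reject shipped defaults and empty values at startup, not to grade operator-chosen secrets.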
Modes of Introduction
| Phase | Note |
|---|---|
| Requirements | - |
| Architecture and Design | - |
| Installation | - |
| Operation | - |
Applicable Platforms
Languages
Operating Systems
Technologies
Taxonomy Mappings
| Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| ISA/IEC 62443 | Part 2-4 | Req SP.09.02 RE(1) | - |
| ISA/IEC 62443 | Part 4-1 | Req SR-3 b) | - |
| ISA/IEC 62443 | Part 4-1 | Req SI-2 b) | - |
| ISA/IEC 62443 | Part 4-1 | Req SI-2 d) | - |
| ISA/IEC 62443 | Part 4-1 | Req SG-3 d) | - |
| ISA/IEC 62443 | Part 4-1 | Req SG-6 b) | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 1.1 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 1.2 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 1.5 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 1.7 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 1.8 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 1.9 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 1.14 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 2.1 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 4.3 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 7.5 | - |