CWE-1392: Use of Default Credentials

Base Incomplete Simple

CWE Version: 4.18

Updated: 2025-09-09

Weakness Description

The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.

Extended Description

It is common practice for products to be designed to use default keys, passwords, or other mechanisms for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.

Common Consequences

Scope: Authentication

Technical Impact: Gain Privileges or Assume Identity

Potential Mitigations

Phase: Requirements

描述: Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Effectiveness: High

Phase: Architecture and Design

描述: Force the administrator to change the credential upon installation.

Effectiveness: High

Phase: Installation, Operation

描述: The product administrator could change the defaults upon installation or during operation.

Effectiveness: Moderate

Observed Examples

Reference: CVE-2022-30270
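The three mitigations above (no installation-invariant values, forced change at install time, operator-changeable defaults) can be contrasted in code. The following is an added example, not part of the CWE entry and not code from any product named in it. It shows the vulnerable configuration-loading pattern described by the observed examples (a secret key falling back to a shipped default when no environment variable is set) beside a hardened loader that rejects known defaults and otherwise generates a per-installation secret once and persists it with owner-only permissions. The variable name `APP_SECRET_KEY`, the default value `changeme`, the `KNOWN_DEFAULTS` list and the `secret_key` file name are all assumptions made for the example.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Constructed example value: the kind of fallback a shipped config file or
# container image would carry. Any fixed value here is the CWE-1392 problem,
# because every installation that forgets to override it shares the same secret.
SHIPPED_DEFAULT_SECRET = "changeme"

# Illustrative list (an assumption for this example) of values that an
# installation must never run with, even if an operator supplies them explicitly.
KNOWN_DEFAULTS = {SHIPPED_DEFAULT_SECRET, "", "admin", "password", "secret"}
MIN_SECRET_LEN = 32


def load_secret_insecure(env):
    """Vulnerable pattern: silently fall back to a default shared by every install."""
    return env.get("APP_SECRET_KEY", SHIPPED_DEFAULT_SECRET)


def load_secret_hardened(env, state_dir):
    """Hardened pattern.

    An operator-supplied secret is accepted only if it is not a known default
    and is long enough. When none is supplied, a per-installation secret is
    generated on first start and persisted with mode 0600, so each deployment
    ends up with its own value instead of a product-wide one.
    """
    supplied = env.get("APP_SECRET_KEY")
    if supplied is not None:
        if supplied in KNOWN_DEFAULTS or len(supplied) < MIN_SECRET_LEN:
            raise RuntimeError("APP_SECRET_KEY is a default or too short; refusing to start")
        return supplied

    secret_file = Path(state_dir) / "secret_key"
    if secret_file.exists():
        return secret_file.read_text().strip()

    fresh = secrets.token_urlsafe(48)  # 64 URL-safe chars, 384 bits of entropy
    # O_EXCL guards against a race where two processes both try to create the file.
    fd = os.open(secret_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(fresh)
    return fresh


def demo():
    """Run both loaders in throwaway state directories and return what was observed."""
    results = {}
    results["insecure_is_shared"] = load_secret_insecure({}) == SHIPPED_DEFAULT_SECRET
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        first = load_secret_hardened({}, a)
        again = load_secret_hardened({}, a)   # same install: same secret
        other = load_secret_hardened({}, b)   # different install: different secret
        results["stable_per_install"] = first == again
        results["differs_between_installs"] = first != other
        results["strong_length"] = len(first) >= MIN_SECRET_LEN
        results["file_mode_owner_only"] = (
            os.stat(Path(a) / "secret_key").st_mode & 0o777
        ) == 0o600
        try:
            load_secret_hardened({"APP_SECRET_KEY": SHIPPED_DEFAULT_SECRET}, a)
            results["rejects_default"] = False
        except RuntimeError:
            results["rejects_default"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The insecure loader corresponds to the Installation/Operation mitigation at its weakest: an operator could change the value, but nothing makes them. The hardened loader implements the Requirements mitigation (no value that is identical across installations) and fails closed when handed a known default, which is the configuration-level equivalent of forcing a credential change before the product will serve requests.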

Remote Terminal Unit (RTU) uses default credentials for some SSH accounts

Reference: CVE-2021-41192

data visualization/sharing package uses default secret keys or cookie values if they are not specified in environment variables

Reference: CVE-2021-38759

microcontroller board has default password

Reference: CVE-2018-3825

cloud cluster management product has a default master encryption key

Reference: CVE-2010-2306

Intrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic

Modes of Introduction

Phase: Architecture and Design
Note: -

Applicable Platforms

Languages
Not Language-Specific (Undetermined)
Operating Systems
Not OS-Specific (Undetermined)
Technologies
ICS/OT (Undetermined)
Not Technology-Specific (Undetermined)

Key Information

CWE ID: CWE-1392

Abstraction: Base

Structure: Simple

Status: Incomplete

Related Weaknesses