CWE-1393: Use of Default Password

Base Incomplete Simple

CWE Version: 4.18

Last Updated: 2025-09-09

Description

The product uses default passwords for potentially critical functionality.

Extended Description

It is common practice for products to be designed to use default passwords for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if administrators do not change the defaults, attackers can bypass authentication quickly and at scale, since the same credential works across every organization that deployed the product. Many lists of default passwords, and scanning tools that try them automatically, are freely available on the Web.
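The defensive counterpart of the default-password scanners mentioned above is an audit of a product's own account store for accounts still protected by a well-known or blank password. The following is an added example, not code from the CWE entry: it compares stored salted PBKDF2 hashes against a small illustrative default-credential list (real lists are far longer) and against the blank password, so the audit never needs plaintext. The account table, salts and usernames are constructed for the example.

```python
import hashlib
import hmac

# Added example (not from the CWE entry): scan a local account table for
# accounts still protected by a well-known default or blank password.
ITERATIONS = 100_000

# Illustrative subset of a default-credential list; real lists are far longer.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "toor"), ("operator", "operator"),
]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(user: str, password: str, salt: bytes) -> dict:
    """Build one stored account row (salted PBKDF2-HMAC-SHA256 hash, no plaintext)."""
    return {"user": user, "salt": salt, "hash": _hash(password, salt)}


def audit_default_credentials(records, defaults=DEFAULT_CREDENTIALS):
    """Return (user, reason) for every account whose hash matches a known
    default password for that username, or a blank password for any username.
    Only hashes are compared, so the audit never handles plaintext passwords."""
    by_user = {}
    for user, pw in defaults:
        by_user.setdefault(user, set()).add(pw)

    findings = []
    for rec in records:
        # The blank password is checked for every account; per-user defaults next.
        candidates = [("blank", "")]
        candidates += [("default", pw) for pw in sorted(by_user.get(rec["user"], ()))]
        for reason, pw in candidates:
            if hmac.compare_digest(_hash(pw, rec["salt"]), rec["hash"]):
                findings.append((rec["user"], reason))
                break
    return findings


# Constructed sample table: two accounts left at defaults, one properly set.
# Fixed salts are used here only so the example is deterministic.
SAMPLE_ACCOUNTS = [
    make_record("admin", "admin", b"salt-for-admin-1"),
    make_record("root", "", b"salt-for-root-01"),
    make_record("svc_backup", "N3v3r-a-default!", b"salt-for-svc-001"),
]

if __name__ == "__main__":
    for user, reason in audit_default_credentials(SAMPLE_ACCOUNTS):
        print(f"{user}: still using {reason} password")
```

Running the audit against the constructed table reports `admin` (default) and `root` (blank) and is silent about `svc_backup`. Because the check is hash-based, it can be run as a post-install or periodic self-test without the product ever knowing the real password of a correctly configured account.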

Common Consequences

Scope: Authentication

Technical Impact: Gain Privileges or Assume Identity

Potential Mitigations

Phase: Requirements

Description: Prohibit the use of default, hard-coded, or other credential values that do not vary for each installation of the product, especially across separate organizations.

Effectiveness: High

Phase: Documentation

Description: Ensure that product documentation clearly emphasizes the presence of default passwords and provides steps for the administrator to change them.

Effectiveness: Limited

Phase: Architecture and Design

Description: Force the administrator to change the credential upon installation.

Effectiveness: High

Phase: Installation; Operation

Description: The product administrator can change the defaults upon installation or during operation.

Effectiveness: Moderate
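The two High-effectiveness mitigations above (no credential that is identical across installations, and a forced change at installation) can be combined in the install flow itself. The following is an added example, not code from the CWE entry or any product: a minimal account store for a hypothetical appliance, showing the vulnerable fixed `admin`/`admin` pattern beside a hardened flow that generates a per-installation credential and refuses to grant a session until the first login replaces it with a non-default password. Function names, the password policy and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Added example (not from the CWE entry): contrast a shipped fixed default with
# a per-installation credential that must be rotated at first login.
ITERATIONS = 100_000
KNOWN_DEFAULTS = {"admin", "password", "root", "12345", "default", ""}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def is_weak(password: str) -> bool:
    """Reject blank, too-short and well-known default passwords (assumed policy)."""
    return len(password) < 12 or password.lower() in KNOWN_DEFAULTS


class AccountStore:
    def __init__(self):
        self.accounts = {}

    def add(self, user: str, password: str, must_change: bool = False) -> None:
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "hash": _hash(password, salt),
                               "must_change": must_change}

    def verify(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"])

    def set_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct["salt"] = os.urandom(16)
        acct["hash"] = _hash(new_password, acct["salt"])
        acct["must_change"] = False


def install_with_fixed_default(store: AccountStore) -> None:
    # Vulnerable pattern: the same admin/admin on every unit shipped (CWE-1393).
    store.add("admin", "admin")


def install_with_generated_credential(store: AccountStore) -> str:
    # Hardened pattern: a credential that varies per installation, flagged so the
    # first login cannot complete until the administrator replaces it.
    initial = secrets.token_urlsafe(16)
    store.add("admin", initial, must_change=True)
    return initial  # shown once on the console or a device label; never kept in clear


def login(store: AccountStore, user: str, password: str,
          new_password: Optional[str] = None) -> str:
    """Return 'denied', 'change_required' or 'ok'. No session until rotation is done."""
    if not store.verify(user, password):
        return "denied"
    acct = store.accounts[user]
    if acct["must_change"]:
        # Reuse of the initial credential or a known default is not a rotation.
        if new_password is None or new_password == password or is_weak(new_password):
            return "change_required"
        store.set_password(user, new_password)
    return "ok"


if __name__ == "__main__":
    weak = AccountStore()
    install_with_fixed_default(weak)
    print("fixed default, guess from a public list:", login(weak, "admin", "admin"))

    strong = AccountStore()
    initial = install_with_generated_credential(strong)
    print("generated credential, guess from a public list:", login(strong, "admin", "admin"))
    print("first login without rotation:", login(strong, "admin", initial))
    print("first login with rotation:", login(strong, "admin", initial, "Q7v!longer-secret-2024"))
    print("initial credential after rotation:", login(strong, "admin", initial))
```

In the hardened flow the generated value is only a bootstrap credential: it is unique to the unit, it is never accepted for a working session, and it stops working the moment the administrator picks a real password. The Moderate-effectiveness mitigation (relying on the administrator to change the default later) is what remains if the product skips the `must_change` gate.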

Observed Examples

Reference: CVE-2022-30270

Remote Terminal Unit (RTU) uses default credentials for some SSH accounts

Reference: CVE-2022-2336

OPC Unified Architecture (OPC UA) industrial automation product has a default password

Reference: CVE-2021-38759

microcontroller board has default password

Reference: CVE-2021-44480

children's smart watch has default passwords allowing attackers to send SMS commands and listen to the device's surroundings

Reference: CVE-2020-11624

surveillance camera has default password for the admin account

Reference: CVE-2018-15719

medical dental records product installs a MySQL database with a blank default password

Reference: CVE-2014-9736

healthcare system for archiving patient images has default passwords for key management and storage databases

Reference: CVE-2000-1209

database product installs admin account with a default null password, allowing elevated privileges, as exploited by various worms

Modes of Introduction

Phase: Architecture and Design

Note: -

Applicable Platforms

Languages
Not Language-Specific (Undetermined)
Operating Systems
Not OS-Specific (Undetermined)
Technologies
Not Technology-Specific (Undetermined)
ICS/OT (Undetermined)
Key Information

CWE ID: CWE-1393

Abstraction: Base

Structure: Simple

Status: Incomplete

Related Weaknesses