CWE-1391 Detail

CWE-1391

Use of Weak Credentials
Incomplete
2022-10-13
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Use of Weak Credentials

The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.

General Informations

Modes Of Introduction

Requirements
Architecture and Design
Installation
Operation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Operating Systems

Class: Not OS-Specific (Undetermined)

Architectures

Class: Not Architecture-Specific (Undetermined)

Technologies

Class: ICS/OT (Undetermined)
Class: Not Technology-Specific (Undetermined)

Common Consequences

Scope Impact Likelihood
Access ControlBypass Protection Mechanism

Note: An adversary could bypass intended authentication restrictions.

Observed Examples

References Description

[REF-1374]

Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (CWE-392), thus reducing the entropy (CWE-332) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (CWE-1391)

CVE-2022-30270

Remote Terminal Unit (RTU) uses default credentials for some SSH accounts

CVE-2022-29965

Distributed Control System (DCS) uses a deterministic algorithm to generate utility passwords

CVE-2022-30271

Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments

CVE-2021-38759

microcontroller board has default password, allowing admin access

CVE-2021-41192

data visualization/sharing package uses default secret keys or cookie values if they are not specified in environment variables

CVE-2020-8994

UART interface for AI speaker uses empty password for root shell

CVE-2020-27020

password manager does not generate cryptographically strong passwords, allowing prediction of passwords using guessable details such as time of generation

CVE-2020-8632

password generator for cloud application has small length value, making it easier for brute-force guessing

CVE-2020-5365

network-attached storage (NAS) system has predictable default passwords for a diagnostics/support account

CVE-2020-5248

IT asset management app has a default encryption key that is the same across installations

CVE-2018-3825

cloud cluster management product has a default master encryption key

CVE-2012-3503

Installation script has a hard-coded secret token value, allowing attackers to bypass authentication

CVE-2010-2306

Intrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic

CVE-2001-0618

Residential gateway uses the last 5 digits of the 'Network Name' or SSID as the default WEP key, which allows attackers to get the key by sniffing the SSID, which is sent in the clear

Potential Mitigations

Phases : Architecture and Design // Operation
When the user changes or sets a password, check the password against a database of already compromised or breached passwords. These passwords are likely to be used in password guessing attacks.

Vulnerability Mapping Notes

Justification : This CWE entry is a Class and might have Base-level children that would be more appropriate
Comment : Examine children of this entry to see if there is a better fit

References

REF-1303

Researchers Out Default Passwords Packaged With ICS/SCADA Wares
Kelly Jackson Higgins.
https://www.darkreading.com/endpoint-security/researchers-out-default-passwords-packaged-with-ics-scada-wares

REF-1304

ICS Alert (ICS-ALERT-13-164-01): Medical Devices Hard-Coded Passwords
ICS-CERT.
https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01

REF-1283

OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management
Forescout Vedere Labs.
https://www.forescout.com/resources/ot-icefall-report/

REF-1374

Randstorm: You Can't Patch a House of Cards
Unciphered.
https://www.unciphered.com/disclosure-of-vulnerable-bitcoin-wallet-library-2/

REF-1488

Digital Identity Guidelines (SP 800-63B-4)
NIST.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63B-4.pdf

REF-1514

Passwords, passwords everywhere
National Cyber Security Centre.
https://webarchive.nationalarchives.gov.uk/ukgwa/20221027140921/https://www.ncsc.gov.uk/pdfs/blog-post/passwords-passwords-everywhere.pdf

Submission

Name Organization Date Date release Version
CWE Content Team MITRE 2022-10-06 +00:00 2022-10-13 +00:00 4.9

Modifications

Name Organization Date Comment
CWE Content Team MITRE 2023-01-31 +00:00 updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2024-02-29 +00:00 updated Observed_Examples, References
CWE Content Team MITRE 2024-11-19 +00:00 updated Observed_Examples
CWE Content Team MITRE 2025-09-09 +00:00 updated References
CWE Content Team MITRE 2025-12-11 +00:00 updated Common_Consequences, Description, Potential_Mitigations, References, Relationships, Weakness_Ordinalities
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.