CWE · MITRE source
CWE-1188: Initialization of a Resource with an Insecure Default
The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (10) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CM-1 | Policy and Procedures | CM | Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines. |
| CM-2 | Baseline Configuration | CM | Reviewing and updating the baseline when components are installed or upgraded prevents initialization with insecure defaults. |
| CM-7 | Least Functionality | CM | Requiring explicit configuration to minimal functionality overrides insecure defaults that would otherwise enable excess capabilities. |
| SA-16 | Developer-provided Training | SA | Instruction on secure initialization of security controls prevents leaving resources with insecure defaults after installation. |
| SA-4 | Acquisition Process | SA | Mandating secure configuration and initialization requirements in the acquisition process prevents delivery of products that initialize resources with insecure defaults. |
| SA-5 | System Documentation | SA | Secure configuration and installation documentation prevents initialization of resources with insecure defaults. |
| PL-11 | Baseline Tailoring | PL | Tailoring replaces or augments insecure default initializations with system-specific values and compensating controls before deployment. |
| PL-9 | Central Management | PL | Central configuration overrides or replaces insecure default initializations that would otherwise be left unchanged on each system. |
| PM-30 | Supply Chain Risk Management Strategy | PM | SCRM practices during acquisition and configuration management address insecure default initializations shipped by vendors. |
| RA-5 | Vulnerability Monitoring and Scanning | RA | Scans detect resources initialized with insecure defaults that create exploitable conditions. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2020-13927 (KEV) | 9.6 | 9.8 | 0.9410 | 2020-11-10 |
| CVE-2022-24706 (KEV) | 9.6 | 9.8 | 0.9437 | 2022-04-26 |
| CVE-2023-27524 (KEV) | 8.8 | 8.9 | 0.8403 | 2023-04-24 |
| CVE-2020-11532 | 7.3 | 9.8 | 0.8981 | 2020-05-08 |
| CVE-2021-35336 | 7.1 | 9.8 | 0.8576 | 2021-07-01 |
| CVE-2022-25568 | 6.6 | 7.5 | 0.8531 | 2022-03-24 |
| CVE-2021-41192 | 6.4 | 8.1 | 0.7958 | 2021-11-24 |
| CVE-2024-32114 | 6.1 | 8.5 | 0.7263 | 2024-05-02 |
| CVE-2017-4971 | 5.7 | 5.9 | 0.7536 | 2017-06-13 |
| CVE-2018-8014 | 5.3 | 9.8 | 0.5519 | 2018-05-16 |
| CVE-2023-6448 (KEV) | 4.8 | 9.8 | 0.1329 | 2023-12-05 |
| CVE-2018-16752 | 4.7 | 8.8 | 0.4874 | 2018-09-20 |
| CVE-2020-14011 | 4.0 | 9.8 | 0.3383 | 2020-06-15 |
| CVE-2021-38759 | 3.7 | 9.8 | 0.2973 | 2021-12-07 |
| CVE-2025-48927 (KEV) | 3.6 | 5.3 | 0.0947 | 2025-05-28 |
| CVE-2019-5367 | 3.2 | 9.8 | 0.2037 | 2019-06-05 |
| CVE-2020-24365 | 2.6 | 8.8 | 0.1415 | 2020-09-24 |
| CVE-2020-4001 | 2.6 | 9.8 | 0.0987 | 2020-11-24 |
| CVE-2014-0234 | 2.5 | 9.8 | 0.0881 | 2020-02-12 |
| CVE-2018-15685 | 2.4 | 8.1 | 0.1268 | 2018-08-23 |
| CVE-2024-2912 | 2.4 | 10.0 | 0.0749 | 2024-04-16 |
| CVE-2017-3834 | 2.3 | 9.8 | 0.0623 | 2017-04-06 |
| CVE-2017-7964 | 2.2 | 10.0 | 0.0271 | 2017-04-19 |
| CVE-2018-5770 | 2.2 | 9.8 | 0.0367 | 2018-03-20 |
| CVE-2019-1804 | 2.2 | 9.8 | 0.0410 | 2019-05-03 |