CWE · MITRE source
CWE-1391Use of Weak Credentials
The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.
By design, authentication protocols try to ensure that attackers must perform brute force attacks if they do not know the credentials such as a key or password. However, when these credentials are easily predictable or even fixed (as with default or hard-coded passwords and keys), then the attacker can defeat the mechanism without relying on brute force. Credentials may be weak for different reasons, such as: Even if a new, unique credential is intended to be generated for each product installation, if the generation is predictable, then that may also simplify guessing attacks.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (2)AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
IA-5 | Authenticator Management | IA | Ensuring sufficient strength of mechanism for authenticators prevents use of weak credentials. |
IA-7 | Cryptographic Module Authentication | IA | Enforces use of credentials that comply with standards rather than weak credentials for module access. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
CVE-2024-51978 | 5.2 | 9.8 | 0.5360 | 2025-06-25 |
CVE-2025-53558 | 2.5 | 8.8 | 0.1308 | 2025-07-31 |
CVE-2024-43698 | 2.0 | 9.8 | 0.0019 | 2024-10-22 |
CVE-2024-12728 | 2.0 | 9.8 | 0.0022 | 2024-12-19 |
CVE-2025-6077 | 2.0 | 9.8 | 0.0008 | 2025-08-02 |
CVE-2025-30519 | 2.0 | 9.8 | 0.0006 | 2025-09-18 |
CVE-2026-22886 | 2.0 | 9.8 | 0.0020 | 2026-03-03 |
CVE-2025-67114 | 2.0 | 9.8 | 0.0046 | 2026-03-19 |
CVE-2026-39920 | 2.0 | 9.8 | 0.0026 | 2026-04-24 |
CVE-2024-29071 | 1.8 | 8.8 | 0.0006 | 2024-03-25 |
CVE-2024-28066 | 1.8 | 8.8 | 0.0004 | 2024-04-08 |
CVE-2024-40892 | 1.8 | 7.1 | 0.0554 | 2024-08-12 |
CVE-2024-7558 | 1.8 | 8.7 | 0.0020 | 2024-10-02 |
CVE-2023-31240 | 1.7 | 8.3 | 0.0007 | 2023-05-22 |
CVE-2026-23853 | 1.7 | 8.4 | 0.0001 | 2026-04-17 |
CVE-2023-0635 | 1.6 | 7.8 | 0.0015 | 2023-06-05 |
CVE-2023-48257 | 1.6 | 7.8 | 0.0064 | 2024-01-10 |
CVE-2024-42051 | 1.6 | 7.8 | 0.0004 | 2024-07-28 |
CVE-2024-45272 | 1.6 | 7.5 | 0.0102 | 2024-10-15 |
CVE-2022-3010 | 1.5 | 7.5 | 0.0013 | 2024-01-02 |
CVE-2024-45722 | 1.5 | 7.5 | 0.0015 | 2024-12-06 |
CVE-2024-52331 | 1.5 | 7.5 | 0.0008 | 2025-01-23 |
CVE-2025-2229 | 1.5 | 7.7 | 0.0003 | 2025-03-13 |
CVE-2025-52364 | 1.5 | 7.5 | 0.0036 | 2025-07-09 |
CVE-2025-6523 | 1.5 | 7.7 | 0.0014 | 2025-07-22 |