CWE · MITRE source
CWE-259: Use of Hard-coded Password
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
There are two main variations of a hard-coded password:
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (4) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IA-5 | Authenticator Management | IA | Changing default authenticators prior to first use directly prevents use of hard-coded passwords. |
| PM-16 | Threat Awareness Program | PM | Shared threat data frequently highlights products or deployments still using hard-coded passwords, enabling remediation that directly blocks credential-based attacks. |
| SA-21 | Developer Screening | SA | Background checks and authorization requirements decrease the probability that a developer will hard-code passwords for later unauthorized access. |
| SR-6 | Supplier Assessments and Reviews | SR | Reviews of supplier deliverables reduce the chance that hard-coded passwords are introduced into the system. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-7332 | 7.5 | 9.8 | 0.9211 | 2024-08-01 |
| CVE-2023-5222 | 6.7 | 6.3 | 0.9024 | 2023-09-27 |
| CVE-2025-57788 | 6.3 | 6.5 | 0.8312 | 2025-08-20 |
| CVE-2025-8730 | 3.8 | 9.8 | 0.3021 | 2025-08-08 |
| CVE-2023-2645 | 2.3 | 9.8 | 0.0624 | 2023-05-11 |
| CVE-2025-1100 | 2.1 | 9.8 | 0.0185 | 2025-02-12 |
| CVE-2016-9358 | 2.0 | 9.8 | 0.0054 | 2017-06-30 |
| CVE-2017-6022 | 2.0 | 9.8 | 0.0053 | 2017-06-30 |
| CVE-2015-3953 | 2.0 | 9.8 | 0.0025 | 2019-03-25 |
| CVE-2014-5434 | 2.0 | 9.8 | 0.0025 | 2019-03-26 |
| CVE-2020-12016 | 2.0 | 9.8 | 0.0021 | 2020-06-29 |
| CVE-2020-12045 | 2.0 | 9.8 | 0.0028 | 2020-06-29 |
| CVE-2020-12047 | 2.0 | 9.8 | 0.0028 | 2020-06-29 |
| CVE-2021-27440 | 2.0 | 9.8 | 0.0027 | 2021-03-25 |
| CVE-2019-10881 | 2.0 | 9.8 | 0.0048 | 2021-04-13 |
| CVE-2021-22729 | 2.0 | 9.8 | 0.0035 | 2021-07-21 |
| CVE-2021-38456 | 2.0 | 9.8 | 0.0022 | 2021-10-12 |
| CVE-2021-34601 | 2.0 | 9.8 | 0.0041 | 2022-04-27 |
| CVE-2017-20039 | 2.0 | 9.8 | 0.0040 | 2022-06-11 |
| CVE-2022-30271 | 2.0 | 9.8 | 0.0020 | 2022-07-26 |
| CVE-2022-22144 | 2.0 | 9.8 | 0.0038 | 2022-08-05 |
| CVE-2022-41653 | 2.0 | 9.8 | 0.0027 | 2022-12-13 |
| CVE-2022-45444 | 2.0 | 10.0 | 0.0057 | 2023-01-18 |
| CVE-2024-28010 | 2.0 | 9.8 | 0.0040 | 2024-03-28 |
| CVE-2024-27488 | 2.0 | 9.8 | 0.0044 | 2024-04-08 |