CWE · MITRE source
CWE-521: Weak Password Requirements
The product does not require that users should have strong passwords.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (8) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IA-1 | Policy and Procedures | IA | IA policy establishes password requirements, directly addressing weak password requirements. |
| IA-5 | Authenticator Management | IA | Ensuring authenticators have sufficient strength of mechanism for intended use addresses weak password requirements. |
| PM-15 | Security and Privacy Groups and Associations | PM | Facilitated training and awareness of current practices improves definition and enforcement of sufficiently strong password requirements. |
| PM-3 | Information Security and Privacy Resources | PM | Dedicated security resources support deployment of strong authentication systems and enforcement of robust password policies. |
| CM-6 | Configuration Settings | CM | Configuration settings can define and enforce strong password requirements to avoid weak policies. |
| PL-9 | Central Management | PL | Organization-wide password and authentication policies are applied uniformly, preventing weak local password requirements. |
| RA-5 | Vulnerability Monitoring and Scanning | RA | Vulnerability scans assess password policies and weak credential requirements against benchmarks. |
| SA-5 | System Documentation | SA | User documentation on maintaining security includes password requirements, directly mitigating weak password policies. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2019-17444 | 7.5 | 9.8 | 0.9249 | 2020-10-12 |
| CVE-2024-42850 | 4.9 | 9.8 | 0.4978 | 2024-08-16 |
| CVE-2019-18988 KEV | 3.9 | 7.0 | 0.0763 | 2020-02-07 |
| CVE-2017-3186 | 2.6 | 9.8 | 0.0987 | 2017-12-16 |
| CVE-2023-37756 | 2.4 | 9.8 | 0.0664 | 2023-09-14 |
| CVE-2017-12861 | 2.2 | 9.8 | 0.0372 | 2017-10-10 |
| CVE-2024-48845 | 2.2 | 9.4 | 0.0547 | 2024-12-05 |
| CVE-2018-1000134 | 2.1 | 9.8 | 0.0168 | 2018-03-16 |
| CVE-2020-29591 | 2.1 | 9.8 | 0.0266 | 2020-12-11 |
| CVE-2022-45482 | 2.1 | 9.8 | 0.0186 | 2022-12-02 |
| CVE-2017-1196 | 2.0 | 9.8 | 0.0031 | 2017-06-07 |
| CVE-2017-7903 | 2.0 | 9.8 | 0.0023 | 2017-06-30 |
| CVE-2017-9853 | 2.0 | 9.8 | 0.0033 | 2017-08-05 |
| CVE-2017-1221 | 2.0 | 9.8 | 0.0026 | 2017-11-13 |
| CVE-2017-14189 | 2.0 | 9.8 | 0.0054 | 2017-11-29 |
| CVE-2018-1372 | 2.0 | 9.8 | 0.0031 | 2018-02-27 |
| CVE-2017-1601 | 2.0 | 9.8 | 0.0050 | 2018-05-02 |
| CVE-2018-12925 | 2.0 | 9.8 | 0.0028 | 2018-06-28 |
| CVE-2018-19064 | 2.0 | 9.8 | 0.0080 | 2018-11-07 |
| CVE-2018-15719 | 2.0 | 9.8 | 0.0016 | 2018-12-12 |
| CVE-2019-7674 | 2.0 | 9.8 | 0.0041 | 2019-02-09 |
| CVE-2019-9123 | 2.0 | 9.8 | 0.0056 | 2019-02-25 |
| CVE-2019-9950 | 2.0 | 9.8 | 0.0019 | 2019-04-24 |
| CVE-2019-13918 | 2.0 | 9.8 | 0.0048 | 2019-09-13 |
| CVE-2019-3758 | 2.0 | 9.8 | 0.0047 | 2019-09-18 |