CWE-1188: Initialization of a Resource with an Insecure Default
The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Last updated
Overview
CWE-1188 (Initialization of a Resource with an Insecure Default) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
149 recorded CVEs are caused by CWE-1188 (Initialization of a Resource with an Insecure Default), including 4 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 53 new CWE-1188 CVEs have been recorded so far in 2026 (40 in 2025).
- CVE-2023-27524CISA KEV
Apache Superset: Session validation vulnerability when using provided default SECRET_KEY
Critical · CVSS 10.0 · EPSS 100th2023-04-24 - CVE-2022-24706CISA KEV
Remote Code Execution Vulnerability in Packaging
Critical · CVSS 10.0 · EPSS 100th2022-04-26 - CVE-2023-6448CISA KEV
Unitronics VisiLogic uses a default administrative password
Critical · CVSS 9.3 · EPSS 79th2023-12-05 - CVE-2025-48927CISA KEVHigh · CVSS 8.7 · EPSS 94th2025-05-28
- CVE-2026-31957
Himmelblau unset domain configuration can allow any-tenant authentication at first login for remote deployments
Critical · CVSS 10.0 · EPSS 40th2026-03-11 - CVE-2026-28775
Unauthenticated RCE via SNMP Default Writable Community String
Critical · CVSS 10.0 · EPSS 65th2026-03-04 - CVE-2025-41672
WAGO: Vulnerability in WAGO Device Sphere
Critical · CVSS 10.0 · EPSS 27th2025-07-07 - CVE-2024-0001Critical · CVSS 10.0 · EPSS 54th2024-09-23
- CVE-2024-2912Critical · CVSS 10.0 · EPSS 71th2024-04-16
- CVE-2026-31818
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Critical · CVSS 9.9 · EPSS 30th2026-04-03 - CVE-2025-70998Critical · CVSS 9.8 · EPSS 34th2026-02-18
- CVE-2025-62877
Harvest may expose OS default ssh login password via SUSE Virtualization Interactive Installer
Critical · CVSS 9.8 · EPSS 38th2026-01-08
Showing 12 of 149 recorded CWE-1188 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-1188 vulnerabilitiesCommon consequences
What can happen when CWE-1188 is exploited.
Varies by Context
Affects: Other
The impact of insecure defaults varies widely depending on the functionality that the product controls.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code attempts to login a user using credentials from a POST request:
Safe example
...
$user = $_POST['user'];Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-36349 — insecure default variable initialization in BIOS firmware for a hardware board allows DoS
- CVE-2022-42467 — A generic database browser interface has a default mode that exposes a web server to the network, allowing queries to the database.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1188.
- What is CWE-1188?
- The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
- What CVEs are caused by CWE-1188?
- 149 recorded CVEs are attributed to CWE-1188, including CVE-2023-27524, CVE-2022-24706, CVE-2023-6448. 4 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How is CWE-1188 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1188?
- Exploiting CWE-1188 can lead to: Varies by Context.
- Is CWE-1188 actively exploited?
- Yes. 4 CWE-1188 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 149 recorded CVEs.
References
- MITRE CWE definition (CWE-1188) (opens in a new tab)
- CWE-1188 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1188
Get alerted the moment a new CWE-1188 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.