CWE-1327: Binding to an Unrestricted IP Address
The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.
Last updated
Overview
When a server binds to the address 0.0.0.0, it allows connections from every IP address on the local machine, effectively exposing the server to every possible network. This might be much broader access than intended by the developer or administrator, who might only be expecting the server to be reachable from a single interface/network.
Real-world CVEs
17 recorded CVEs are caused by CWE-1327 (Binding to an Unrestricted IP Address). The highest-severity and most recent are shown first. 5 new CWE-1327 CVEs have been recorded so far in 2026 (3 in 2025).
- CVE-2023-1968Critical · CVSS 10.0 · EPSS 76th2023-04-28
- CVE-2026-24015
Apache IoTDB: Insecure Default Configuration Vulnerability
Critical · CVSS 9.8 · EPSS 44th2026-03-09 - CVE-2025-61934
AutomationDirect Productivity Suite Binding to an Unrestricted IP Address CWE-1327
Critical · CVSS 9.3 · EPSS 45th2025-10-23 - CVE-2026-0481Critical · CVSS 9.2 · EPSS 23th2026-05-15
- CVE-2026-42503
Accidental binding to INADDR_ANY might lead to RCE in golang.org/x/tools/gopls
High · CVSS 8.8 · EPSS 13th2026-05-06 - CVE-2023-41742High · CVSS 7.5 · EPSS 34th2023-08-31
- CVE-2025-55322
OmniParser Remote Code Execution Vulnerability
High · CVSS 7.3 · EPSS 27th2025-09-24 - CVE-2025-11538
Keycloak-server: debug default bind address
Medium · CVSS 6.8 · EPSS 32th2025-11-13 - CVE-2026-21528
Azure IoT Explorer Information Disclosure Vulnerability
Medium · CVSS 6.5 · EPSS 40th2026-02-10 - CVE-2026-28395
OpenClaw 2026.1.14-1 < 2026.2.12 - Unintended Public Binding of Chrome Extension Relay via Wildcard cdpUrl
Medium · CVSS 6.3 · EPSS 32th2026-03-05 - CVE-2023-5398Medium · CVSS 5.9 · EPSS 36th2024-04-17
- CVE-2024-47176
cups-browsed binds to `INADDR_ANY:631`, trusting any packet from any source
Medium · CVSS 5.3 · EPSS 99th2024-09-26
Showing 12 of 17 recorded CWE-1327 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-1327 vulnerabilitiesCommon consequences
What can happen when CWE-1327 is exploited.
DoS: Amplification
Affects: Availability
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
Technologies
How to prevent it
Practical mitigations for CWE-1327, grouped by where in the lifecycle they apply.
Assign IP addresses that are not 0.0.0.0.
Effectiveness: High
Unwanted connections to the configured server may be denied through a firewall or other packet filtering measures.
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code snippet uses 0.0.0.0 in a Puppet script.
Vulnerable example
"nightly-key-signing-server":Safe example
"nightly-key-signing-server":The Puppet code snippet is used to provision a signing server that will use 0.0.0.0 to accept traffic. However, as 0.0.0.0 is unrestricted, malicious users may use this IP address to launch frequent requests and cause denial of service attacks.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2023-41742 — cybersecurity product binds to an unrestricted IP address
- CVE-2022-21947 — Desktop manager for Kubernetes and container management binds a service to 0.0.0.0, allowing users on the network to make requests to a dashboard API.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1327.
- What is CWE-1327?
- The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.
- What CVEs are caused by CWE-1327?
- 17 recorded CVEs are attributed to CWE-1327, including CVE-2023-1968, CVE-2026-24015, CVE-2025-61934.
- How do you prevent CWE-1327?
- Assign IP addresses that are not 0.0.0.0.
- What are the consequences of CWE-1327?
- Exploiting CWE-1327 can lead to: DoS: Amplification.
- Is CWE-1327 actively exploited?
- 17 recorded CVEs are caused by CWE-1327; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1327) (opens in a new tab)
- CWE-1327 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1327
Get alerted the moment a new CWE-1327 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.