The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.
By design, authentication protocols try to ensure that attackers must perform brute force attacks if they do not know the credentials such as a key or password. However, when these credentials are easily predictable or even fixed (as with default or hard-coded passwords and keys), then the attacker can defeat the mechanism without relying on brute force.

Credentials may be weak for different reasons, such as:

- Hard-coded (i.e., static and unchangeable by the administrator)
- Default (i.e., the same static value across different deployments/installations, but able to be changed by the administrator)
- Predictable (i.e., generated in a way that produces unique credentials across deployments/installations, but can still be guessed with reasonable efficiency)
- Previously Compromised (i.e., "leaked" credentials that were published as part of a data breach)

Even if a new, unique credential is intended to be generated for each product installation, if the generation is predictable, then that may also simplify guessing attacks.
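The "Predictable" case above is the one most often missed in review, because each installation does get a different credential. The following is an added example (not MITRE's text and not code from any product the page mentions) contrasting an assumed weak pattern, a per-install key derived from a non-cryptographic PRNG seeded with the install timestamp, with a key drawn from the operating system's CSPRNG. The function names and the timestamp-seeded pattern are assumptions for illustration.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def predictable_install_key(install_epoch: int, length: int = 16) -> str:
    """WEAK (assumed pattern, for illustration): the per-install key is a pure
    function of a low-entropy, often public fact, the install time in seconds.
    Two installs in the same second get the same key, and anyone who can narrow
    the install time down to a small window can recompute the candidates."""
    rng = random.Random(install_epoch)  # not a CSPRNG; fully determined by the seed
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def unique_install_key(length: int = 16) -> str:
    """Defensive form: each character is drawn from the OS CSPRNG, so keys carry
    no relation to the install time, the host, or any other deployment."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def distinct_keys_across_installs(generator, install_epochs) -> int:
    """Count how many distinct keys a generator yields for a batch of installs.
    For the weak generator this collapses whenever timestamps repeat; for the
    CSPRNG-backed one it equals the number of installs (collision odds at 16
    alphanumerics are negligible)."""
    keys = {generator(epoch) for epoch in install_epochs}
    return len(keys)


if __name__ == "__main__":
    # Constructed sample: three installs, two of them in the same second.
    epochs = [1_700_000_000, 1_700_000_000, 1_700_000_001]
    print("weak:", distinct_keys_across_installs(predictable_install_key, epochs))
    print("strong:", distinct_keys_across_installs(lambda _: unique_install_key(), epochs))
```

The review check this suggests is simple: if a credential generator's only inputs are values an outsider could learn or enumerate (timestamps, serial numbers, MAC addresses, sequential IDs), the credential is predictable regardless of how random its output looks.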
46 recorded CVEs are caused by CWE-1391 (Use of Weak Credentials). The highest-severity and most recent are shown first. 9 new CWE-1391 CVEs have been recorded so far in 2026 (18 in 2025).
What can happen when CWE-1391 is exploited.
Bypass Protection Mechanism
Affects: Access Control
An adversary could bypass intended authentication restrictions.
Practical mitigations for CWE-1391, grouped by where in the lifecycle they apply.
When the user changes or sets a password, check the password against a database of already compromised or breached passwords. These passwords are likely to be used in password guessing attacks.
Effectiveness: Moderate
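The mitigation above, checking a newly chosen password against a breached-password corpus, is usually implemented with a range lookup so that the password itself never leaves the application: the client hashes the password, sends only the first five hex characters of the SHA-1 digest, and receives every known suffix under that prefix. The following is an added example, not code from MITRE or from this site, that implements that client-side logic against a small constructed corpus standing in for the lookup service; the corpus entries, their counts and the function names are all assumptions for illustration.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for a compromised-password corpus (NOT real breach data).
# Counts are arbitrary; they only model "how often this value was seen".
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password": 1000,
    "123456": 5000,
    "admin": 300,
    "letmein": 120,
}

HEX_UPPER = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the representation range lookups key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """5-character prefix (what is sent) and 35-character suffix (what is kept local)."""
    return digest[:5], digest[5:]


def build_range_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Index the corpus as prefix -> {suffix: count}, simulating the service side."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        index.setdefault(prefix, {})[suffix] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def range_lookup(prefix: str) -> Dict[str, int]:
    """Simulated range endpoint: validate the prefix and return every (suffix, count)
    under it. Only the prefix crosses the boundary, never the password or full hash."""
    if len(prefix) != 5 or any(c not in HEX_UPPER for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return dict(RANGE_INDEX.get(prefix, {}))


def breach_count(password: str) -> int:
    """Times the password appeared in the corpus; 0 means never seen."""
    prefix, suffix = split_hash(sha1_hex(password))
    return range_lookup(prefix).get(suffix, 0)


def validate_new_password(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Policy check run when a user sets or changes a password: enforce a minimum
    length first (cheap, local), then reject anything present in the breach corpus."""
    if len(password) < min_length:
        return False, f"password must be at least {min_length} characters"
    seen = breach_count(password)
    if seen > 0:
        return False, f"password appears in known breaches ({seen} times); choose another"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "letmein", "a-long-unique-passphrase-42"]:
        print(candidate, "->", validate_new_password(candidate))
```

Two design points worth keeping from this shape: the SHA-1 here is a lookup key, not a storage format (stored passwords still get a slow, salted hash), and a lookup failure should be treated as "unknown" rather than "safe", with the outcome logged so the check's availability can be monitored.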
Illustrative examples from MITRE showing how the weakness appears in code.
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
Multiple OT products used weak credentials.
Common questions about CWE-1391.
46 recorded CVEs are attributed to CWE-1391, including CVE-2025-67114, CVE-2025-30519, CVE-2025-6077.
Exploiting CWE-1391 can lead to: Bypass Protection Mechanism.
46 recorded CVEs are caused by CWE-1391; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.