Log inLog in

Base weakness

Incomplete

CWE-1393: Use of Default Password

The product uses default passwords for potentially critical functionality.

Last updated May 1, 2026

34

Recorded CVEs

With this primary weakness

1

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

It is common practice for products to be designed to use default passwords for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, then it makes it easier for attackers to quickly bypass authentication across multiple organizations. There are many lists of default passwords and default-password scanning tools that are easily available from the World Wide Web.

Real-world CVEs

34 recorded CVEs are caused by CWE-1393 (Use of Default Password), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 8 new CWE-1393 CVEs have been recorded so far in 2026 (14 in 2025).

CVE-2025-26793

Critical · CVSS 10.0 · EPSS 96th

2025-02-15

CVE-2024-51555

Force Change of Default Credentials

Critical · CVSS 10.0 · EPSS 40th

2024-12-05

CVE-2026-35075

Hardcoded default Password for Service Account

Critical · CVSS 9.8 · EPSS 29th

2026-06-03

CVE-2026-33784

JSI Virtual Lightweight Collector: Default password is not required to be changed which allows unauthorized high-privileged access

Critical · CVSS 9.8 · EPSS 19th

2026-04-09

CVE-2026-2635

MLflow Use of Default Password Authentication Bypass Vulnerability

Critical · CVSS 9.8 · EPSS 82th

2026-02-20

CVE-2025-8077

NeuVector admin account has insecure default password

Critical · CVSS 9.8 · EPSS 27th

2025-09-17

CVE-2025-27690

Critical · CVSS 9.8 · EPSS 68th

2025-04-10

CVE-2025-22938

Critical · CVSS 9.8 · EPSS 54th

2025-03-31

CVE-2024-30802

Critical · CVSS 9.8 · EPSS 59th

2024-05-10

CVE-2024-29666

Critical · CVSS 9.8 · EPSS 55th

2024-03-25

Showing 12 of 34 recorded CWE-1393 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-1393 vulnerabilities

Common consequences

What can happen when CWE-1393 is exploited.

Gain Privileges or Assume Identity

Affects: Authentication

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Applies to

Technologies

ICS/OT

How to prevent it

Practical mitigations for CWE-1393, grouped by where in the lifecycle they apply.

Requirements

Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Effectiveness: High

Documentation

Ensure that product documentation clearly emphasizes the presence of default passwords and provides steps for the administrator to change them.

Effectiveness: Limited

Architecture and Design

Force the administrator to change the credential upon installation.

Effectiveness: High

Installation

Operation

The product administrator could change the defaults upon installation or during operation.

Effectiveness: Moderate

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

Multiple OT products used default credentials.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2022-30270 — Remote Terminal Unit (RTU) uses default credentials for some SSH accounts
CVE-2022-2336 — OPC Unified Architecture (OPC UA) industrial automation product has a default password
CVE-2021-38759 — microcontroller board has default password, allowing admin access
CVE-2021-44480 — children's smart watch has default passwords allowing attackers to send SMS commands and listen to the device's surroundings
CVE-2020-11624 — surveillance camera has default password for the admin account
CVE-2018-15719 — medical dental records product installs a MySQL database with a blank default password
CVE-2014-9736 — healthcare system for archiving patient images has default passwords for key management and storage databases
CVE-2000-1209 — database product installs admin account with default null password, allowing privileges, as exploited by various worms

Frequently asked questions

Common questions about CWE-1393.

What is CWE-1393?

The product uses default passwords for potentially critical functionality.

What CVEs are caused by CWE-1393?

34 recorded CVEs are attributed to CWE-1393, including CVE-2023-45249, CVE-2025-26701, CVE-2025-26793. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

How do you prevent CWE-1393?

Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

What are the consequences of CWE-1393?

Exploiting CWE-1393 can lead to: Gain Privileges or Assume Identity.

Is CWE-1393 actively exploited?

Yes. 1 CWE-1393 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 34 recorded CVEs.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-1393

Get alerted the moment a new CWE-1393 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing