Log inLog in

Base weakness

Incomplete

CWE-1394: Use of Default Cryptographic Key

The product uses a default cryptographic key for potentially critical functionality.

Last updated May 1, 2026

16

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

It is common practice for products to be designed to use default keys. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.

Real-world CVEs

16 recorded CVEs are caused by CWE-1394 (Use of Default Cryptographic Key). The highest-severity and most recent are shown first. 4 new CWE-1394 CVEs have been recorded so far in 2026 (6 in 2025).

Critical · CVSS 9.1

2025-12-02

rachelos WeRSS we-mp-rss JWT auth.py default key

Medium · CVSS 6.3

2026-02-09

CVE-2026-5039

Predictable Default Cryptographic Key Used for DES Encryption in TP-Link TL-WL841N

Medium · CVSS 6.1

2026-04-23

CVE-2025-1688

System configuration password reset

Medium · CVSS 5.5

2025-04-15

Showing 12 of 16 recorded CWE-1394 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-1394 vulnerabilities

Common consequences

What can happen when CWE-1394 is exploited.

Gain Privileges or Assume Identity

Affects: Authentication

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

How to prevent it

Practical mitigations for CWE-1394, grouped by where in the lifecycle they apply.

Requirements

Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Effectiveness: High

Architecture and Design

Force the administrator to change the credential upon installation.

Effectiveness: High

Installation

Operation

The product administrator could change the defaults upon installation or during operation.

Effectiveness: Moderate

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2018-3825 — cloud cluster management product has a default master encryption key
CVE-2016-1561 — backup storage product has a default SSH public key in the authorized_keys file, allowing root access
CVE-2010-2306 — Intrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic

Frequently asked questions

Common questions about CWE-1394.

What is CWE-1394?

The product uses a default cryptographic key for potentially critical functionality.

What CVEs are caused by CWE-1394?

16 recorded CVEs are attributed to CWE-1394, including CVE-2025-41742, CVE-2024-48956, CVE-2025-41744.

How do you prevent CWE-1394?

Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

What are the consequences of CWE-1394?

Exploiting CWE-1394 can lead to: Gain Privileges or Assume Identity.

Is CWE-1394 actively exploited?

16 recorded CVEs are caused by CWE-1394; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-1394

Get alerted the moment a new CWE-1394 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Illustrative examples

Related weaknesses

Parent

Frequently asked questions

What is CWE-1394?

What CVEs are caused by CWE-1394?

How do you prevent CWE-1394?

What are the consequences of CWE-1394?

Is CWE-1394 actively exploited?

References

Stay ahead of CWE-1394