CWE-258: Empty Password in Configuration File

Using an empty string as a password is insecure.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

High

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

CWE-258 (Empty Password in Configuration File) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

10 recorded CVEs are caused by CWE-258 (Empty Password in Configuration File). The highest-severity and most recent are shown first. 0 new CWE-258 CVEs have been recorded so far in 2026 (2 in 2025).

CWE-258: Empty Password in Configuration File

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-258?

What CVEs are caused by CWE-258?

How do you prevent CWE-258?

What are the consequences of CWE-258?

Is CWE-258 actively exploited?

References

Stay ahead of CWE-258

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-258?

What CVEs are caused by CWE-258?

How do you prevent CWE-258?

What are the consequences of CWE-258?

Is CWE-258 actively exploited?

References

Stay ahead of CWE-258