CWE-521: Weak Password Requirements
The product does not require that users should have strong passwords.
Last updated
Overview
CWE-521 (Weak Password Requirements) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
Authentication mechanisms often rely on a memorized secret (also known as a password) to provide an assertion of identity for a user of a system. It is therefore important that this password be of sufficient complexity and impractical for an adversary to guess. The specific requirements around how complex a password needs to be depends on the type of system being protected. Selecting the correct password requirements and enforcing them through implementation are critical to the overall success of the authentication mechanism.
Real-world CVEs
149 recorded CVEs are caused by CWE-521 (Weak Password Requirements), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 14 new CWE-521 CVEs have been recorded so far in 2026 (42 in 2025).
- CVE-2019-18988CISA KEVHigh · CVSS 8.4 · EPSS 91th2020-02-07
- CVE-2025-12364
Weak Password Policy
Critical · CVSS 10.0 · EPSS 23th2025-10-27 - CVE-2024-40684
IBM Operations Analytics - Log Analysis is affected by Weak Password Policy and Inadequate Account Lockout Mechanism
Critical · CVSS 9.8 · EPSS 28th2026-05-27 - CVE-2025-55269
HCL Aftermarket DPC is affected by Weak Password Policy vulnerability
Critical · CVSS 9.8 · EPSS 15th2026-03-26 - CVE-2026-25715
Jinan USR IOT Technology Limited (PUSR) USR-W610 Weak Password Requirements
Critical · CVSS 9.8 · EPSS 43th2026-02-20 - CVE-2025-55252
HCL AION is affected by a Weak Password Policy vulnerability
Critical · CVSS 9.8 · EPSS 5th2026-01-19 - CVE-2025-53963Critical · CVSS 9.8 · EPSS 33th2025-12-04
- CVE-2025-63747Critical · CVSS 9.8 · EPSS 34th2025-11-17
- CVE-2025-11200
MLflow Weak Password Requirements Authentication Bypass Vulnerability
Critical · CVSS 9.8 · EPSS 71th2025-10-29 - CVE-2025-28389Critical · CVSS 9.8 · EPSS 42th2025-06-13
- CVE-2024-22330
IBM Security Verify Governance information disclosure
Critical · CVSS 9.8 · EPSS 20th2025-06-06 - CVE-2025-28200Critical · CVSS 9.8 · EPSS 41th2025-05-09
Showing 12 of 149 recorded CWE-521 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-521 vulnerabilitiesCommon consequences
What can happen when CWE-521 is exploited.
Gain Privileges or Assume Identity
Affects: Access Control
An attacker could easily guess user passwords and gain access user accounts.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-521, grouped by where in the lifecycle they apply.
A product's design should require adherance to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:
Depending on the threat model, the password policy may include several additional attributes.
See NIST 800-63B [REF-1053] for further information on password requirements.
Consider a second authentication factor beyond the password, which prevents the password from being a single point of failure. See CWE-308 for further information.
Consider implementing a password complexity meter to inform users when a chosen password meets the required attributes.
Previously, "password expiration" was widely advocated as a defense-in-depth approach to minimize the risk of weak passwords, and it has become a common practice. Password expiration requires a password to be changed within a fixed time window (such as every 90 days). However, this approach has significant limitations in the current threat landscape, and its utility has been reduced in light of the adoption of related protection mechanisms (such as password complexity and computational effort), along with the recognition that regular password changes often caused users to generate more predictable passwords. As a result, this is now a Discouraged Common Practice [REF-1488] [REF-1489], especially as the sole factor in protecting passwords. It is still strongly encouraged to force password changes in case of evidence of compromise, but this is not the same as a forced "expiration" on an arbitrary time frame.
Effectiveness: Discouraged Common Practice
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2020-4574 — key server application does not require strong passwords
Terminology & mappings
Mapped taxonomies
- OWASP Top Ten 2004: Broken Authentication and Session Management (A3) — CWE More Specific fit
Attack patterns
CAPEC attack patterns that exploit this weakness.
- CAPEC-112: Brute Force
- CAPEC-16: Dictionary-based Password Attack
- CAPEC-49: Password Brute Forcing
- CAPEC-509: Kerberoasting
- CAPEC-55: Rainbow Table Password Cracking
- CAPEC-555: Remote Services with Stolen Credentials
- CAPEC-561: Windows Admin Shares with Stolen Credentials
- CAPEC-565: Password Spraying
- CAPEC-70: Try Common or Default Usernames and Passwords
Frequently asked questions
Common questions about CWE-521.
- What is CWE-521?
- The product does not require that users should have strong passwords.
- What CVEs are caused by CWE-521?
- 149 recorded CVEs are attributed to CWE-521, including CVE-2019-18988, CVE-2025-12364, CVE-2024-40684. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Is CWE-521 part of the OWASP Top 10?
- CWE-521 maps to OWASP Top Ten 2004: Broken Authentication and Session Management (A3) in the OWASP security taxonomy.
- How do you prevent CWE-521?
- A product's design should require adherance to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:
- How is CWE-521 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-521?
- Exploiting CWE-521 can lead to: Gain Privileges or Assume Identity.
- Is CWE-521 actively exploited?
- Yes. 1 CWE-521 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 149 recorded CVEs.
References
- MITRE CWE definition (CWE-521) (opens in a new tab)
- CWE-521 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-521
Get alerted the moment a new CWE-521 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.