When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

What CVEs are caused by CWE-620?

80 recorded CVEs are attributed to CWE-620, including CVE-2024-20419, CVE-2025-1107, CVE-2024-33699.

Is CWE-620 part of the OWASP Top 10?

CWE-620 maps to OWASP Top Ten 2004: Broken Authentication and Session Management (A3) in the OWASP security taxonomy.

How do you prevent CWE-620?

When prompting for a password change, force the user to provide the original password in addition to the new password.

What are the consequences of CWE-620?

Exploiting CWE-620 can lead to: Bypass Protection Mechanism, Gain Privileges or Assume Identity.

Is CWE-620 actively exploited?

80 recorded CVEs are caused by CWE-620; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-620: Unverified Password Change

CVE-2025-70082

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This code changes a user's password.

Vulnerable example

php

$user = $_GET['user'];

While the code confirms that the requesting user typed the same new password twice, it does not confirm that the user requesting the password change is the same user whose password will be changed. An attacker can request a change of another user's password and gain control of the victim's account.

CWE-620: Unverified Password Change

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-620?

What CVEs are caused by CWE-620?

Is CWE-620 part of the OWASP Top 10?

How do you prevent CWE-620?

What are the consequences of CWE-620?

Is CWE-620 actively exploited?

References

Stay ahead of CWE-620

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-620?

What CVEs are caused by CWE-620?

Is CWE-620 part of the OWASP Top 10?

How do you prevent CWE-620?

What are the consequences of CWE-620?

Is CWE-620 actively exploited?

References

Stay ahead of CWE-620