The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
If the product's administrator does not have the ability to manage security-related decisions at all times, then protecting the product from outside threats - including the product's developer - can become impossible. For example, a hard-coded account name and password cannot be changed by the administrator, thus exposing that product to attacks that the administrator cannot prevent.
4 recorded CVEs are caused by CWE-671 (Lack of Administrator Control over Security). The highest-severity and most recent are shown first. 0 new CWE-671 CVEs have been recorded so far in 2026 (1 in 2025).
What can happen when CWE-671 is exploited.
Varies by Context
Affects: Other
Typically introduced during these phases of the software lifecycle.
Illustrative examples from MITRE showing how the weakness appears in code.
The following code is an example of an internal hard-coded password in the back-end:
Vulnerable example
int VerifyAdmin(char *password) {
Vulnerable example
int VerifyAdmin(String password) {
Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality."
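A hardened counterpart to the hard-coded check above, as an added example in Python (not MITRE's code or this page's own): the diagnostic credential is kept as a salted PBKDF2 hash in an administrator-owned settings file, so the administrator can rotate it or switch diagnostic mode off. The JSON file format and the names `make_admin_config`, `verify_admin` and `diagnostic_mode_enabled` are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
from typing import Optional


def make_admin_config(password: str, enabled: bool = True,
                      iterations: int = 600_000) -> str:
    """Constructed sample: what an admin-side 'set diagnostic password'
    tool would write to a settings file (hypothetical JSON format)."""
    salt = os.urandom(16)  # fresh salt on every rotation
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return json.dumps({
        "diagnostic_mode_enabled": enabled,  # admin can switch the feature off
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    })


def verify_admin(password: str, config_text: Optional[str]) -> bool:
    """Counterpart to VerifyAdmin with no secret compiled into the program."""
    if not config_text:
        return False  # fail closed: nothing provisioned, no diagnostic mode
    try:
        cfg = json.loads(config_text)
        if cfg["diagnostic_mode_enabled"] is not True:
            return False  # administrator has disabled diagnostic mode
        salt = bytes.fromhex(cfg["salt"])
        expected = bytes.fromhex(cfg["hash"])
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, int(cfg["iterations"]))
    except (ValueError, KeyError, TypeError, OverflowError):
        return False  # malformed settings never grant access
    # Constant-time comparison of the derived hash with the stored one.
    return hmac.compare_digest(candidate, expected)
```

The settings file should be writable only by the administrator account, since whoever can write it controls the diagnostic credential.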
Real CVEs that MITRE cites as examples of this weakness.
Common questions about CWE-671.
4 recorded CVEs are attributed to CWE-671, including CVE-2025-24024, CVE-2018-13283, CVE-2023-20115.
Exploiting CWE-671 can lead to: Varies by Context.
4 recorded CVEs are caused by CWE-671; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.