CWE-1392 (Use of Default Credentials) is a common software weakness type identified by the CWE (Common Weakness Enumeration) dictionary. It helps developers understand security flaws and how to mitigate them.

What is the difference between CVE and CWE?

CWE refers to the type of software weakness (the root cause), while CVE refers to a specific instance of a vulnerability in a particular product or system.

CWE-1392

Use of Default Credentials

Weakness Description

The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.

It is common practice for products to be designed to use default keys, passwords, or other mechanisms for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.

Potential Mitigations

Requirements

Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Effectiveness: High

Architecture and Design

Force the administrator to change the credential upon installation.

Effectiveness: High

InstallationOperation

The product administrator could change the defaults upon installation or during operation.

Effectiveness: Moderate

Common Consequences

Authentication

Gain Privileges or Assume Identity

Related Weaknesses

CWE-1391

Related Resources

Browse CWE Database

Explore 493 software weaknesses

CVE Database

Search 294,000+ vulnerabilities

Security Writeups

Learn from real-world examples

About 4nuxd

Cybersecurity research & tools

Contact Us

Get in touch for collaboration

Homepage

Explore more security resources