CWE-1394 (Use of Default Cryptographic Key) is a common software weakness type identified by the CWE (Common Weakness Enumeration) dictionary. It helps developers understand security flaws and how to mitigate them.

What is the difference between CVE and CWE?

CWE refers to the type of software weakness (the root cause), while CVE refers to a specific instance of a vulnerability in a particular product or system.

CWE-1394

Use of Default Cryptographic Key

Weakness Description

The product uses a default cryptographic key for potentially critical functionality.

It is common practice for products to be designed to use default keys. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.

Potential Mitigations

Requirements

Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Effectiveness: High

Architecture and Design

Force the administrator to change the credential upon installation.

Effectiveness: High

InstallationOperation

The product administrator could change the defaults upon installation or during operation.

Effectiveness: Moderate

Common Consequences

Authentication

Gain Privileges or Assume Identity

Related Weaknesses

CWE-1392

Related Resources

Browse CWE Database

Explore 493 software weaknesses

CVE Database

Search 294,000+ vulnerabilities

Security Writeups

Learn from real-world examples

About 4nuxd

Cybersecurity research & tools

Contact Us

Get in touch for collaboration

Homepage

Explore more security resources