
CWE-1393

Use of Default Password

22 CVEs | Avg CVSS 7.4 | Source: MITRE

Severity breakdown: CRITICAL 10 | HIGH 3 | MEDIUM 6 | LOW 3
POC available: 4 | In CISA KEV: 0


CVE-2026-35075 CRITICAL Act Now

Credential disclosure in MBS industrial protocol gateways (Single-A, Double-A, Single-X, and Double-X product families) allows remote unauthenticated attackers to extract a hard-coded default password embedded in the firmware image and use it to obtain full administrative control of any affected device. With a CVSS 4.0 score of 9.3 and the vulnerability reported through CERT@VDE under advisory VDE-2026-039, the issue is severe because the recovered credential is shared across the device line, but at the time of analysis there is no public exploit identified and the vulnerability is not listed in CISA KEV.

Information Disclosure Single A Double A Profibus Double A X Link Single X +14
Source: NVD | CVSS 4.0: 9.3 | EPSS: 0.1%
CVE-2026-8672 MEDIUM PATCH This Month

Default credential exposure in syslink software AG Avantra (all versions before 25.3.0) on Linux and Windows allows a local attacker with high-privilege access to authenticate using known default passwords, achieving high confidentiality impact against monitoring data and infrastructure configurations managed by the platform. Reported by NCSC.ch and addressed in version 25.3.0, this CWE-1393 flaw represents an insider threat or post-compromise lateral movement risk for organizations running Avantra in SAP and IT operations environments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

Information Disclosure Microsoft
Source: NVD | CVSS 3.1: 5.1 | EPSS: 0.0%
CVE-2026-33784 CRITICAL PATCH Act Now

Full device takeover in Juniper Networks Support Insights Virtual Lightweight Collector (vLWC) before 3.0.94 via hardcoded default credentials. The vLWC software ships with an unchangeable initial password for a high-privileged account with no enforced password change during provisioning, enabling unauthenticated remote attackers to gain complete system control. CVSS v4.0 score 9.3 (Critical). No public exploit identified at time of analysis.

Authentication Bypass Juniper
Source: NVD | CVSS 4.0: 9.3 | EPSS: 0.0%
CVE-2025-14917 MEDIUM PATCH This Month

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 contain a vulnerability in security settings administration that could allow authenticated attackers with high privileges to bypass expected security controls and gain unauthorized access to sensitive information. The vulnerability affects a critical administrative interface and, while it requires local access and high privileges to exploit, could enable lateral privilege escalation or information disclosure within enterprise environments. No evidence of active exploitation or public proof-of-concept has been reported, but a vendor patch is available.

Information Disclosure IBM
Sources: NVD, VulDB | CVSS 3.1: 6.7 | EPSS: 0.0%
CVE-2026-4404 Go CRITICAL PATCH Act Now

GoHarbor Harbor versions 2.15.0 and earlier contain hardcoded default credentials that allow unauthenticated attackers to gain administrative access to the web UI using the default username 'admin' and password 'Harbor12345'. This vulnerability enables complete compromise of the container registry, including image manipulation, deletion, and unauthorized access to stored artifacts. The issue has been documented in GitHub issues and pull requests within the Harbor project, indicating active awareness and remediation efforts by the development team.

Information Disclosure Suse
Sources: NVD, GitHub, VulDB | CVSS 3.1: 9.4 | EPSS: 0.0%
CVE-2026-3186 LOW POC PATCH Monitor

Improper authorization in Sz Boot Parent up to version 1.3.2-beta allows authenticated attackers to reset arbitrary user passwords by manipulating the userId parameter in the password reset API endpoint. Public exploit code exists for this vulnerability, enabling remote password reset attacks against any user account. Upgrade to version 1.3.3-beta or later to remediate.

Information Disclosure Sz Boot Parent
Sources: NVD, GitHub, VulDB | CVSS 4.0: 2.1 | EPSS: 0.0%
CVE-2026-2635 PyPI HIGH PATCH This Week

Authentication bypass leading to administrator-level remote code execution affects MLflow installations that use the built-in basic authentication, which ships a basic_auth.ini file containing hard-coded default credentials. Remote unauthenticated attackers who know these well-known defaults can log in as the administrator and execute arbitrary code in that context. No public exploit has been identified at time of analysis and it is not in CISA KEV, but the EPSS score of 1.39% (80th percentile) reflects above-average exploitation interest for a Trend Micro ZDI-disclosed flaw with an available vendor patch.

Authentication Bypass RCE
Sources: NVD, GitHub, VulDB | CVSS 3.1: 7.3 | EPSS: 1.4%
CVE-2026-24429 CRITICAL Act Now

Default credentials in Tenda W30E V2 router firmware through V16.01.0.19. Known default password enables full administrative access.

Information Disclosure W30e Firmware
Source: NVD | CVSS 3.1: 9.8 | EPSS: 0.1%
CVE-2025-66050 CRITICAL Act Now

Vivotek IP7137 camera ships without any admin password by default, and users are not informed they should set one. End-of-life product with no expected fix – all deployed cameras are likely exposed.

Denial Of Service Ip7137 Firmware
Source: NVD | CVSS 3.1: 9.8 | EPSS: 0.1%
CVE-2025-8077 Go CRITICAL PATCH GHSA This Week

A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch available.

Information Disclosure Suse
Sources: NVD, GitHub | CVSS 3.1: 9.8 | EPSS: 0.1%
