logo

Use of Default Credentials

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when a system, device, or application relies on pre-configured, publicly known credentials like passwords or encryption keys for access to critical functions.

Extended Description

Manufacturers and developers often ship products with default usernames and passwords to simplify initial setup and deployment. While convenient, this practice creates a major security risk if these defaults are not changed, as they are often documented in manuals or easily found online, providing a universal key for attackers. For developers and system administrators, the core issue is assuming defaults will be changed. Attackers exploit this by scanning for devices or software using these well-known credentials, allowing rapid, unauthorized access across many installations. To prevent this, systems must enforce credential changes on first use or require unique credentials generated during setup.
Common Consequences 1
Scope: Authentication

Impact: Gain Privileges or Assume Identity
Potential Mitigations 3
Phase: Requirements
Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Effectiveness: High

Phase: Architecture and Design
Force the administrator to change the credential upon installation.

Effectiveness: High

Phase: InstallationOperation
The product administrator could change the defaults upon installation or during operation.

Effectiveness: Moderate
Demonstrative Examples 1

ID : DX-153

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
At least one OT product used default credentials.
Observed Examples 5
CVE-2022-30270Remote Terminal Unit (RTU) uses default credentials for some SSH accounts
CVE-2021-41192data visualization/sharing package uses default secret keys or cookie values if they are not specified in environment variables
CVE-2021-38759microcontroller board has default password
CVE-2018-3825cloud cluster management product has a default master encryption key
CVE-2010-2306Intrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic
References 1
OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management
Forescout Vedere Labs
20-06-2022
https://www.forescout.com/resources/ot-icefall-report/
ID: REF-1283
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
ICS/OT : UndeterminedNot Technology-Specific : Undetermined
Modes of Introduction
Architecture and Design
Related Weaknesses
ChildOf: Use of Weak Credentials (CWE-1391)