Führe statische Analyse (SAST) auf der Codebasis aus und suche im Datenfluss nach dem unsicheren Muster.
CWE-1391 Class Incomplete
Use of Weak Credentials
This vulnerability occurs when a system relies on weak authentication credentials—like default passwords, hard-coded keys, or easily guessable values—that an attacker can deduce, reuse, or predict…
Definition
What is CWE-1391?
This vulnerability occurs when a system relies on weak authentication credentials—like default passwords, hard-coded keys, or easily guessable values—that an attacker can deduce, reuse, or predict without needing to perform a full brute-force attack.
Authentication systems are designed to force attackers into time-consuming brute-force attempts when credentials are unknown. However, when credentials are weak—whether they are static, widely reused, or generated in a predictable pattern—attackers can bypass this protection entirely, gaining unauthorized access with minimal effort.
Weak credentials typically fall into three categories: hard-coded (static and unchangeable), default (common across installations but changeable), or predictable (generated using a flawed or guessable method). Even if a unique credential is intended for each deployment, a predictable generation process can still make it vulnerable to efficient guessing attacks, undermining the entire authentication mechanism.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-1391
-
Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (CWE-392), thus reducing the entropy (CWE-332) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (CWE-1391)
-
Remote Terminal Unit (RTU) uses default credentials for some SSH accounts
-
Distributed Control System (DCS) uses a deterministic algorithm to generate utility passwords
-
Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments
-
microcontroller board has default password, allowing admin access
-
data visualization/sharing package uses default secret keys or cookie values if they are not specified in environment variables
-
UART interface for AI speaker uses empty password for root shell
-
password manager does not generate cryptographically strong passwords, allowing prediction of passwords using guessable details such as time of generation
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
Identifiziere einen Codepfad, der nicht vertrauenswürdige Eingaben ohne Validierung verarbeitet.
- 2
Erzeuge eine Payload, die das unsichere Verhalten auslöst — Injection, Traversal, Overflow oder Logik-Missbrauch.
- 3
Liefere die Payload über einen normalen Request aus und beobachte die Reaktion der Anwendung.
- 4
Iteriere, bis die Antwort Daten preisgibt, Angreifer-Code ausführt oder Berechtigungen eskaliert.
Verwundbares Codebeispiel
Vulnerable pseudo
MITRE hat kein Codebeispiel für diese CWE veröffentlicht. Das untenstehende Muster ist illustrativ — kanonische Referenzen findest du unter Ressourcen.
// Example pattern — see MITRE for the canonical references.
function handleRequest(input) {
// Untrusted input flows directly into the sensitive sink.
return executeUnsafe(input);
} Sicheres Codebeispiel
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-1391
- Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
- Implementation Validate input at trust boundaries; use allowlists, not denylists.
- Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
- Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
- Operation Monitor logs for the runtime signals listed in the next section.
Erkennungssignale
How to detect CWE-1391
Führe dynamische Application-Security-Tests gegen den Live-Endpoint aus.
Beobachte Runtime-Logs auf ungewöhnliche Exception-Traces, fehlerhafte Eingaben oder Versuche, Autorisierung zu umgehen.
Code Review: Markiere jeden neuen Code, der Eingaben von dieser Oberfläche ohne validierte Framework-Helper verarbeitet.
Plexicus erkennt CWE-1391 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-1391?
Wie gravierend ist CWE-1391?
Welche Sprachen oder Plattformen sind von CWE-1391 betroffen?
Wie kann ich CWE-1391 verhindern?
Wie erkennt und behebt Plexicus CWE-1391?
Wo erfahre ich mehr über CWE-1391?
Frequently asked questions
Was ist CWE-1391?
This vulnerability occurs when a system relies on weak authentication credentials—like default passwords, hard-coded keys, or easily guessable values—that an attacker can deduce, reuse, or predict without needing to perform a full brute-force attack.
Wie gravierend ist CWE-1391?
MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.
Welche Sprachen oder Plattformen sind von CWE-1391 betroffen?
MITRE lists the following affected platforms: Not OS-Specific, Not Architecture-Specific, ICS/OT, Not Technology-Specific.
Wie kann ich CWE-1391 verhindern?
Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.
Wie erkennt und behebt Plexicus CWE-1391?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-1391 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-1391?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/1391.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-1391
CWE-1390 Parent
Weak Authentication
This vulnerability occurs when a system's login or identity verification process is too easy to bypass or fool. While it attempts to check…
CWE-262 Sibling
Not Using Password Aging
This vulnerability occurs when a system lacks password expiration policies, allowing users to keep the same password indefinitely.
CWE-263 Sibling
Password Aging with Long Expiration
The system enforces password changes, but the time allowed between changes is excessively long, weakening security.
CWE-289 Sibling
Authentication Bypass by Alternate Name
This vulnerability occurs when a system checks access based on a resource or user name, but fails to account for all the different names…
CWE-290 Sibling
Authentication Bypass by Spoofing
This weakness occurs when an application's authentication system can be tricked into accepting forged or manipulated credentials, allowing…
CWE-294 Sibling
Authentication Bypass by Capture-replay
This vulnerability occurs when an attacker can intercept and record legitimate authentication traffic, then replay it later to gain…
CWE-301 Sibling
Reflection Attack in an Authentication Protocol
A reflection attack is a flaw in mutual authentication protocols that allows an attacker to impersonate a legitimate user without knowing…
CWE-302 Sibling
Authentication Bypass by Assumed-Immutable Data
This vulnerability occurs when an authentication system incorrectly treats certain data as unchangeable, when in fact an attacker can…
CWE-303 Sibling
Incorrect Implementation of Authentication Algorithm
This weakness occurs when a developer implements a standard authentication algorithm, but makes critical mistakes in the code that cause…
Ressourcen
Further reading
- MITRE — offizielle CWE-1391 https://cwe.mitre.org/data/definitions/1391.html
- Researchers Out Default Passwords Packaged With ICS/SCADA Wares https://www.darkreading.com/endpoint-security/researchers-out-default-passwords-packaged-with-ics-scada-wares
- ICS Alert (ICS-ALERT-13-164-01): Medical Devices Hard-Coded Passwords https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01
- OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management https://www.forescout.com/resources/ot-icefall-report/
- Randstorm: You Can't Patch a House of Cards https://www.unciphered.com/disclosure-of-vulnerable-bitcoin-wallet-library-2/
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.