CVEbaza.plCWE DictionaryCWE-521
Common Weakness Enumeration

CWE-521

Weak Password Requirements

Category: BaseCVE: 308
Description

The product does not require that users should have strong passwords.

CVE vulnerabilities with CWE-521 (308)
10.0
CVSS
CRITICAL
CVE-2025-12364

Weak Password Policy.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

pub. 2025-10-27
10.0
CVSS
CRITICAL
CVE-2025-12285

Missing Initial Password Change.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

pub. 2025-10-26
9.8
CVSS
CRITICAL
CVE-2026-25715

The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all critical management channels, allowing any network-adjacent attacker to gain full administrative control without credentials.

pub. 2026-02-20
9.8
CVSS
CRITICAL
CVE-2025-53963

An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. They run an SSH server accessible over the default port 22. The root account has a weak default password of ionadmin, and a password change policy for the root account is not enforced. Thus, an attacker with network connectivity can achieve root code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

pub. 2025-12-04
9.8
CVSS
CRITICAL
CVE-2025-63747

QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immediate login via the web application login page. Because the account provides administrative privileges in the default configuration, an attacker who can reach the login page can gain administrative access.

pub. 2025-11-17
9.8
CVSS
CRITICAL
CVE-2025-11200

MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916.

pub. 2025-10-29
9.8
CVSS
CRITICAL
CVE-2025-30127

An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Once access is gained either by default, common, or cracked passwords, the video recordings (containing sensitive routes, conversations, and footage) are open for downloading by creating a socket to command port 7777, and then downloading video via port 7778 and audio via port 7779.

pub. 2025-08-06
9.8
CVSS
CRITICAL
CVE-2025-28389

Weak password requirements in OpenC3 COSMOS v6.0.0 allow attackers to bypass authentication via a brute force attack.

pub. 2025-06-13
9.8
CVSS
CRITICAL
CVE-2025-28200

Victure RX1800 EN_V1.0.0_r12_110933 was discovered to utilize a weak default password which includes the last 8 digits of the Mac address.

pub. 2025-05-09
9.8
CVSS
CRITICAL
CVE-2025-25211

Weak password requirements issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, a brute-force attack may allow an attacker unauthorized access and login.

pub. 2025-03-31
9.8
CVSS
CRITICAL
CVE-2025-27663

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Weak Password Encryption / Encoding OVE-20230524-0007.

pub. 2025-03-05
9.8
CVSS
CRITICAL
CVE-2024-42850

An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity requirements.

pub. 2024-08-16
9.8
CVSS
CRITICAL
CVE-2024-3263

YMS VIS Pro is an information system for veterinary and food administration, veterinarians and farm. Due to a combination of improper method for system credentials generation and weak password policy, passwords can be easily guessed and enumerated through brute force attacks. Successful attacks can lead to unauthorised access and execution of operations based on assigned user permissions. This vulnerability affects VIS Pro in versions <= 3.3.0.6. This vulnerability has been mitigated by changes in authentication mechanisms and implementation of additional authentication layer and strong password policies.

pub. 2024-05-14
9.8
CVSS
CRITICAL
CVE-2023-49238

In Gradle Enterprise before 2023.1, a remote attacker may be able to gain access to a new installation (in certain installation scenarios) because of a non-unique initial system user password. Although this password must be changed upon the first login, it is possible that an attacker logs in before the legitimate administrator logs in.

pub. 2024-01-09
9.8
CVSS
CRITICAL
CVE-2023-24049

An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges on the device via poor credential management.

pub. 2023-12-04
9.8
CVSS
CRITICAL
CVE-2023-29974

An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password requirements.

pub. 2023-11-08
9.8
CVSS
CRITICAL
CVE-2023-37756

I-doit pro 25 and below and I-doit open 25 and below employ weak password requirements for Administrator account creation. Attackers are able to easily guess users' passwords via a bruteforce attack.

pub. 2023-09-14
9.8
CVSS
CRITICAL
CVE-2023-31098

Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.6.0.  When users change their password to a simple password (with any character or symbol), attackers can easily guess the user's password and access the account. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7805 https://github.com/apache/inlong/pull/7805 to solve it.

pub. 2023-05-22
9.8
CVSS
CRITICAL
CVE-2023-2106

Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.

pub. 2023-04-15
9.8
CVSS
CRITICAL
CVE-2022-32513

A CWE-521: Weak Password Requirements vulnerability exists that could allow an attacker to gain control of the device when the attacker brute forces the password. Affected Products: C-Bus Network Automation Controller - LSS5500NAC (Versions prior to V1.10.0), Wiser for C-Bus Automation Controller - LSS5500SHAC (Versions prior to V1.10.0), Clipsal C-Bus Network Automation Controller - 5500NAC (Versions prior to V1.10.0), Clipsal Wiser for C-Bus Automation Controller - 5500SHAC (Versions prior to V1.10.0), SpaceLogic C-Bus Network Automation Controller - 5500NAC2 (Versions prior to V1.10.0), SpaceLogic C-Bus Application Controller - 5500AC2 (Versions prior to V1.10.0)

pub. 2023-01-30
Showing 20 of 308 vulnerabilities
Information
ID: CWE-521
Type: Base
Vulnerabilities: 308
MITRE CWE ↗
← CWE Dictionary