CWE-1188: Insecure Default Initialization of Resource — known CVE vulnerabilities
CVEs classified under CWE-1188 (Insecure Default Initialization of Resource), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-31957 — CVSS 10.0 (critical): Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed…
CVE-2025-41672 — CVSS 10.0 (critical): A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected…
CVE-2024-0001 — CVSS 10.0 (critical): A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially…
CVE-2024-2912 — CVSS 10.0 (critical): An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially…
CVE-2021-34795 — CVSS 10.0 (critical): Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical…
CVE-2017-7964 — CVSS 10.0 (critical): Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to…
CVE-2026-44109 — CVSS 9.8 (critical): OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows…
CVE-2026-39920 — CVSS 9.8 (critical): BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible…
CVE-2026-28205 — CVSS 9.8 (critical): OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain…
CVE-2026-28775 — CVSS 9.8 (critical): An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SNMP service of International Datacasting Corporation (IDC) SFX…
CVE-2025-70998 — CVSS 9.8 (critical): UTT HiPER 810 / nv810v4 router firmware v1.5.0-140603 was discovered to contain insecure default credentials for the telnet service…
CVE-2025-62877 — CVSS 9.8 (critical): Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password if they are using the 1.5.x or…
CVE-2025-54127 — CVSS 9.8 (critical): HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS…
CVE-2025-24288 — CVSS 9.8 (critical): The Versa Director software exposes a number of services by default and allow attackers an easy foothold due to default credentials and…
CVE-2025-41438 — CVSS 9.8 (critical): The CS5000 Fire Panel is vulnerable due to a default account that exists on the panel. Even though it is possible to change this by SSHing…
CVE-2025-1863 — CVSS 9.8 (critical): Insecure default settings have been found in recorder products provided by Yokogawa Electric Corporation. The default setting of the…
CVE-2025-1960 — CVSS 9.8 (critical): CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could cause an attacker to execute unauthorized…
CVE-2024-28815 — CVSS 9.8 (critical): A vulnerability in the BluStar component of Mitel InAttend 2.6 SP4 through 2.7 and CMG 8.5 SP4 through 8.6 could allow access to sensitive…
CVE-2022-41648 — CVSS 9.8 (critical): The HEIDENHAIN Controller TNC 640 NC software Version 340590 07 SP5, is vulnerable to improper authentication in its DNC communication for…
CVE-2021-3586 — CVSS 9.8 (critical): A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be…
CVE-2022-31806 — CVSS 9.8 (critical): In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no…
CVE-2021-38759 — CVSS 9.8 (critical): Raspberry Pi OS through 5.10 has the raspberry default password for the pi account. If not changed, attackers can gain administrator…
CVE-2021-35965 — CVSS 9.8 (critical): The Orca HCM digital learning platform uses a weak factory default administrator password, which is hard-coded in the source code of the…
CVE-2021-35336 — CVSS 9.8 (critical): Tieline IP Audio Gateway 2.6.4.8 and below is affected by Incorrect Access Control. A vulnerability in the Tieline Web Administrative…
CVE-2021-28123 — CVSS 9.8 (critical): Undocumented Default Cryptographic Key Vulnerability in Cohesity DataPlatform version 6.3 prior 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through…
CVE-2020-4001 — CVSS 9.8 (critical): The SD-WAN Orchestrator 3.3.2, 3.4.x, and 4.0.x has default passwords allowing for a Pass-the-Hash Attack. SD-WAN Orchestrator ships with…
CVE-2020-27555 — CVSS 9.8 (critical): Use of default credentials for the telnet server in BASETech GE-131 BT-1837836 firmware 20180921 allows remote attackers to execute…
CVE-2020-26510 — CVSS 9.8 (critical): Airleader Master <= 6.21 devices have default credentials that can be used to access the exposed Tomcat Manager for deployment of a new…
CVE-2020-14011 — CVSS 9.8 (critical): Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin account, unless "Built-in…
CVE-2020-11532 — CVSS 9.8 (critical): Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This…
CVE-2014-0234 — CVSS 9.8 (critical): The default configuration of broker.conf in Red Hat OpenShift Enterprise 2.x before 2.1 has a password of "mooo" for a Mongo account, which…
CVE-2019-16272 — CVSS 9.8 (critical): On DTEN D5 and D7 before 1.3.4 devices, factory settings allows for firmware reflash and Android Debug Bridge (adb) enablement.
CVE-2019-4621 — CVSS 9.8 (critical): IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the…
CVE-2019-16102 — CVSS 9.8 (critical): Silver Peak EdgeConnect SD-WAN before 8.1.7.x has an SNMP service with a public value for rocommunity and trapcommunity.
CVE-2019-14222 — CVSS 9.8 (critical): An issue was discovered in Alfresco Community Edition versions 6.0 and lower. An unauthenticated, remote attacker could authenticate to…
CVE-2019-5367 — CVSS 9.8 (critical): A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
CVE-2019-1804 — CVSS 9.8 (critical): A vulnerability in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software…
CVE-2019-11618 — CVSS 9.8 (critical): doorGets 7.0 has a default administrator credential vulnerability. A remote attacker can use this vulnerability to gain administrator…
CVE-2018-19275 — CVSS 9.8 (critical): The BluStar component in Mitel InAttend before 2.5 SP3 and CMG before 8.4 SP3 Suite Servers has a default password, which could allow…
CVE-2019-5490 — CVSS 9.8 (critical): Certain versions between 2.x to 5.x (refer to advisory) of the NetApp Service Processor firmware were shipped with a default account…
CVE-2019-3909 — CVSS 9.8 (critical): Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor…
CVE-2018-15350 — CVSS 9.8 (critical): Router Default Credentials in Kraftway 24F2XG Router firmware version 3.5.30.1118 allow remote attackers to get privileged access to the…
CVE-2018-10968 — CVSS 9.8 (critical): On D-Link DIR-550A and DIR-604M devices through v2.10KR, a malicious user can use a default TELNET account to get unauthorized access to…
CVE-2018-8014 — CVSS 9.8 (critical): The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to…
CVE-2018-3591 — CVSS 9.8 (critical): In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9650…