CWE-521: Weak Password Requirements — known CVE vulnerabilities
CVEs classified under CWE-521 (Weak Password Requirements), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-25715 — CVSS 9.8 (critical): The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the…
CVE-2025-53963 — CVSS 9.8 (critical): An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. They run an SSH server accessible over the default port…
CVE-2025-63747 — CVSS 9.8 (critical): QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immediate login via the…
CVE-2025-28389 — CVSS 9.8 (critical): Weak password requirements in OpenC3 COSMOS v6.0.0 allow attackers to bypass authentication via a brute force attack.
CVE-2025-28200 — CVSS 9.8 (critical): Victure RX1800 EN_V1.0.0_r12_110933 was discovered to utilize a weak default password which includes the last 8 digits of the Mac address.
CVE-2025-25211 — CVSS 9.8 (critical): Weak password requirements issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, a brute-force…
CVE-2024-42850 — CVSS 9.8 (critical): An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity requirements.
CVE-2023-49238 — CVSS 9.8 (critical): In Gradle Enterprise before 2023.1, a remote attacker may be able to gain access to a new installation (in certain installation scenarios)…
CVE-2023-24049 — CVSS 9.8 (critical): An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges on the device via poor…
CVE-2023-29974 — CVSS 9.8 (critical): An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password requirements.
CVE-2023-37756 — CVSS 9.8 (critical): I-doit pro 25 and below and I-doit open 25 and below employ weak password requirements for Administrator account creation. Attackers are…
CVE-2023-31098 — CVSS 9.8 (critical): Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through…
CVE-2022-32513 — CVSS 9.8 (critical): A CWE-521: Weak Password Requirements vulnerability exists that could allow an attacker to gain control of the device when the attacker…
CVE-2022-34615 — CVSS 9.8 (critical): Mealie 1.0.0beta3 employs weak password requirements which allows attackers to potentially gain unauthorized access to the application via…
CVE-2022-35280 — CVSS 9.8 (critical): IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 does not require that users should have strong passwords by default, which makes…
CVE-2022-35143 — CVSS 9.8 (critical): Renato v0.17.0 employs weak password complexity requirements, allowing attackers to crack user passwords via brute-force attacks.
CVE-2022-36301 — CVSS 9.8 (critical): BF-OS version 3.x up to and including 3.83 do not enforce strong passwords which may allow a remote attacker to brute-force the device…
CVE-2022-31211 — CVSS 9.8 (critical): An issue was discovered in Infiray IRAY-A8Z3 1.0.957. There is a blank root password for TELNET by default.
CVE-2022-1668 — CVSS 9.8 (critical): Weak default root user credentials allow remote attackers to easily obtain OS superuser privileges over the open TCP port for SSH.
CVE-2021-43036 — CVSS 9.8 (critical): An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The password for the PostgreSQL wguest account is weak.
CVE-2021-38462 — CVSS 9.8 (critical): InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 does not enforce an efficient password policy. This may allow an…
CVE-2021-35498 — CVSS 9.8 (critical): The TIBCO EBX Web Server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX, TIBCO EBX, and TIBCO Product and Service Catalog powered…
CVE-2021-41296 — CVSS 9.8 (critical): ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full…
CVE-2021-20418 — CVSS 9.8 (critical): IBM Security Guardium 11.2 does not require that users should have strong passwords by default, which makes it easier for attackers to…
CVE-2021-25839 — CVSS 9.8 (critical): A weak password requirement vulnerability exists in the Create New User function of MintHCM RELEASE 3.0.8, which could lead an attacker to…
CVE-2021-26797 — CVSS 9.8 (critical): An access control vulnerability in Hame SD1 Wi-Fi firmware <=V.20140224154640 allows an attacker to get system administrator through an…
CVE-2020-25153 — CVSS 9.8 (critical): The built-in web service for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower does not require users to have strong passwords.
CVE-2020-29591 — CVSS 9.8 (critical): Versions of the Official registry Docker images through 2.7.0 contain a blank password for the root user. Systems deployed using affected…
CVE-2020-26201 — CVSS 9.8 (critical): Askey AP5100W_Dual_SIG_1.01.097 and all prior versions use a weak password at the Operating System (rlx-linux) level. This allows an…
CVE-2019-17444 — CVSS 9.8 (critical): Jfrog Artifactory uses default passwords (such as "password") for administrative accounts and does not require users to change them. This…
CVE-2020-11624 — CVSS 9.8 (critical): An issue was discovered in AvertX Auto focus Night Vision HD Indoor/Outdoor IP Dome Camera HD838 and Night Vision HD Indoor/Outdoor Mini IP…
CVE-2019-4576 — CVSS 9.8 (critical): IBM QRadar Network Packet Capture 7.3.0 - 7.3.3 Patch 1 and 7.4.0 GA does not require that users should have strong passwords by default…
CVE-2020-11966 — CVSS 9.8 (critical): In IQrouter through 3.3.1, the Lua function reset_password in the web-panel allows remote attackers to change the root password…