Common Weakness Enumeration

CWE-1188

Allowed

Initialization of a Resource with an Insecure Default

Abstraction: Base · Status: Incomplete

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

402 vulnerabilities reference this CWE, most recent first.

GHSA-R5M2-FQCF-QRF7

Vulnerability from github – Published: 2026-02-03 18:30 – Updated: 2026-02-04 19:34
VLAI
Summary
FUXA contains an insecure default configuration vulnerability
Details

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fuxa-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-69970"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-04T19:34:40Z",
    "nvd_published_at": "2026-02-03T18:16:17Z",
    "severity": "HIGH"
  },
  "details": "FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The \u0027secureEnabled\u0027 flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation.",
  "id": "GHSA-r5m2-fqcf-qrf7",
  "modified": "2026-02-04T19:34:41Z",
  "published": "2026-02-03T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69970"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/frangoteam/FUXA/blob"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/blob/master/server/settings.default.js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FUXA contains an insecure default configuration vulnerability"
}

GHSA-R627-CR47-HVXP

Vulnerability from github – Published: 2022-05-13 01:51 – Updated: 2022-05-13 01:51
VLAI
Details

Safe Software FME Server through 2018.1 creates and enables three additional accounts in addition to the initial administrator account. The passwords to the three accounts are the same as the usernames, which are guest, user, and author. Logging in with these accounts will grant any user the default privilege roles that were also created for each of the accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20402"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-23T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Safe Software FME Server through 2018.1 creates and enables three additional accounts in addition to the initial administrator account. The passwords to the three accounts are the same as the usernames, which are guest, user, and author. Logging in with these accounts will grant any user the default privilege roles that were also created for each of the accounts.",
  "id": "GHSA-r627-cr47-hvxp",
  "modified": "2022-05-13T01:51:02Z",
  "published": "2022-05-13T01:51:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20402"
    },
    {
      "type": "WEB",
      "url": "http://docs.safe.com/fme/html/FME_Server_Documentation/Content/AdminGuide/Default_User_Accounts_and_Passwords.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6C5-M6XC-3746

Vulnerability from github – Published: 2023-01-09 12:30 – Updated: 2025-02-13 18:31
VLAI
Details

A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-09T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn\u0027t need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a",
  "id": "GHSA-r6c5-m6xc-3746",
  "modified": "2025-02-13T18:31:21Z",
  "published": "2023-01-09T12:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2196"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5"
    },
    {
      "type": "WEB",
      "url": "https://kernel.dance/#2e7eab81425a"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230223-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R9RC-4FCG-85C7

Vulnerability from github – Published: 2025-12-16 03:31 – Updated: 2025-12-16 03:31
VLAI
Details

Incorrect configuration of replication security in the MariaDB component of the infra-operator in YAOOK Operator allows an on-path attacker to read database contents, potentially including credentials

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-16T01:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect configuration of replication security in the MariaDB component of the infra-operator in YAOOK Operator allows an on-path attacker to read database contents, potentially including credentials",
  "id": "GHSA-r9rc-4fcg-85c7",
  "modified": "2025-12-16T03:31:16Z",
  "published": "2025-12-16T03:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14758"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/yaook/operator/-/issues/631"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RP4Q-4MM5-P2VX

Vulnerability from github – Published: 2026-05-12 15:31 – Updated: 2026-06-24 15:31
VLAI
Details

CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when credentials revert to initial settings in rare circumstances, enabling unauthorized authentication using known credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T15:16:16Z",
    "severity": "HIGH"
  },
  "details": "CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when credentials revert to initial settings in rare circumstances, enabling unauthorized authentication using known credentials.",
  "id": "GHSA-rp4q-4mm5-p2vx",
  "modified": "2026-06-24T15:31:40Z",
  "published": "2026-05-12T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6866"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-132-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-132-04.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RPGJ-F22Q-PHGR

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

EMC Elastic Cloud Storage (ECS) before 3.1 is affected by an undocumented account vulnerability that could potentially be leveraged by malicious users to compromise the affected system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-03T01:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "EMC Elastic Cloud Storage (ECS) before 3.1 is affected by an undocumented account vulnerability that could potentially be leveraged by malicious users to compromise the affected system.",
  "id": "GHSA-rpgj-f22q-phgr",
  "modified": "2022-05-13T01:23:14Z",
  "published": "2022-05-13T01:23:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8021"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2017/Sep/74"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101018"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RR38-X2XX-VWR5

Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34
VLAI
Details

Insecure default variable initialization in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a loss of integrity via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27443"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T17:15:38Z",
    "severity": "LOW"
  },
  "details": "Insecure default variable initialization in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a loss of integrity via local access.",
  "id": "GHSA-rr38-x2xx-vwr5",
  "modified": "2025-04-08T18:34:43Z",
  "published": "2025-04-08T18:34:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27443"
    },
    {
      "type": "WEB",
      "url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RV45-R523-M576

Vulnerability from github – Published: 2026-04-24 12:30 – Updated: 2026-04-28 15:30
VLAI
Details

P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release, expected in May 2026, enforces secure-by-default configurations on upgrade and new installations

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T12:17:07Z",
    "severity": "HIGH"
  },
  "details": "P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in \u0027remote\u0027 user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release, expected in May 2026, enforces secure-by-default configurations on upgrade and new installations",
  "id": "GHSA-rv45-r523-m576",
  "modified": "2026-04-28T15:30:47Z",
  "published": "2026-04-24T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6043"
    },
    {
      "type": "WEB",
      "url": "https://help.perforce.com/helix-core/server-apps/p4sag/current/Content/P4SAG/secure-by-default-overview.html"
    },
    {
      "type": "WEB",
      "url": "https://help.perforce.com/helix-core/server-apps/p4sag/current/Content/P4SAG/security-configurables.html"
    },
    {
      "type": "WEB",
      "url": "https://portal.perforce.com/s/cve/a91Qi000002wRUvIAM/insecure-default-configuration-in-p4-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RVXP-RC2J-V2H6

Vulnerability from github – Published: 2026-03-04 09:31 – Updated: 2026-03-09 18:31
VLAI
Details

An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SNMP service of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver. The deployment insecurely provisions the private SNMP community string with read/write access by default. Because the SNMP agent runs as root, an unauthenticated remote attacker can utilize NET-SNMP-EXTEND-MIB directives, abusing the fact that the system runs a vulnerable version of net-snmp pre 5.8, to execute arbitrary operating system commands with root privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28775"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-04T08:16:13Z",
    "severity": "CRITICAL"
  },
  "details": "An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SNMP service of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver. The deployment insecurely provisions the `private` SNMP community string with read/write access by default. Because the SNMP agent runs as root, an unauthenticated remote attacker can utilize `NET-SNMP-EXTEND-MIB` directives, abusing the fact that the system runs a vulnerable version of net-snmp pre 5.8, to execute arbitrary operating system commands with root privileges.",
  "id": "GHSA-rvxp-rc2j-v2h6",
  "modified": "2026-03-09T18:31:37Z",
  "published": "2026-03-04T09:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28775"
    },
    {
      "type": "WEB",
      "url": "https://www.abdulmhsblog.com/posts/sfx2100-vulns"
    },
    {
      "type": "WEB",
      "url": "https://www.abdulmhsblog.com/posts/spfx-vulnrabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RWR4-QW9C-FJXM

Vulnerability from github – Published: 2025-06-19 00:31 – Updated: 2025-06-19 00:31
VLAI
Details

The Versa Director software exposes a number of services by default and allow attackers an easy foothold due to default credentials and multiple accounts (most with sudo access) that utilize the same default credentials. By default, Versa director exposes ssh and postgres to the internet, alongside a host of other services.

Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers.

Workarounds or Mitigation:

Versa recommends the following security controls:

1) Change default passwords to complex passwords 2) Passwords must be complex with at least 8 characters that comprise of upper case, and lower case alphabets, as well as at at least one digit, and one special character 3) Passwords must be changed at least every 90 days 4) Password change history is checked to ensure that the at least the last 5 passwords must be used when changing password. 5) Review and audit logs for all authentication attempts to check for unauthorized/suspicious login attempts and enforce remediation steps.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24288"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-19T00:15:22Z",
    "severity": "CRITICAL"
  },
  "details": "The Versa Director software exposes a number of services by default and allow attackers an easy foothold due to default credentials and multiple accounts (most with sudo access) that utilize the same default credentials. By default, Versa director exposes ssh and postgres to the internet, alongside a host of other services.\n\nVersa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers.  \n\nWorkarounds or Mitigation: \n\nVersa recommends the following  security controls:\n\n1) Change default passwords to complex passwords\n2) Passwords must be complex with at least 8 characters that comprise of upper case, and lower case alphabets,  as well as at at least one digit, and one special character\n3) Passwords must be changed at least every 90 days\n4) Password change history is checked to ensure that the at least the last 5 passwords must be used when changing password.\n5) Review and audit logs for all authentication attempts to check for unauthorized/suspicious login attempts and enforce remediation steps.",
  "id": "GHSA-rwr4-qw9c-fjxm",
  "modified": "2025-06-19T00:31:07Z",
  "published": "2025-06-19T00:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24288"
    },
    {
      "type": "WEB",
      "url": "https://security-portal.versa-networks.com/emailbulletins/68526d12dc94d6b9f2faf719"
    },
    {
      "type": "WEB",
      "url": "https://support.versa-networks.com/support/solutions/articles/23000026708-release-22-1-4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.