CWE-1393

Use of Default Password

The product uses default passwords for potentially critical functionality.

CVE-2026-8672 (GCVE-0-2026-8672)

Vulnerability from cvelistv5 – Published: 2026-05-22 13:17 – Updated: 2026-05-22 15:04

Title

Default credentials for internal DB

Summary

Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords. This issue affects Avantra: before 25.3.0.

Severity

5.1 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

CWE

CWE-1393 - Use of default password

Assigner

NCSC.ch

References

1 reference

URL	Tags
https://support.avantra.com/hc/en-us/articles/553…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
syslink software AG	Avantra	Affected: 0 , < 25.3.0 (semver)

Credits

Vicxer Inc.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8672",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T15:04:21.729145Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T15:04:30.882Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux",
            "Windows"
          ],
          "product": "Avantra",
          "vendor": "syslink software AG",
          "versions": [
            {
              "lessThan": "25.3.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Vicxer Inc."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords.\u003cp\u003eThis issue affects Avantra: before 25.3.0.\u003c/p\u003e"
            }
          ],
          "value": "Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords.\n\nThis issue affects Avantra: before 25.3.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-70",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-70 Try Common or Default Usernames and Passwords"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1393",
              "description": "CWE-1393 Use of default password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T13:17:05.199Z",
        "orgId": "455daabc-a392-441d-aa46-37d35189897c",
        "shortName": "NCSC.ch"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://support.avantra.com/hc/en-us/articles/5535551609759"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Default credentials for internal DB",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
    "assignerShortName": "NCSC.ch",
    "cveId": "CVE-2026-8672",
    "datePublished": "2026-05-22T13:17:05.199Z",
    "dateReserved": "2026-05-15T11:49:59.333Z",
    "dateUpdated": "2026-05-22T15:04:30.882Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phase: Requirements

Description:

Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Mitigation

Phase: Documentation

Description:

Ensure that product documentation clearly emphasizes the presence of default passwords and provides steps for the administrator to change them.

Mitigation

Phase: Architecture and Design

Description:

Force the administrator to change the credential upon installation.

Mitigation

Phases: Installation, Operation

Description:

The product administrator could change the defaults upon installation or during operation.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page