Using Default Credentials
Default Credentials
Overview of the Vulnerability
Default credentials are credentials that the manufacturer or supplier of a hardware or software product sets by default. These credentials often carry Administrator privileges. An attacker can take advantage of default credentials by logging in to administrative accounts using wordlists of default usernames and passwords found online, which may give them the authority to change the state of the application or of users’ accounts.
Business Impact
Default credentials can result in reputational damage and indirect financial loss for the business by eroding customers’ trust in the application’s ability to keep user accounts secure. If an attacker successfully guesses default credentials, it can lead to user account compromise and data exfiltration.
Steps to Reproduce
Use a browser to navigate to: {{URL}}
Enter the username and password combination {{Username:DefaultPassword}}
Observe the successful login to an Admin account
Proof of Concept (PoC)
The screenshot(s) below demonstrate the default credentials:
{{screenshot}}
Guidance
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature. A screenshot of the account being logged in will work here, or a video showing the account being signed in to.
Describe what the impact of using default credentials on this service would be, what role this account has, and how it could be used. Do not access or attempt to access sensitive information. Do not access Personally Identifiable Information (PII).
Recommendation(s)
All default credentials should be changed before deploying the software to the internet. If default credentials are hardcoded, the device should not be exposed to the internet and instead should be behind a firewall.
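The following is an added example, not code from the original template: a deployment pre-check and login guard that flags a privileged account whose stored password hash still matches a known vendor default. The default pairs, account layout and function names are constructed for illustration and do not refer to any real product.

```python
import hashlib
import hmac
import secrets

# Constructed list of vendor-shipped (username, password) pairs to refuse.
# Placeholders for illustration, not any real product's defaults.
VENDOR_DEFAULTS = [("admin", "admin"), ("admin", "password"), ("root", "changeme")]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(username: str, password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"user": username, "role": role, "salt": salt,
            "hash": hash_password(password, salt)}


def is_default(account: dict) -> bool:
    """True if the stored hash still matches a known default for this username."""
    for user, pw in VENDOR_DEFAULTS:
        if user == account["user"] and hmac.compare_digest(
                hash_password(pw, account["salt"]), account["hash"]):
            return True
    return False


def preflight(accounts: list) -> list:
    """Deployment gate: list every privileged account still using a default."""
    return [f"{a['user']} ({a['role']}) still has a vendor default password"
            for a in accounts if a["role"] == "admin" and is_default(a)]


def login(account: dict, password: str) -> str:
    """Verify the password, then refuse admin access until the default is rotated."""
    if not hmac.compare_digest(hash_password(password, account["salt"]), account["hash"]):
        return "denied"
    if account["role"] == "admin" and is_default(account):
        return "password_change_required"
    return "ok"


if __name__ == "__main__":
    # Constructed accounts as they might ship before the first deployment.
    shipped = [make_account("admin", "admin", "admin"),
               make_account("alice", "S3cret-Long!", "user")]
    print(preflight(shipped))          # one finding for the admin account
    print(login(shipped[0], "admin"))  # password_change_required
```

Run `preflight` against the account store before exposing the service; a non-empty result should block the deployment.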
For more information, please refer to: