CWE · MITRE source
CWE-1188: Initialization of a Resource with an Insecure Default
The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 13 mapping(s) from 9 framework(s): ATT&CK 4 (partial) · ASVS 5.0 2 (mostly) · STIG rhel 7 1 (full) · STIG windows server 2019 1 (mostly) · STIG ubuntu 22 04 1 (mostly) · STIG ubuntu 24 04 1 (mostly) · CAPEC 1 (partial) · STIG windows server 2016 1 (partial) · STIG oracle linux 8 1 (partial)
NIST 800-53 r5 controls that address this weakness (10)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CM-1 | Policy and Procedures | CM | Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines. |
| CM-2 | Baseline Configuration | CM | Reviewing and updating baseline when components are installed or upgraded prevents initialization with insecure defaults. |
| CM-7 | Least Functionality | CM | Requiring explicit configuration to minimal functionality overrides insecure defaults that would otherwise enable excess capabilities. |
| SA-16 | Developer-provided Training | SA | Instruction on secure initialization of security controls prevents leaving resources with insecure defaults after installation. |
| SA-4 | Acquisition Process | SA | Mandating secure configuration and initialization requirements in the acquisition process prevents delivery of products that initialize resources with insecure defaults. |
| SA-5 | System Documentation | SA | Secure configuration and installation documentation prevents initialization of resources with insecure defaults. |
| PL-11 | Baseline Tailoring | PL | Tailoring replaces or augments insecure default initializations with system-specific values and compensating controls before deployment. |
| PL-9 | Central Management | PL | Central configuration overrides or replaces insecure default initializations that would otherwise be left unchanged on each system. |
| PM-30 | Supply Chain Risk Management Strategy | PM | SCRM practices during acquisition and configuration management address insecure default initializations shipped by vendors. |
| RA-5 | Vulnerability Monitoring and Scanning | RA | Scans detect resources initialized with insecure defaults that create exploitable conditions. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2020-13927 KEV | 10.0 | 9.8 | 0.9970 | 2020-11-10 |
| CVE-2022-24706 KEV | 10.0 | 9.8 | 0.9234 | 2022-04-26 |
| CVE-2023-27524 KEV | 10.0 | 8.9 | 0.9740 | 2023-04-24 |
| CVE-2023-6448 KEV | 10.0 | 9.8 | 0.0209 | 2023-12-05 |
| CVE-2025-48927 KEV UPD | 10.0 | 5.3 | 0.0786 | 2025-05-28 |
| CVE-2020-11532 | 8.0 | 9.8 | 0.7748 | 2020-05-08 |
| CVE-2017-5178 | 7.0 | 9.8 | 0.1363 | 2017-03-08 |
| CVE-2017-3834 | 7.0 | 9.8 | 0.0446 | 2017-04-06 |
| CVE-2017-7964 | 7.0 | 10.0 | 0.0250 | 2017-04-19 |
| CVE-2017-8218 | 7.0 | 9.8 | 0.0200 | 2017-04-25 |
| CVE-2017-8021 | 7.0 | 9.8 | 0.0206 | 2017-10-03 |
| CVE-2017-12739 | 7.0 | 9.8 | 0.0565 | 2017-11-15 |
| CVE-2018-0130 | 7.0 | 9.8 | 0.0193 | 2018-02-22 |
| CVE-2018-5770 | 7.0 | 9.8 | 0.0278 | 2018-03-20 |
| CVE-2018-3591 | 7.0 | 9.8 | 0.0125 | 2018-04-11 |
| CVE-2018-10251 | 7.0 | 9.8 | 0.0449 | 2018-05-04 |
| CVE-2018-8014 | 7.0 | 9.8 | 0.2198 | 2018-05-16 |
| CVE-2018-10968 | 7.0 | 9.8 | 0.0178 | 2018-05-18 |
| CVE-2018-15350 | 7.0 | 9.8 | 0.0469 | 2018-08-17 |
| CVE-2019-3909 | 7.0 | 9.8 | 0.0226 | 2019-01-18 |
| CVE-2019-5490 | 7.0 | 9.8 | 0.0349 | 2019-03-21 |
| CVE-2018-19275 | 7.0 | 9.8 | 0.0461 | 2019-04-02 |
| CVE-2019-11618 | 7.0 | 9.8 | 0.0228 | 2019-04-30 |
| CVE-2019-1804 | 7.0 | 9.8 | 0.0348 | 2019-05-03 |
| CVE-2019-5367 | 7.0 | 9.8 | 0.0804 | 2019-06-05 |