Cyber Resilience

CWE · MITRE source

CWE-1188 · Initialization of a Resource with an Insecure Default

Abstraction: Base · CVEs in our corpus: 299

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Last updated: 04 July 2026 08:17 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 13 mapping(s) from 9 framework(s): ATT&CK 4 (partial) · ASVS 5.0 2 (mostly) · STIG rhel 7 1 (full) · STIG windows server 2019 1 (mostly) · STIG ubuntu 22 04 1 (mostly) · STIG ubuntu 24 04 1 (mostly) · CAPEC 1 (partial) · STIG windows server 2016 1 (partial) · STIG oracle linux 8 1 (partial)


NIST 800-53 r5 controls that address this weakness (10) · AI

Control · Title · Family · Why it addresses this CWE
CM-1 · Policy and Procedures · CM · Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines.
CM-2 · Baseline Configuration · CM · Reviewing and updating the baseline when components are installed or upgraded prevents initialization with insecure defaults.
CM-7 · Least Functionality · CM · Requiring explicit configuration to minimal functionality overrides insecure defaults that would otherwise enable excess capabilities.
SA-16 · Developer-provided Training · SA · Instruction on secure initialization of security controls prevents leaving resources with insecure defaults after installation.
SA-4 · Acquisition Process · SA · Mandating secure configuration and initialization requirements in the acquisition process prevents delivery of products that initialize resources with insecure defaults.
SA-5 · System Documentation · SA · Secure configuration and installation documentation prevents initialization of resources with insecure defaults.
PL-11 · Baseline Tailoring · PL · Tailoring replaces or augments insecure default initializations with system-specific values and compensating controls before deployment.
PL-9 · Central Management · PL · Central configuration overrides or replaces insecure default initializations that would otherwise be left unchanged on each system.
PM-30 · Supply Chain Risk Management Strategy · PM · SCRM practices during acquisition and configuration management address insecure default initializations shipped by vendors.
RA-5 · Vulnerability Monitoring and Scanning · RA · Scans detect resources initialized with insecure defaults that create exploitable conditions.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE             Flags     Risk  CVSS  EPSS    Published
CVE-2020-13927  KEV       10.0  9.8   0.9970  2020-11-10
CVE-2022-24706  KEV       10.0  9.8   0.9234  2022-04-26
CVE-2023-27524  KEV       10.0  8.9   0.9740  2023-04-24
CVE-2023-6448   KEV       10.0  9.8   0.0209  2023-12-05
CVE-2025-48927  KEV UPD   10.0  5.3   0.0786  2025-05-28
CVE-2020-11532            8.0   9.8   0.7748  2020-05-08
CVE-2017-5178             7.0   9.8   0.1363  2017-03-08
CVE-2017-3834             7.0   9.8   0.0446  2017-04-06
CVE-2017-7964             7.0   10.0  0.0250  2017-04-19
CVE-2017-8218             7.0   9.8   0.0200  2017-04-25
CVE-2017-8021             7.0   9.8   0.0206  2017-10-03
CVE-2017-12739            7.0   9.8   0.0565  2017-11-15
CVE-2018-0130             7.0   9.8   0.0193  2018-02-22
CVE-2018-5770             7.0   9.8   0.0278  2018-03-20
CVE-2018-3591             7.0   9.8   0.0125  2018-04-11
CVE-2018-10251            7.0   9.8   0.0449  2018-05-04
CVE-2018-8014             7.0   9.8   0.2198  2018-05-16
CVE-2018-10968            7.0   9.8   0.0178  2018-05-18
CVE-2018-15350            7.0   9.8   0.0469  2018-08-17
CVE-2019-3909             7.0   9.8   0.0226  2019-01-18
CVE-2019-5490             7.0   9.8   0.0349  2019-03-21
CVE-2018-19275            7.0   9.8   0.0461  2019-04-02
CVE-2019-11618            7.0   9.8   0.0228  2019-04-30
CVE-2019-1804             7.0   9.8   0.0348  2019-05-03
CVE-2019-5367             7.0   9.8   0.0804  2019-06-05