CWE · MITRE source
CWE-259: Use of Hard-coded Password
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
There are two main variations of a hard-coded password:
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 6 mapping(s) from 2 framework(s): ATT&CK 5 (mostly) · OWASP-Web 1 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A07:2025 Authentication Failures.
NIST 800-53 r5 controls that address this weakness (4) · AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IA-5 | Authenticator Management | IA | Changing default authenticators prior to first use directly prevents use of hard-coded passwords. |
| PM-16 | Threat Awareness Program | PM | Shared threat data frequently highlights products or deployments still using hard-coded passwords, enabling remediation that directly blocks credential-based attacks. |
| SA-21 | Developer Screening | SA | Background checks and authorization requirements decrease the probability that a developer will hard-code passwords for later unauthorized access. |
| SR-6 | Supplier Assessments and Reviews | SR | Reviews of supplier deliverables reduce the chance that hard-coded passwords are introduced into the system. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2023-5222 | 8.0 | 6.3 | 0.7470 | 2023-09-27 |
| CVE-2016-9358 | 7.0 | 9.8 | 0.0213 | 2017-06-30 |
| CVE-2017-6022 | 7.0 | 9.8 | 0.0175 | 2017-06-30 |
| CVE-2015-3953 | 7.0 | 9.8 | 0.0197 | 2019-03-25 |
| CVE-2014-5434 | 7.0 | 9.8 | 0.0156 | 2019-03-26 |
| CVE-2020-12016 | 7.0 | 9.8 | 0.0186 | 2020-06-29 |
| CVE-2020-12045 | 7.0 | 9.8 | 0.0166 | 2020-06-29 |
| CVE-2020-12047 | 7.0 | 9.8 | 0.0166 | 2020-06-29 |
| CVE-2021-27440 | 7.0 | 9.8 | 0.0135 | 2021-03-25 |
| CVE-2019-10881 | 7.0 | 9.8 | 0.0099 | 2021-04-13 |
| CVE-2021-32525 | 7.0 | 9.1 | 0.0172 | 2021-07-07 |
| CVE-2021-22729 | 7.0 | 9.8 | 0.0175 | 2021-07-21 |
| CVE-2021-28813 | 7.0 | 9.6 | 0.0106 | 2021-09-10 |
| CVE-2021-38456 | 7.0 | 9.8 | 0.0111 | 2021-10-12 |
| CVE-2021-36312 | 7.0 | 9.1 | 0.0104 | 2021-11-23 |
| CVE-2021-34601 | 7.0 | 9.8 | 0.0101 | 2022-04-27 |
| CVE-2017-20039 | 7.0 | 9.8 | 0.0116 | 2022-06-11 |
| CVE-2022-30271 | 7.0 | 9.8 | 0.0087 | 2022-07-26 |
| CVE-2022-22144 | 7.0 | 9.8 | 0.0081 | 2022-08-05 |
| CVE-2022-41653 | 7.0 | 9.8 | 0.0070 | 2022-12-13 |
| CVE-2022-45444 | 7.0 | 10.0 | 0.0094 | 2023-01-18 |
| CVE-2023-2645 | 7.0 | 9.8 | 0.0315 | 2023-05-11 |
| CVE-2023-23770 | 7.0 | 9.4 | 0.0045 | 2023-08-29 |
| CVE-2024-28010 | 7.0 | 9.8 | 0.0058 | 2024-03-28 |
| CVE-2024-27488 | 7.0 | 9.8 | 0.0063 | 2024-04-08 |