Default credentials unchanged.

Overview

Description

Generally, devices, embedded systems, tools and frameworks ship with default configurations that contain default credentials.

These default credentials are intended only for initial setup and configuration, and almost all manufacturers recommend changing them before putting the system into use.

The devices most commonly found with default credentials are network modems, routers, cameras and IoT devices.

According to this, 61% of targets have default passwords.

An attacker can quickly obtain such default usernames and passwords from the product documentation. They are also collected on websites such as https://cirt.net/passwords

Example

Here is one simple example:

Username: admin/administrator/root/system/guest/operator/super

Password: password/pass123/password123/admin/guest

Impact

It could allow the attacker to access the administrative portal of the affected device.

It could leak sensitive data or information belonging to the organization.

Prevention

  • Change default passwords before deploying the system.
  • Manufacturers should use unique and robust default passwords instead of simple and common ones.
  • Force the user to change the default password during initial setup.
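The following is an added example (not from the original page or any product mentioned here) showing how a device's authentication layer can implement the third prevention point: a factory account is flagged as "must change" until a new password is set, the new password may not be one of the known defaults, and an audit helper reports any local account that still accepts a default. The account store, the `DEFAULT_PASSWORDS` list (taken from the page's example) and the choice of PBKDF2 for hashing are assumptions made for this example.

```python
"""Force a default-password change at first login, and audit for leftovers.

Added example: models a small device account store. Accounts created
from factory defaults are flagged and must set a new password before
the login is considered complete; the new password may not be a known
default. PBKDF2-HMAC-SHA256 from the standard library is used for hashing
(an illustrative choice, not a recommendation of a specific product).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Known factory defaults (constructed from the page's example list).
DEFAULT_PASSWORDS = {"password", "pass123", "password123", "admin", "guest"}
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 12


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool  # True while the factory default is still in place


class DeviceAuth:
    """Hypothetical account store for an embedded device."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def provision_default(self, username: str, password: str) -> None:
        """Create the factory account; it is flagged until the password is replaced."""
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash(password, salt), True)

    def login(self, username: str, password: str) -> str:
        """Return 'denied', 'password-change-required' or 'ok'."""
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.digest, _hash(password, acct.salt)):
            return "denied"
        if acct.must_change:
            # Correct credential, but the factory default is still in place:
            # the only operation allowed now is change_password().
            return "password-change-required"
        return "ok"

    @staticmethod
    def is_acceptable(new_password: str) -> bool:
        """Reject short passwords and anything on the known-default list."""
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False
        if new_password.lower() in DEFAULT_PASSWORDS:
            return False
        return True

    def change_password(self, username: str, old: str, new: str) -> bool:
        if self.login(username, old) == "denied":
            return False
        if not self.is_acceptable(new):
            return False
        salt = os.urandom(16)
        acct = self.accounts[username]
        acct.salt, acct.digest, acct.must_change = salt, _hash(new, salt), False
        return True


def audit_defaults(auth: DeviceAuth) -> list[str]:
    """List local accounts that are still flagged or still accept a known default.

    Intended for an operator checking their own device before deployment.
    """
    flagged = []
    for name, acct in auth.accounts.items():
        still_default = any(
            hmac.compare_digest(acct.digest, _hash(p, acct.salt)) for p in DEFAULT_PASSWORDS
        )
        if acct.must_change or still_default:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    auth = DeviceAuth()
    auth.provision_default("admin", "admin")
    print(auth.login("admin", "admin"))          # password-change-required
    print(audit_defaults(auth))                  # ['admin']
    auth.change_password("admin", "admin", "correct-horse-battery-staple")
    print(auth.login("admin", "admin"))          # denied
    print(audit_defaults(auth))                  # []
```

The important detail is that a correct default credential does not yield a usable session: the login returns a distinct "password-change-required" state, and the only action that state permits is setting a new password that passes the policy. Running `audit_defaults` as part of a pre-deployment checklist catches accounts that were provisioned but never changed.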

Tools

  • changeme: a default credential scanner.