Home/CWE/Use of Single-factor Authentication
Weakness

Use of Single-factor Authentication

CWE-308 · Base · Draft

The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-1390 · Weak Authentication
ChildOfCWE-654 · Reliance on a Single Factor in a Security Decision
Related
PeerOfCWE-309 · Use of Password System for Primary Authentication

Attack Patterns (CAPEC)

14
How adversaries exploit this weakness, per MITRE CAPEC.
CAPEC-16Dictionary-based Password Attack
CAPEC-49Password Brute Forcing
CAPEC-509Kerberoasting
CAPEC-55Rainbow Table Password Cracking
CAPEC-555Remote Services with Stolen Credentials
CAPEC-560Use of Known Domain Credentials
CAPEC-561Windows Admin Shares with Stolen Credentials
CAPEC-565Password Spraying
CAPEC-600Credential Stuffing
CAPEC-644Use of Captured Hashes (Pass The Hash)
CAPEC-645Use of Captured Tickets (Pass The Ticket)
CAPEC-652Use of Known Kerberos Credentials
CAPEC-653Use of Known Operating System Credentials
CAPEC-70Try Common or Default Usernames and Passwords

CVEs With This Weakness

9
CVEs tagged with this weakness.
CVECVE-2026-33550
CVECVE-2025-64103
CVECVE-2025-42959
CVECVE-2024-50618
CVECVE-2024-47652
CVECVE-2023-50934
CVECVE-2023-49075
CVECVE-2023-34228
CVECVE-2023-25681
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin