Home/CWE/Insufficiently Protected Credentials
Weakness

Insufficiently Protected Credentials

CWE-522 · Class · Incomplete

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-1390 · Weak Authentication
ChildOfCWE-287 · Improper Authentication
ChildOfCWE-668 · Exposure of Resource to Wrong Sphere
Children (more specific)
ParentOfCWE-256 · Plaintext Storage of a Password
ParentOfCWE-257 · Storing Passwords in a Recoverable Format
ParentOfCWE-260 · Password in Configuration File
ParentOfCWE-261 · Weak Encoding for Password
ParentOfCWE-523 · Unprotected Transport of Credentials
ParentOfCWE-549 · Missing Password Field Masking

Attack Patterns (CAPEC)

13
How adversaries exploit this weakness, per MITRE CAPEC.
CAPEC-102Session Sidejacking
CAPEC-474Signature Spoofing by Key Theft
CAPEC-50Password Recovery Exploitation
CAPEC-509Kerberoasting
CAPEC-551Modify Existing Service
CAPEC-555Remote Services with Stolen Credentials
CAPEC-560Use of Known Domain Credentials
CAPEC-561Windows Admin Shares with Stolen Credentials
CAPEC-600Credential Stuffing
CAPEC-644Use of Captured Hashes (Pass The Hash)
CAPEC-645Use of Captured Tickets (Pass The Ticket)
CAPEC-652Use of Known Kerberos Credentials
CAPEC-653Use of Known Operating System Credentials

CVEs With This Weakness

1,529
A sample of the 1,529 CVEs tagged with this weakness.
CVECVE-2026-8368
CVECVE-2026-7038
CVECVE-2026-6446
CVECVE-2026-6408
CVECVE-2026-6345
CVECVE-2026-6253
CVECVE-2026-4819
CVECVE-2026-45091
CVECVE-2026-43992
CVECVE-2026-42869
CVECVE-2026-42367
CVECVE-2026-42295

Nuclei Scanner Templates

30
Open-source Nuclei templates that detect this weakness class - an actionable scan-for-it pivot. Licensed under the ProjectDiscovery / Nuclei terms.
criticalZyXel USG - Hardcoded Credentials
criticalKaseya VSA < 9.5.7 - Credential Disclosure via Windows Agent
criticalDahua Security - Configuration File Disclosure
criticalpgAdmin 4 - Authentication Bypass
criticalH3C ER8300G2-X - Password Disclosure
criticalBigAnt - Default Password
highGeneric Env File Disclosure
highRocketChat Live Chat - Unauthenticated Read Access
highQiHang Media Web Digital Signage 3.0.9 - Cleartext Credentials Disclosure
highHoteldruid Management Panel Access
highD-Link - Local File Inclusion
highSPX PHP Profiler - Default Key
highRuijie RG-UAC Unified Internet Behavior Management Audit System - Information Disclosure
highRuijie Smartweb Management System Password Information Disclosure
highElectrolink FM/DAB/TV Transmitter - Credentials Disclosure
highKyocera Net View Address Book Exposure
highAdminer Default Login - Detect
highKanboard - Default Login
highGoIP GSM VoIP Gateway - Default Password
highTiny File Manager - Default Login
highGeoserver Admin - Default Login
highWebLogic Default Login
highNetentsec NS-ICG - Default Login
highMantisBT Default Admin Login
highIBM Security Verify Access - Default Login
highIBM Power HMC - Default Login
highIBM Storage Management Default Login
highIBM MQSeries Web Console Default Login
highHongdian Default Login
highApollo Default Login
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin