Weakness reference
CWE-1188

Insecure Default Initialization of Resource

This weakness occurs when software ships with default settings that are unsafe—such as default credentials, overly permissive access controls, or disabled…

01Summary

This weakness occurs when software ships with default settings that are unsafe—such as default credentials, overly permissive access controls, or disabled security features—and those defaults are not forced to change during initial setup. An attacker or unauthorized user can exploit these defaults to gain access or escalate privileges without needing to discover a vulnerability.

02How It Happens

Developers often prioritize ease of installation and initial usability over security, leaving default configurations in place to reduce friction during deployment. Common patterns include hardcoded default usernames and passwords, administrative interfaces accessible without authentication, encryption disabled by default, or file permissions set to world-readable. When administrators fail to change these defaults—either because they are unaware they exist, the change process is unclear, or the defaults are not prominently flagged—the system remains exposed. This is especially dangerous in automated deployments or containerized environments where defaults may persist across multiple instances.

03Real-World Impact

An attacker can use publicly known default credentials or access patterns to log in directly, bypass authentication entirely, or access sensitive configuration files. This can lead to immediate account takeover, data exposure, or complete system compromise without triggering any intrusion detection. In multi-tenant or cloud environments, insecure defaults in one instance can cascade to affect many deployments. The barrier to exploitation is extremely low—no sophisticated attack technique is required, only knowledge of the default state.

04Vulnerable & Fixed Patterns

Vulnerable pattern
# Insecure defaults in application initialization
class DatabaseConnection:
    def __init__(self, host=None):
        self.host = host or "localhost"
        self.username = "admin"  # hardcoded default
        self.password = "admin"  # hardcoded default
        self.port = 5432
        self.ssl_enabled = False  # encryption disabled by default
        self.connect()

    def connect(self):
        # Connects with insecure defaults if not overridden
        pass

app = DatabaseConnection()  # Uses all defaults; no prompt to change

Why it's vulnerable:
The application initializes with hardcoded credentials and disabled encryption. An attacker who knows these defaults can connect immediately. There is no mechanism to force or prompt the administrator to change them on first run.

Fixed pattern
import os
from getpass import getpass

class DatabaseConnection:
    def __init__(self, host=None, username=None, password=None, ssl_enabled=None):
        if username is None or password is None:
            raise ValueError(
                "Username and password must be explicitly provided. "
                "Do not rely on defaults."
            )
        self.host = host or "localhost"
        self.username = username
        self.password = password
        self.ssl_enabled = ssl_enabled if ssl_enabled is not None else True
        self.connect()

    def connect(self):
        pass

# Require explicit configuration; fail loudly if defaults are used
if __name__ == "__main__":
    username = os.getenv("DB_USER")
    password = os.getenv("DB_PASSWORD")
    if not username or not password:
        raise RuntimeError(
            "DB_USER and DB_PASSWORD environment variables must be set. "
            "Do not use default credentials."
        )
    app = DatabaseConnection(username=username, password=password, ssl_enabled=True)
Vulnerable pattern
<?php
// Insecure defaults in configuration
class AdminPanel {
    private $admin_user = "admin";      // hardcoded default
    private $admin_pass = "password";   // hardcoded default
    private $auth_enabled = false;      // authentication disabled by default
    
    public function login($user, $pass) {
        if (!$this->auth_enabled) {
            return true;  // No authentication required
        }
        return ($user === $this->admin_user && $pass === $this->admin_pass);
    }
}

$panel = new AdminPanel();
if ($panel->login($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    echo "Access granted";
}
?>

Why it's vulnerable:
Authentication is disabled by default, and hardcoded credentials exist. An attacker can access the admin panel without any credentials, or use the known defaults if authentication is later enabled but not changed.

Fixed pattern
<?php
// Secure defaults with forced configuration
class AdminPanel {
    private $admin_user;
    private $admin_pass;
    private $auth_enabled = true;  // authentication enabled by default
    
    public function __construct($admin_user = null, $admin_pass = null) {
        if (empty($admin_user) || empty($admin_pass)) {
            throw new Exception(
                "Admin credentials must be explicitly configured. "
                "Do not use default or empty values."
            );
        }
        $this->admin_user = $admin_user;
        $this->admin_pass = password_hash($admin_pass, PASSWORD_BCRYPT);
    }
    
    public function login($user, $pass) {
        if (!$this->auth_enabled) {
            throw new Exception("Authentication is required and cannot be disabled.");
        }
        return ($user === $this->admin_user && 
                password_verify($pass, $this->admin_pass));
    }
}

// Require explicit configuration from environment or config file
$admin_user = getenv('ADMIN_USER');
$admin_pass = getenv('ADMIN_PASSWORD');
if (!$admin_user || !$admin_pass) {
    die("ADMIN_USER and ADMIN_PASSWORD environment variables must be set.");
}
$panel = new AdminPanel($admin_user, $admin_pass);
?>

05Prevention Checklist

Eliminate hardcoded credentials.
Never ship with default usernames, passwords, API keys, or tokens. Require them to be supplied at deployment time via environment variables, secure configuration files, or a setup wizard.
Fail securely on missing configuration.
If critical security settings are not explicitly configured, the application should refuse to start or operate, rather than falling back to insecure defaults.
Enable security features by default.
Encryption, authentication, logging, and access controls should be on by default; administrators should have to explicitly disable them if needed, not enable them.
Document all defaults prominently.
Provide a security checklist or setup guide that explicitly lists every default setting and instructs administrators which ones must be changed before production use.
Implement a first-run setup wizard.
Force administrators to set critical credentials and security parameters on initial deployment, with clear warnings about the consequences of weak choices.
Audit and rotate defaults regularly.
Periodically review your application's default configuration and test that it cannot be exploited with publicly known defaults.

06Signs You May Already Be Affected

Check your application logs and access records for successful logins using common default usernames (e.g., "admin," "root," "test") or from unexpected IP addresses. Review your configuration files and environment variables to confirm that no hardcoded credentials or overly permissive settings are present. If you cannot immediately recall changing critical security settings from their shipped state, or if your setup documentation does not explicitly require credential changes, your deployment may be using insecure defaults.

07Related Recent Vulnerabilities