TID-311: Default Credentials
Threat Description
Devices often ship with default credentials set by the vendor. These credentials can be changed, but the change is often overlooked when devices are commissioned. If left unchanged, a threat actor may discover and use them to gain unauthorized access to the device. Non-unique or predictable default credentials can therefore lead to device compromise.
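As an added example (not part of this catalogue entry), the following Python check enforces the two mitigations implied above at commissioning time: a candidate credential is rejected if it matches a documented vendor default for the device model, or if the same password is already in use on another device in the fleet. The model names and default credentials are constructed placeholders, not real vendor values.

```python
import hashlib

# Constructed placeholder list of vendor default credentials per device model.
# In practice this is populated from the vendor documentation for each model.
KNOWN_DEFAULTS = {
    "example-plc-a": {("admin", "admin"), ("operator", "1234")},
    "example-hmi-b": {("root", "password")},
}


def _fingerprint(password: str) -> str:
    # Unsalted digest on purpose: identical passwords on different devices must
    # collide so that non-unique credentials can be detected. Only the digest is
    # retained by the commissioning record, never the password itself.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_credential(model, username, password, fleet_fingerprints):
    """Return findings for a candidate credential; an empty list means it passes.

    fleet_fingerprints maps a password digest to the device already using it.
    """
    findings = []
    if (username, password) in KNOWN_DEFAULTS.get(model, set()):
        findings.append("default: credential matches a documented vendor default")
    fp = _fingerprint(password)
    if fp in fleet_fingerprints:
        findings.append(f"non-unique: same password already used on {fleet_fingerprints[fp]}")
    return findings


def commission(device_id, model, username, password, fleet_fingerprints):
    """Record the device's credential only if all checks pass; return findings."""
    findings = check_credential(model, username, password, fleet_fingerprints)
    if not findings:
        fleet_fingerprints[_fingerprint(password)] = device_id
    return findings


def demo():
    """Scripted commissioning of two constructed devices; returns each step's findings."""
    fleet = {}
    results = [
        commission("plc-01", "example-plc-a", "admin", "admin", fleet),      # unchanged default
        commission("plc-01", "example-plc-a", "admin", "Xk9#vq2Lp!", fleet),  # accepted
        commission("plc-02", "example-plc-a", "admin", "Xk9#vq2Lp!", fleet),  # reused on 2nd device
        commission("plc-02", "example-plc-a", "admin", "Q7m$wd8Rz&", fleet),  # accepted
    ]
    return results, len(fleet)


if __name__ == "__main__":
    for step, findings in enumerate(demo()[0], 1):
        print(step, findings or "ok")
```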
Threat Maturity and Evidence
Observed Adversarial Technique
IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities
“Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices.”
CWE
CWE-1392: Use of Default Credentials (Base)
“The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.”
CWE-1393: Use of Default Password (Base)
“The product uses default passwords for potentially critical functionality.”
CVE
ICEFALL - CVE-2022-29962
“The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. FTP has hardcoded credentials (but may often be disabled in production).”
CVE-2021-22681, CISA Alert
A hardcoded key in the Studio 5000 Logix Designer software and related PLCs would allow actors who can extract the key from the software to authenticate to controllers without going through the software or normal authentication process.