The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
View on MITREIf the product's administrator does not have the ability to manage security-related decisions at all times, then protecting the product from outside threats - including the product's developer - can become impossible. For example, a hard-coded account name and password cannot be changed by the administrator, thus exposing that product to attacks that the administrator can not prevent.
No mitigation information available for this CWE.
No detection method information available for this CWE.
The following code is an example of an internal hard-coded password in the back-end:
Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality."
The following code is an example of an internal hard-coded password in the back-end:
Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality."
Condition Monitor firmware has a maintenance interface with hard-coded credentials
View DetailsGUI configuration tool does not enable a security option when a checkbox is selected, although that option is honored when manually set in the configuration file.
View DetailsCWE-671: Lack of Administrator Control over Security is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator. If the product's administrator does not have the ability to manage security-related decisions at all times, then protecting the product from outside threats - including the product's developer - can become impossible. For example, a hard-coded account name and password cannot be changed by the administrator, thus exposing that product to attacks that the administrator can not prevent.
If exploited, CWE-671 (Lack of Administrator Control over Security) it can compromise Other, leading to outcomes such as Varies by Context.
MITRE documents real CVEs mapped to CWE-671, including CVE-2022-29953 and CVE-2000-0127. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-671 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.