Oracle Default Accounts

critical Nessus Plugin ID 22075

One or more default accounts have been found in the remote database.


The remote Oracle database server has one or more default accounts, possibly from older versions of Oracle or third-party software that uses Oracle.

An attacker may use these accounts to gain access to the database and read or possibly even modify it.


If using a third-party product, contact the vendor for an update.

Otherwise, either disable the reported accounts or change the associated passwords.
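
One way to carry out the "disable the reported accounts" step from inside the database, as an added example that is not part of the plugin or of Tenable's text. It assumes Oracle Database 11g or later (where the DBA_USERS_WITH_DEFPWD view exists), SQL*Plus or a compatible client, and a session with access to the DBA_* views; the apply_changes flag is a name chosen here. The view covers Oracle's own list of known defaults, so accounts created by third-party software and reported by the scan may need to be handled by name.

```sql
-- Added example: find accounts that still have a known default password,
-- then lock and expire the ones that can still log in.

-- 1. Inventory: default-password accounts and their current status.
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY u.account_status, d.username;

-- 2. Remediation: print the ALTER USER statement for every such account
--    that is not already permanently locked; run them only once
--    apply_changes (hypothetical name) is set to TRUE.
SET SERVEROUTPUT ON
DECLARE
  apply_changes CONSTANT BOOLEAN := FALSE;  -- flip after reviewing the output
  stmt          VARCHAR2(400);
BEGIN
  FOR r IN (SELECT d.username
            FROM   dba_users_with_defpwd d
            JOIN   dba_users u ON u.username = d.username
            -- 'LOCKED' and 'EXPIRED & LOCKED' end in LOCKED and are skipped;
            -- 'LOCKED(TIMED)' unlocks by itself, so it is still processed.
            WHERE  u.account_status NOT LIKE '%LOCKED'
            -- SYS and SYSTEM are needed for administration: change their
            -- passwords instead of locking them.
            AND    d.username NOT IN ('SYS', 'SYSTEM'))
  LOOP
    -- ENQUOTE_NAME quotes the identifier so unusual account names are
    -- handled safely; FALSE preserves the stored case.
    stmt := 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(r.username, FALSE)
         || ' PASSWORD EXPIRE ACCOUNT LOCK';
    DBMS_OUTPUT.PUT_LINE(stmt);
    IF apply_changes THEN
      EXECUTE IMMEDIATE stmt;
    END IF;
  END LOOP;
END;
/

-- 3. Verification: this should return only accounts that were
--    deliberately left open (for example SYS or SYSTEM, pending a
--    password change).
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
WHERE  u.account_status NOT LIKE '%LOCKED';
```

Accounts that an application depends on should get a new password rather than a lock, after which they drop out of DBA_USERS_WITH_DEFPWD.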

Plugin Details

Severity: Critical

ID: 22075

File Name: oracle_default_account.nbin

Version: 1.200

Type: remote

Family: Databases

Published: 7/19/2006

Updated: 11/12/2021

Dependencies: oracle_default_sids.nbin

Risk Information

CVSS Score Source: manual

CVSS Score Rationale: Score was rationalized for default db credentials.


Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P


Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:2.3:a:oracle:database_server:*:*:*:*:*:*:*:*

Required KB Items: Oracle/TestDefaultAccounts