AN1340: Analytic 1340
Authentication failure logs on routers/switches showing repeated use of default or common passwords across multiple accounts
Analyst context for executives and security teams
This analytic is about spotting repeated failed logins on routers and switches where default or common passwords are tried across multiple accounts. For leaders, the practical issue is not just failed authentication noise: network devices often sit in critical paths for business connectivity, segmentation, remote access, and operational resilience. If default-password attempts are not visible, the organization may miss early signs that weak device administration practices or exposed management interfaces are creating avoidable risk.
Executive priority
Prioritize this as a network infrastructure control and evidence question: do security teams receive and review authentication failure logs from routers and switches, and can they distinguish routine administrator mistakes from repeated default/common password attempts across accounts? This supports resilience, audit readiness, and incident triage by validating whether critical network devices have usable logging and whether default credential exposure can be investigated quickly.
Technical view
For SOC, detection engineering, and IR teams, validate that router and switch authentication failure events are centrally collected, normalized, and searchable by device, account, source, timestamp, and failure reason where available. The analytic focus is repeated use of default or common passwords across multiple accounts on network devices. Since no official detection logic is provided, teams should build environment-specific thresholds and correlation that identify repeated failures spanning accounts and devices while accounting for legitimate administrative errors, monitoring systems, and password rotation activity.
Likely telemetry
- Router and switch authentication failure logs
- Network device administrative login records
- Account names used in failed network device logins
- Source addresses or management stations associated with failed attempts
- Timestamps and counts of repeated failures
Detection direction
- Confirm network devices forward authentication failure logs to the SOC or logging platform; absence of logs is a major blind spot for this analytic.
- Correlate repeated failures across multiple accounts on routers and switches rather than reviewing isolated failed logins only.
- Tune thresholds to reduce false positives from administrators mistyping passwords, automation using stale credentials, or planned credential changes.
- Attempt to identify use of known default or common passwords only where attempted-password detail is actually logged and its collection is permitted; many environments do not log attempted password values, so correlation usually has to key off account breadth and repetition instead.
- Prioritize monitoring of device management interfaces and accounts used for network administration.
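The following Python sketch is an added example (not part of the MITRE object or Glexia's analysis) of the correlation described above: it normalizes failure events by device, account, source and timestamp, then flags a source that fails against several distinct accounts within a sliding window while letting one account's repeated mistypes through. The syslog-style input, device names, addresses and accounts are constructed, loosely modelled on Cisco IOS login-failure messages, and deliberately contain no attempted password values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real device output), loosely modelled on
# Cisco IOS-style login-failure messages. Attempted password values are absent:
# most devices never log them, so the detection keys off account breadth instead.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z core-rtr-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.8.7] [Reason: Login Authentication Failed]
2024-05-01T10:00:09Z core-rtr-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.9.8.7] [Reason: Login Authentication Failed]
2024-05-01T10:00:30Z core-rtr-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.9.8.7] [Reason: Login Authentication Failed]
2024-05-01T10:01:12Z dist-sw-02 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.8.7] [Reason: Login Authentication Failed]
2024-05-01T10:01:40Z dist-sw-02 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: operator] [Source: 10.9.8.7] [Reason: Login Authentication Failed]
2024-05-01T10:02:05Z core-rtr-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [Reason: Login Authentication Failed]
2024-05-01T10:02:20Z core-rtr-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [Reason: Login Authentication Failed]
2024-05-01T10:02:31Z core-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.50]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) .*LOGIN_FAILED: Login failed "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")

def parse_failures(text):
    """Normalise failure lines into device/account/source/timestamp records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # success lines and unrelated syslog are skipped
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "device": m["device"], "user": m["user"], "src": m["src"]})
    return events

def spray_alerts(events, window=timedelta(minutes=10), min_accounts=3):
    """Flag a source that fails against >= min_accounts distinct accounts within
    one sliding window, across any number of devices. A single account failing
    repeatedly (a mistyped or stale password) does not trigger."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            hits = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            accounts = {e["user"] for e in hits}
            if len(accounts) >= min_accounts:
                alerts.append({"src": src, "accounts": sorted(accounts),
                               "devices": sorted({e["device"] for e in hits}),
                               "failures": len(hits), "first_seen": first["ts"]})
                break  # one alert per source; re-alerting is a tuning decision
    return alerts
```

The `window` and `min_accounts` parameters are the tuning knobs the detection direction above refers to; raise them where monitoring systems or automation legitimately touch many device accounts.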
Mitigation priorities
- Ensure default credentials are removed or changed on routers and switches as part of device hardening and onboarding.
- Restrict administrative access to network devices to approved management paths and authorized users.
- Require strong authentication and account governance for network device administration where supported.
- Maintain centralized logging for network device authentication events with sufficient retention for investigation.
- Use periodic control validation to confirm that failed authentication events from routers and switches are visible to detection and incident response teams.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Network Devices and describes authentication failure logs showing repeated use of default or common passwords across multiple accounts. No tactics, detection logic, related techniques, mitigations, or relationships were supplied, so this take frames validation and control priorities conservatively around the official description.
No official detection content or relationship context was provided. Local device models, logging capabilities, authentication architecture, and whether attempted password values are logged will determine how precisely this analytic can be implemented.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a87c584e8dcf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1340
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.