A big potential vulnerability is also one of the easiest to resolve: default passwords. Default passwords are set by the manufacturer when a device or system is build. They are well documentet and provided to the final consumer of the product and is intended to be changed. However, not all users or businesses get around to taking this step and hence they leave themselves vulnerable. The reality is that with a bit of scanning and investigation, an attacker can make some educated guesses about what equipment or devices the target may be running. If they can determine that the target organization has not changed the defaults, they can look up the default password in a quick google search and most likely find it on the first GSRP.