NIST 800-53 r5 · Controls catalogue · Family AC
AC-25Reference Monitor
Implement a reference monitor for {{ insert: param, ac-25_odp }} that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (8)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-862 | Missing Authorization | 8,680 | Always invoking the reference monitor prevents missing authorization checks for protected resources. |
CWE-284 | Improper Access Control | 4,832 | Provides a tamperproof, always-invoked, and verifiable mechanism to enforce access control policies. |
CWE-863 | Incorrect Authorization | 3,234 | The small, testable reference monitor reduces the likelihood of incorrect authorization implementations. |
CWE-269 | Improper Privilege Management | 2,907 | Enforces proper privilege management by requiring all decisions through the verified reference monitor. |
CWE-306 | Missing Authentication for Critical Function | 2,567 | Guarantees critical functions are protected by mandatory invocation of the access control mechanism. |
CWE-285 | Improper Authorization | 1,230 | Ensures authorization decisions are always performed by a complete and analyzable reference monitor. |
CWE-693 | Protection Mechanism Failure | 476 | Implements a reliable, tamperproof protection mechanism whose completeness can be assured. |
CWE-425 | Direct Request ('Forced Browsing') | 255 | Forces all accesses through the reference monitor, preventing direct or forced requests that bypass checks. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-24178 | 2.0 | 9.8 | 0.0067 | good |
CVE-2025-43261 | 2.0 | 9.8 | 0.0025 | good |
CVE-2026-35666 | 1.8 | 8.8 | 0.0005 | good |
CVE-2026-29648 | 1.8 | 8.8 | 0.0004 | good |
CVE-2026-33631 | 1.7 | 8.7 | 0.0002 | good |
CVE-2026-24222 | 1.7 | 8.6 | 0.0006 | good |
CVE-2025-0359 | 1.7 | 8.5 | 0.0011 | good |
CVE-2026-35570 | 1.7 | 8.4 | 0.0001 | good |
CVE-2026-0008 | 1.7 | 8.4 | 0.0001 | good |
CVE-2026-41296 | 1.6 | 8.2 | 0.0003 | good |
CVE-2026-28817 | 1.6 | 8.1 | 0.0001 | good |
CVE-2025-25500 | 1.6 | 7.5 | 0.0092 | good |
CVE-2026-33632 | 1.6 | 7.8 | 0.0001 | good |
CVE-2025-69783 | 1.6 | 7.8 | 0.0001 | good |
CVE-2024-53841 | 1.6 | 7.8 | 0.0001 | good |
CVE-2026-37525 | 1.6 | 7.8 | 0.0001 | good |
CVE-2026-23989 | 1.6 | 8.2 | 0.0002 | good |
CVE-2025-35998 | 1.6 | 7.9 | 0.0001 | good |
CVE-2026-32988 | 1.5 | 7.5 | 0.0001 | good |
CVE-2026-40968 | 0.8 | 4.2 | 0.0003 | good |
CVE-2025-71257 | 2.4 | 7.3 | 0.1557 | good |
CVE-2024-55968 | 2.4 | 8.8 | 0.1048 | good |
CVE-2024-44373 | 2.1 | 9.8 | 0.0157 | good |
CVE-2026-23830 | 2.0 | 10.0 | 0.0020 | good |
CVE-2025-24238 | 2.0 | 9.8 | 0.0081 | good |