NIST 800-53 r5 · Controls catalogue · Family IA
IA-11 Re-authentication
Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (7)
- T1110 Brute Force (Credential Access)
- T1110.001 Password Guessing (Credential Access)
- T1110.002 Password Cracking (Credential Access)
- T1110.003 Password Spraying (Credential Access)
- T1110.004 Credential Stuffing (Credential Access)
- T1556.006 Multi-Factor Authentication (Defense Impairment, Persistence, Credential Access)
- T1556.007 Hybrid Identity (Defense Impairment, Persistence, Credential Access)
Weaknesses this control addresses (4)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-352 | Cross-Site Request Forgery (CSRF) | 10,337 | Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Re-authentication enforces fresh credential validation for critical functions or operations as defined by the organization parameter. |
| CWE-613 | Insufficient Session Expiration | 606 | Re-authentication after inactivity or time-based triggers prevents indefinite use of potentially hijacked or stale sessions. |
| CWE-384 | Session Fixation | 469 | Re-authentication typically forces issuance of a new session, limiting the window for exploitation of a previously fixed session identifier. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-0070 | 2.0 | 9.9 | 0.0016 | good |
| CVE-2026-33124 | 1.8 | 8.8 | 0.0005 | good |
| CVE-2024-53406 | 1.8 | 8.8 | 0.0005 | good |
| CVE-2026-24440 | 1.8 | 8.8 | 0.0006 | good |
| CVE-2026-40588 | 1.6 | 8.1 | 0.0003 | good |
| CVE-2023-53968 | 2.0 | 9.8 | 0.0058 | good |
| CVE-2026-35903 | 2.0 | 9.8 | 0.0002 | good |
| CVE-2024-54530 | 1.8 | 9.1 | 0.0017 | partial |
| CVE-2025-1941 | 1.8 | 9.1 | 0.0007 | good |
| CVE-2026-27939 | 1.8 | 8.8 | 0.0002 | good |
| CVE-2026-24443 | 1.8 | 8.8 | 0.0002 | good |
| CVE-2025-69634 | 1.8 | 9.0 | 0.0006 | partial |
| CVE-2025-55147 | 1.8 | 8.8 | 0.0038 | partial |
| CVE-2026-4924 | 1.6 | 8.2 | 0.0005 | good |
| CVE-2026-33649 | 1.6 | 8.1 | 0.0004 | good |
| CVE-2025-25928 | 1.6 | 8.0 | 0.0021 | partial |
| CVE-2026-42432 | 1.6 | 7.8 | 0.0002 | good |
| CVE-2026-35625 | 1.6 | 7.8 | 0.0004 | good |
| CVE-2026-42084 | 1.6 | 8.1 | 0.0003 | good |
| CVE-2026-29132 | 1.5 | 7.5 | 0.0004 | good |
| CVE-2024-34896 | 1.5 | 7.5 | 0.0031 | partial |
| CVE-2025-25068 | 1.5 | 7.5 | 0.0005 | good |
| CVE-2026-26342 | 2.0 | 9.8 | 0.0041 | partial |
| CVE-2025-30430 | 2.0 | 9.8 | 0.0052 | partial |
| CVE-2025-25379 | 2.0 | 9.6 | 0.0085 | partial |