Cyber Posture

NIST 800-53 r5 · Controls catalogue · Family SC

SC-23 Session Authenticity

Protect the authenticity of communications sessions.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (20)

Weaknesses this control addresses (8)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-319 | Cleartext Transmission of Sensitive Information | 1,042 | Eliminates cleartext exposure of session identifiers or tokens that would allow hijacking.
CWE-290 | Authentication Bypass by Spoofing | 631 | Requires cryptographic or protocol-level verification that blocks spoofed session establishment or continuation.
CWE-346 | Origin Validation Error | 548 | Mandates origin validation so that only legitimate endpoints can continue the authenticated session.
CWE-384 | Session Fixation | 469 | Enforces proper session ID generation and binding, preventing fixation of a known session token.
CWE-294 | Authentication Bypass by Capture-replay | 264 | Protects against replay of captured session tokens or credentials by requiring authenticated, fresh session channels.
CWE-300 | Channel Accessible by Non-Endpoint | 53 | Directly prevents non-endpoint access or interception of the session communication path.
CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | 52 | Forces the Secure flag on session cookies, preventing their transmission over unauthenticated HTTP channels.
CWE-940 | Improper Verification of Source of a Communication Channel | 45 | Requires explicit verification of the communication source, blocking session hijacking via spoofed or alternate channels.

Top CVEs where this control is the strongest mitigation

CVE | Risk | CVSS | EPSS | Match
CVE-2025-23922 | 2.2 | 10.0 | 0.0372 | good
CVE-2026-27755 | 2.0 | 9.8 | 0.0015 | good
CVE-2025-63216 | 2.0 | 10.0 | 0.0016 | good
CVE-2025-25101 | 2.0 | 9.6 | 0.0124 | good
CVE-2023-53968 | 2.0 | 9.8 | 0.0058 | good
CVE-2025-25379 | 2.0 | 9.6 | 0.0085 | good
CVE-2024-13279 | 2.0 | 9.8 | 0.0018 | good
CVE-2025-63666 | 2.0 | 9.8 | 0.0010 | good
CVE-2026-30789 | 2.0 | 9.8 | 0.0017 | good
CVE-2018-25318 | 2.0 | 9.8 | 0.0016 | good
CVE-2026-35903 | 2.0 | 9.8 | 0.0002 | good
CVE-2026-25101 | 2.0 | 9.8 | 0.0006 | good
CVE-2026-3256 | 2.0 | 9.8 | 0.0002 | good
CVE-2018-25316 | 2.0 | 9.8 | 0.0016 | good
CVE-2025-40926 | 2.0 | 9.8 | 0.0007 | good
CVE-2026-30793 | 2.0 | 9.8 | 0.0004 | good
CVE-2026-24352 | 2.0 | 9.8 | 0.0002 | good
CVE-2026-23796 | 2.0 | 9.8 | 0.0006 | good
CVE-2025-67135 | 2.0 | 9.8 | 0.0002 | good
CVE-2025-52689 | 2.0 | 9.8 | 0.0078 | good
CVE-2024-51144 | 1.9 | 8.8 | 0.0312 | good
CVE-2025-25107 | 1.9 | 9.6 | 0.0014 | good
CVE-2026-39640 | 1.9 | 9.6 | 0.0002 | good
CVE-2026-40471 | 1.9 | 9.6 | 0.0002 | good
CVE-2025-25106 | 1.9 | 9.6 | 0.0010 | good

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9