CWE-1263: Improper Physical Access Control
The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.
Sections of a product intended to have restricted access may be inadvertently or intentionally rendered accessible when the implemented physical protections are insufficient. The specific requirements for how robust the design of the physical protection mechanism needs to be depend on the type of product being protected. Selecting the correct physical protection mechanism and properly enforcing it through implementation and manufacturing are critical to the overall physical security of the product.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (22) [AI]
Showing the 10 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| PE-10 | Emergency Shutoff | PE | Placement for authorized access and protection against unauthorized activation specifically address improper physical access control. |
| PE-12 | Emergency Lighting | PE | Automatic emergency lighting ensures visibility on exits and evacuation routes during power outages, reducing an attacker's ability to exploit improper physical access controls by using darkness to navigate or access restricted areas. |
| PE-16 | Delivery and Removal | PE | Directly implements authorization and control of physical items entering and exiting the facility to prevent improper physical access. |
| MP-2 | Media Access | MP | Restricting access to media directly implements controls to prevent improper physical access to storage media. |
| MP-4 | Media Storage | MP | Physically controlling and securely storing media directly implements proper physical access controls for system media. |
| MP-7 | Media Use | MP | Prohibiting portable storage devices without identifiable owners is a direct physical access control measure limiting untraceable media interaction with systems. |
| SC-41 | Port and I/O Device Access | SC | Reduces physical access attack surface by disabling physical ports and I/O devices. |
| SC-48 | Sensor Relocation | SC | Physical or environmental sensor movement directly mitigates weaknesses in physical access control by eliminating fixed, tamperable, or avoidable sensor placements. |
| MA-7 | Field Maintenance | MA | Field maintenance requires physical or on-site access, and restricting it mitigates improper physical access control. |
| SR-10 | Inspection of Systems or Components | SR | Physical inspection directly detects tampering that occurs when physical access controls are absent or bypassed. |
12 more broadly-applicable controls:
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| PE-17 | Alternate Work Site | PE | Requiring documentation of allowed sites plus implementation and assessment of controls at alternate work sites directly prevents improper physical access to systems and data. |
| PE-18 | Location of System Components | PE | Positioning components to minimize unauthorized physical access directly strengthens physical access controls and reduces exploitability of weaknesses allowing physical intrusion or tampering. |
| PE-2 | Physical Access Authorizations | PE | This control directly develops, approves, maintains, reviews, and revokes physical facility access authorizations and credentials, preventing improper physical access control. |
| PE-20 | Asset Monitoring and Tracking | PE | Asset location and movement monitoring detects unauthorized physical relocation or access to protected assets. |
| PE-23 | Facility Location | PE | Selecting facility sites to avoid physical and environmental hazards directly reduces the exploitability of improper physical access controls. |
| PE-3 | Physical Access Control | PE | Directly implements physical access authorizations, ingress/egress controls, visitor escorting, and key/combination management to prevent unauthorized physical entry. |
| PE-4 | Access Control for Transmission | PE | Directly implements physical access restrictions to transmission lines and media, preventing unauthorized physical tampering or interception. |
| PE-5 | Access Control for Output Devices | PE | Directly implements physical access controls on output devices to block unauthorized retrieval of their outputs. |
| PE-6 | Monitoring Physical Access | PE | Direct monitoring, logging, and incident-response coordination for physical facility access tangibly detects and deters unauthorized entry or tampering that would exploit missing or weak physical access controls. |
| PE-7 | Visitor Control | PE | Directly addresses physical access by mandating visitor registration, escorting, and logging to prevent unauthorized presence. |
| PE-8 | Visitor Access Records | PE | Maintaining, reviewing, and reporting anomalies in visitor access records directly detects and deters exploitation of improper physical access controls to the facility containing the system. |
| PE-9 | Power Equipment and Cabling | PE | Directly implements physical barriers, enclosures, and access restrictions that prevent unauthorized actors from reaching and damaging power equipment or cabling. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-48973 | 1.9 | 9.3 | 0.0012 | 2024-11-14 |
| CVE-2023-38290 | 1.6 | 7.8 | 0.0005 | 2024-04-22 |
| CVE-2024-36438 | 1.5 | 7.3 | 0.0003 | 2024-07-15 |
| CVE-2024-28326 | 1.4 | 6.8 | 0.0010 | 2024-04-26 |
| CVE-2025-8762 | 1.4 | 6.8 | 0.0002 | 2025-08-13 |
| CVE-2025-4386 | 1.4 | 6.8 | 0.0002 | 2026-05-07 |
| CVE-2022-32506 | 1.3 | 6.4 | 0.0005 | 2024-05-14 |
| CVE-2024-39512 | 1.3 | 6.6 | 0.0015 | 2024-07-10 |
| CVE-2022-3728 | 1.2 | 6.1 | 0.0013 | 2023-10-09 |
| CVE-2022-48182 | 1.2 | 6.1 | 0.0013 | 2023-10-09 |
| CVE-2022-48183 | 1.2 | 6.1 | 0.0013 | 2023-10-09 |
| CVE-2025-59696 | 0.6 | 3.2 | 0.0002 | 2025-12-02 |
| CVE-2025-6785 | 0.0 | 0.0 | 0.0003 | 2025-09-04 |