CWE · MITRE source
CWE-1390: Weak Authentication
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
Attackers may be able to bypass weak authentication faster and/or with less effort than expected.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (5) AI
The 4 most specific controls are listed first; the last row is a generic control that addresses many weakness types.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IA-1 | Policy and Procedures | IA | The IA policy requires strong authentication methods, reducing use of weak authentication. |
| IA-10 | Adaptive Authentication | IA | Enforces dynamic, context-aware authentication that mitigates weak static authentication by increasing requirements based on risk or conditions. |
| IA-2 | Identification and Authentication (Organizational Users) | IA | Enforces authentication for users, reducing the viability of weak authentication mechanisms. |
| AC-9 | Previous Logon Notification | AC | Helps detect exploitation of weak authentication mechanisms by notifying of previous unauthorized logons. |
| IA-7 | Cryptographic Module Authentication | IA | Requires authentication mechanisms to meet applicable standards and guidelines, preventing weak authentication. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-40552 | 2.5 | 9.8 | 0.0855 | 2026-01-28 |
| CVE-2025-40554 | 2.3 | 9.8 | 0.0629 | 2026-01-28 |
| CVE-2022-43400 | 2.0 | 9.8 | 0.0119 | 2022-10-21 |
| CVE-2023-49340 | 2.0 | 9.8 | 0.0026 | 2024-03-09 |
| CVE-2024-13239 | 2.0 | 9.8 | 0.0043 | 2025-01-09 |
| CVE-2025-1387 | 2.0 | 9.8 | 0.0061 | 2025-02-17 |
| CVE-2024-54092 | 2.0 | 9.8 | 0.0048 | 2025-04-08 |
| CVE-2025-39596 | 2.0 | 9.8 | 0.0028 | 2025-04-17 |
| CVE-2025-12870 | 2.0 | 9.8 | 0.0014 | 2025-11-12 |
| CVE-2025-12871 | 2.0 | 9.8 | 0.0023 | 2025-11-12 |
| CVE-2025-63807 | 2.0 | 9.8 | 0.0011 | 2025-11-20 |
| CVE-2023-53894 | 2.0 | 9.8 | 0.0050 | 2025-12-16 |
| CVE-2025-30411 | 2.0 | 10.0 | 0.0005 | 2026-02-20 |
| CVE-2025-30412 | 2.0 | 10.0 | 0.0005 | 2026-02-20 |
| CVE-2026-28710 | 2.0 | 9.8 | 0.0010 | 2026-03-06 |
| CVE-2026-6886 | 2.0 | 9.8 | 0.0019 | 2026-04-23 |
| CVE-2024-34451 | 1.9 | 9.1 | 0.0069 | 2024-06-16 |
| CVE-2024-38182 | 1.9 | 9.0 | 0.0201 | 2024-07-31 |
| CVE-2025-27740 | 1.9 | 8.8 | 0.0171 | 2025-04-08 |
| CVE-2024-29837 | 1.8 | 8.8 | 0.0020 | 2024-04-15 |
| CVE-2024-36787 | 1.8 | 8.8 | 0.0002 | 2024-06-07 |
| CVE-2024-39848 | 1.8 | 9.1 | 0.0007 | 2024-06-29 |
| CVE-2024-45367 | 1.8 | 9.1 | 0.0013 | 2024-10-03 |
| CVE-2024-49019 | 1.8 | 7.8 | 0.0483 | 2024-11-12 |
| CVE-2024-48886 | 1.8 | 9.0 | 0.0056 | 2025-01-14 |