CWE · MITRE source
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker.

Some kinds of sensitive information include:

Information might be sensitive to different parties, each of which may have their own expectations for whether the information should be protected. These parties include:

Information exposures can occur in different ways:

It is common practice to describe any loss of confidentiality as an "information exposure," but this can lead to overuse of CWE-200 in CWE mapping. From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or out-of-bounds read. CWE-200 and its lower-level descendants are intended to cover the mistakes that occur in behaviors that explicitly manage, store, transfer, or cleanse sensitive information.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (80) [AI]
The 15 most specific controls are listed first; the 65 more broadly applicable controls, which address many weakness types, follow them.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| PM-1 | Information Security Program Plan | PM | Requiring protection of the program plan from unauthorized disclosure directly reduces exposure of sensitive security program details and control descriptions. |
| PM-11 | Mission and Business Process Definition | PM | Explicitly requires identifying protection needs for sensitive information during process definition, making exposure to unauthorized actors less likely through better process design. |
| PM-13 | Security and Privacy Workforce | PM | Trained staff understand data-handling requirements and are less likely to expose sensitive information through misconfiguration or poor design. |
| SC-14 | Public Access Protections | SC | Limits disclosure of sensitive information by ensuring only authorized actors can reach it through public interfaces. |
| SC-15 | Collaborative Computing Devices and Applications | SC | Prevents covert remote capture and exposure of audio/video streams to unauthorized actors. |
| SC-16 | Transmission of Security and Privacy Attributes | SC | Associating security/privacy attributes with exchanged data enables receiving systems to enforce handling rules and avoid unauthorized disclosure. |
| SI-11 | Error Handling | SI | Restricts error message visibility to authorized recipients, directly reducing unauthorized exposure of sensitive information. |
| SI-15 | Information Output Filtering | SI | Filtering output to only permitted content stops unintended disclosure of sensitive information to unauthorized actors. |
| SI-18 | Personally Identifiable Information Quality Operations | SI | Regular deletion of inaccurate or outdated PII directly reduces the volume of sensitive information retained that could be exposed. |
| AC-15 | Automated Marking | AC | Automated marking applies security attributes to system outputs, so sensitive output is not mishandled as if it were unmarked, reducing unauthorized exposure. |
| AC-16 | Security and Privacy Attributes | AC | Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels. |
| AC-20 | Use of External Systems | AC | Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it. |
| MP-1 | Policy and Procedures | MP | The media protection policy defines requirements and procedures to prevent unauthorized disclosure or access to sensitive information on media. |
| MP-3 | Media Marking | MP | Media marking ensures sensitive information on removable or system media is handled according to its classification, reducing the chance of inadvertent exposure to unauthorized actors. |
| MP-4 | Media Storage | MP | Secure storage and protection of media until destruction or sanitization prevents unauthorized actors from accessing sensitive information on the media. |
| PM-17 | Protecting Controlled Unclassified Information on External Systems | PM | Policies mandate protection of CUI on external systems, directly reducing unauthorized exposure of sensitive information. |
| PM-21 | Accounting of Disclosures | PM | Requiring detailed, requestable records of every PII disclosure directly aids detection of unauthorized exposures of sensitive information. |
| PM-22 | Personally Identifiable Information Quality Management | PM | Policies requiring periodic review and deletion of inaccurate/outdated PII reduce the amount of sensitive information retained and therefore exposed. |
| PM-23 | Data Governance Body | PM | Promotes data classification, handling, and protection policies that limit unauthorized exposure of sensitive information. |
| PM-24 | Data Integrity Board | PM | Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems. |
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | PM | Minimizing PII in testing/training/research directly reduces the volume of sensitive data present in environments where it could be exposed to unauthorized actors. |
| PM-26 | Complaint Management | PM | Provides individuals an accessible, tracked channel to report exposures of sensitive information, prompting timely organizational review and remediation that shortens the window for exploitation. |
| PM-27 | Privacy Reporting | PM | Privacy reports require tracking and disclosing unauthorized exposures of sensitive information, increasing detection risk for such weaknesses. |
| PM-5 | System Inventory | PM | Inventory identifies all systems holding or processing data, enabling detection of unauthorized exposure paths before exploitation. |
| PM-8 | Critical Infrastructure Plan | PM | Privacy provisions in the plan reduce the chance that sensitive data held by critical infrastructure is left exposed to unauthorized actors. |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | SC | Internal/external role separation directly prevents external actors from obtaining sensitive internal host and network information via name resolution. |
| SC-25 | Thin Nodes | SC | Minimal information storage directly reduces the quantity of sensitive data resident on the component that could be exposed. |
| SC-26 | Decoys | SC | Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure. |
| SC-28 | Protection of Information at Rest | SC | Encrypting or otherwise protecting data at rest directly prevents unauthorized actors from reading sensitive information stored on disk or other media. |
| SC-30 | Concealment and Misdirection | SC | Concealment techniques directly prevent real sensitive data from being exposed to adversaries. |
| SC-37 | Out-of-band Channels | SC | Out-of-band delivery transmits sensitive data on a separate path, directly reducing exposure to unauthorized actors on the primary channel. |
| SC-38 | Operations Security | SC | Directly prevents exposure of critical organizational information by applying OPSEC processes across the SDLC. |
| SC-40 | Wireless Link Protection | SC | Wireless link protection (encryption, directional transmission, etc.) directly prevents unauthorized actors from observing transmitted data. |
| SC-42 | Sensor Capability and Data | SC | Requiring explicit sensor-use indication and prohibiting selected capabilities directly reduces covert collection and exposure of sensitive data captured by device sensors. |
| SI-19 | De-identification | SI | De-identification directly prevents exposure of sensitive/PII data to unauthorized actors when datasets are released or shared. |
| SI-20 | Tainting | SI | Tainting directly detects exfiltration resulting from exposure of sensitive information to unauthorized actors. |
| SI-21 | Information Refresh | SI | Deleting information when no longer needed directly reduces the window during which sensitive data can be exposed to unauthorized actors. |
| SI-23 | Information Fragmentation | SI | Fragmentation across systems ensures that exposure from any single component yields only incomplete information, directly reducing the impact of unauthorized disclosure. |
| AC-21 | Information Sharing | AC | By enforcing authorization matching prior to sharing, the control reduces the risk of exposing sensitive information to unauthorized actors. |
| AC-22 | Publicly Accessible Content | AC | Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors. |
| AC-23 | Data Mining Protection | AC | Data mining protection mechanisms detect and block unauthorized bulk extraction of sensitive data, directly mitigating exposure to unauthorized actors. |
| MP-5 | Media Transport | MP | Protecting and controlling media during external transport prevents exposure of sensitive information to unauthorized actors. |
| MP-6 | Media Sanitization | MP | Sanitizing media before disposal or release out of control prevents sensitive information from remaining accessible to unauthorized actors who obtain the media. |
| MP-8 | Media Downgrading | MP | A proper media downgrading process prevents sensitive information from remaining on media that is then accessible to lower-classification recipients. |
| AU-13 | Monitoring for Information Disclosure | AU | Monitoring directly detects unauthorized disclosure of sensitive information, enabling response to exposures. |
| AU-14 | Session Audit | AU | Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities. |
| AU-16 | Cross-organizational Audit Logging | AU | Coordinating audit logging across organizational boundaries reduces the risk of sensitive audit data being exposed to unauthorized actors during transmission. |
| AU-6 | Audit Record Review, Analysis, and Reporting | AU | Audit record review and analysis can detect unauthorized exposure or access to sensitive information. |
| AU-9 | Protection of Audit Information | AU | Protecting audit information prevents exposure of sensitive data contained within logs to unauthorized actors. |
| RA-10 | Threat Hunting | RA | Hunting tracks data exfiltration or unauthorized disclosure of sensitive information as a key threat indicator. |
| RA-2 | Security Categorization | RA | Categorization identifies sensitive data so that confidentiality protections commensurate with impact level are selected and documented. |
| RA-3 | Risk Assessment | RA | Explicit evaluation of disclosure risks from sensitive data processing drives controls that reduce exposure to unauthorized actors. |
| RA-6 | Technical Surveillance Countermeasures Survey | RA | TSCM surveys directly detect and remove covert collection devices that would otherwise expose sensitive information to unauthorized actors. |
| RA-8 | Privacy Impact Assessments | RA | The assessment process surfaces design decisions that could expose sensitive (including PII) data to unauthorized actors, prompting controls that reduce such exposure. |
| PT-1 | Policy and Procedures | PT | Explicit policy scope and review cycles make improper disclosure of sensitive PII less likely to occur or persist. |
| PT-2 | Authority to Process Personally Identifiable Information | PT | Limits PII handling to authorized authority, making unauthorized exposure of sensitive information less likely. |
| PT-7 | Specific Categories of Personally Identifiable Information | PT | Requiring organization-defined processing conditions on specific PII categories directly reduces the chance that personal data will be exposed to unauthorized actors. |
| PT-8 | Computer Matching Requirements | PT | Reduces unauthorized exposure of sensitive information by requiring formal controls, public notice, and due-process steps around all matching activities. |
| CM-12 | Information Location | CM | Documenting information locations and authorized users enables better protection against unauthorized exposure of sensitive data. |
| CM-13 | Data Action Mapping | CM | A data action map identifies locations where sensitive information may be exposed to unauthorized actors during processing or transfer. |
| CM-9 | Configuration Management Plan | CM | Protects the configuration management plan from unauthorized disclosure, reducing exposure of sensitive system details. |
| CP-2 | Contingency Plan | CP | Mandates protection of the contingency plan against unauthorized disclosure, reducing exposure of sensitive recovery and operational information. |
| CP-6 | Alternate Storage Site | CP | Requiring equivalent controls at the alternate storage site prevents unauthorized exposure of sensitive backup data. |
| CP-9 | System Backup | CP | Protecting confidentiality of backup information prevents unauthorized exposure of sensitive data stored in backups. |
| IR-10 | Integrated Information Security Analysis Team | IR | The integrated analysis team enables faster detection and containment of incidents involving unauthorized exposure of sensitive information, limiting attacker success in exploiting such weaknesses. |
| IR-8 | Incident Response Plan | IR | Protecting the incident response plan from unauthorized disclosure prevents exposure of sensitive organizational details and response procedures to unauthorized actors. |
| IR-9 | Information Spillage Response | IR | The control's identification, isolation, alerting, and eradication steps directly limit the impact and exploitation window of unauthorized sensitive information exposure. |
| PE-17 | Alternate Work Site | PE | Assessing control effectiveness and providing incident communication channels at alternate sites reduces the likelihood of sensitive information exposure to unauthorized actors. |
| PE-19 | Information Leakage | PE | Shielding or other emanation protections directly prevent sensitive information from reaching unauthorized actors via electromagnetic signals. |
| PE-5 | Access Control for Output Devices | PE | Reduces the ability of an unauthorized actor to obtain sensitive information that has been rendered to a physical output device. |
| AT-2 | Literacy Training and Awareness | AT | Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information. |
| AT-4 | Training Records | AT | Retaining and monitoring training records confirms personnel have completed privacy and security awareness training on handling sensitive data, reducing the chance of unauthorized exposure due to lack of knowledge. |
| PL-2 | System Security and Privacy Plans | PL | Requires explicit protection of plans from unauthorized disclosure, directly reducing exposure of sensitive system and privacy information contained in them. |
| PL-8 | Security and Privacy Architectures | PL | Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle. |
| SR-12 | Component Disposal | SR | Secure disposal techniques directly prevent sensitive data from becoming accessible to unauthorized actors after components leave organizational control. |
| SR-7 | Supply Chain Operations Security | SR | OPSEC controls directly protect supply chain information from unauthorized observation or disclosure. |
| CA-8 | Penetration Testing | CA | Penetration testing attempts to access or extract sensitive data, revealing exposure of sensitive information to unauthorized actors. |
| IA-6 | Authentication Feedback | IA | Obscuring authentication feedback prevents exposure of sensitive information such as valid usernames or failure reasons to unauthorized actors. |
| MA-2 | Controlled Maintenance | MA | Sanitizing equipment to remove specified information before off-site maintenance prevents exposure of sensitive information to unauthorized actors such as external maintenance personnel. |
| SA-6 | Software Usage Restrictions | SA | P2P usage restrictions directly reduce unauthorized external exposure of sensitive or copyrighted information. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-41277 (KEV) | 9.7 | 10.0 | 0.9435 | 2021-11-17 |
| CVE-2023-49103 (KEV) | 9.7 | 10.0 | 0.9433 | 2023-11-21 |
| CVE-2024-24919 (KEV) | 9.4 | 8.6 | 0.9434 | 2024-05-28 |
| CVE-2016-6415 (KEV) | 9.1 | 7.5 | 0.9314 | 2016-09-19 |
| CVE-2023-28432 (KEV) | 9.1 | 7.5 | 0.9400 | 2023-03-22 |
| CVE-2025-31125 (KEV) | 8.0 | 5.3 | 0.8210 | 2025-03-31 |
| CVE-2008-0655 (KEV) | 7.8 | 8.8 | 0.6729 | 2008-02-07 |
| CVE-2020-3259 (KEV) | 7.7 | 7.5 | 0.6973 | 2020-05-06 |
| CVE-2021-27850 | 7.6 | 9.8 | 0.9422 | 2021-04-15 |
| CVE-2018-0127 | 7.5 | 9.8 | 0.9154 | 2018-02-08 |
| CVE-2018-12634 | 7.5 | 9.8 | 0.9245 | 2018-06-22 |
| CVE-2018-7251 | 7.4 | 9.8 | 0.9060 | 2018-02-19 |
| CVE-2018-1000600 | 7.4 | 8.8 | 0.9351 | 2018-06-26 |
| CVE-2017-11165 | 7.3 | 9.8 | 0.8982 | 2017-07-12 |
| CVE-2016-2388 (KEV) | 7.1 | 5.3 | 0.6775 | 2016-02-16 |
| CVE-2018-3760 | 7.1 | 7.5 | 0.9389 | 2018-06-26 |
| CVE-2024-45388 | 7.1 | 7.5 | 0.9363 | 2024-09-02 |
| CVE-2024-46938 | 7.1 | 7.5 | 0.9343 | 2024-09-15 |
| CVE-2025-11749 | 7.1 | 9.8 | 0.8539 | 2025-11-05 |
| CVE-2015-2080 | 7.0 | 7.5 | 0.9241 | 2016-10-07 |
| CVE-2017-12616 | 7.0 | 7.5 | 0.9139 | 2017-09-19 |
| CVE-2018-8033 | 7.0 | 7.5 | 0.9219 | 2018-12-13 |
| CVE-2021-32819 | 7.0 | 8.0 | 0.8962 | 2021-05-14 |
| CVE-2024-3656 | 7.0 | 8.1 | 0.8966 | 2024-10-09 |
| CVE-2016-10175 | 6.9 | 9.8 | 0.8161 | 2017-01-30 |