CWE-284: Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Access control involves the use of several protection mechanisms such as: When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses:
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (168) AI
The 15 most specific controls are listed first. Generic controls that address many weakness types follow them.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
SC-1 | Policy and Procedures | SC | Establishes organizational policy defining roles, responsibilities, and compliance for system and communications protection, tangibly strengthening access control enforcement. |
SC-14 | Public Access Protections | SC | Directly requires mechanisms to restrict public users from unauthorized actions on system resources. |
SC-15 | Collaborative Computing Devices and Applications | SC | Directly enforces access control by prohibiting unauthorized remote activation of cameras, mics, and similar devices. |
PM-1 | Information Security Program Plan | PM | Mandating protection of the plan from unauthorized access and modification enforces access control on this organization-wide security governance artifact. |
PM-10 | Authorization Process | PM | Formal authorization processes require review and approval of access control mechanisms before systems are permitted to operate, directly reducing the likelihood of improper access control weaknesses reaching production. |
PM-11 | Mission and Business Process Definition | PM | Requires explicit consideration of information security risks when defining processes, which tangibly drives proper access control requirements into those processes. |
AC-1 | Policy and Procedures | AC | The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization. |
AC-11 | Device Lock | AC | Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions. |
AC-13 | Supervision and Review — Access Control | AC | Supervision and review of access control activities directly detects and remediates improper access configurations or usages. |
SA-11 | Developer Testing and Evaluation | SA | Explicit security control assessments verify proper access control enforcement, detecting weaknesses that the flaw remediation process then eliminates. |
SA-14 | Criticality Analysis | SA | The analysis highlights critical resources that require strong access-control enforcement, thereby reducing the chance that improper access control will be present on those resources. |
SA-16 | Developer-provided Training | SA | Explicit training on access control mechanisms and their operation makes improper access control harder to introduce via misconfiguration. |
CM-1 | Policy and Procedures | CM | Defines roles, responsibilities, and access rules for configuration management activities, making improper access to configuration resources harder to exploit. |
CM-11 | User-installed Software | CM | This control establishes and enforces policies that restrict which users can install software and what software is permitted. |
CM-12 | Information Location | CM | Identifying users with access to specific system components supports enforcement of proper access controls on information. |

153 more broadly-applicable controls:

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
SC-16 | Transmission of Security and Privacy Attributes | SC | Transmitting bound security attributes preserves access-control context across system boundaries, directly reducing improper access control. |
SC-19 | Voice Over Internet Protocol | SC | Authorizing and controlling VoIP use directly enforces access control decisions over a distinct communication technology. |
SC-2 | Separation of System and User Functionality | SC | Explicit separation implements access control boundaries between user interfaces and system management functionality. |
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | SC | Role separation implements access control boundaries between internal and external name resolution services. |
SC-26 | Decoys | SC | Decoy resources detect and deflect attempts to bypass access controls by attracting and monitoring attackers on fake assets. |
SC-27 | Platform-independent Applications | SC | Sandboxing and security contexts provided by platform-independent runtimes add an enforceable access-control boundary that is independent of the host OS. |
SC-3 | Security Function Isolation | SC | By design the control implements a hard boundary that prevents unauthorized actors or non-security functions from reaching security-critical resources or entry points. |
SC-32 | System Partitioning | SC | Enforces separation of domains that reduces the ability to bypass or violate access control boundaries. |
SC-34 | Non-modifiable Executable Programs | SC | Hardware-enforced read-only media directly implements strong access control preventing any modification of executables. |
SC-36 | Distributed Processing and Storage | SC | Distribution forces an attacker to compromise multiple independent components rather than a single centralized target, directly reducing the impact of access control failures. |
SC-39 | Process Isolation | SC | Maintaining distinct execution domains directly implements access-control separation between processes, blocking unauthorized cross-process access. |
SC-41 | Port and I/O Device Access | SC | Disabling or removing ports and I/O devices directly enforces hardware-level access control by eliminating entry points. |
SC-42 | Sensor Capability and Data | SC | Prohibiting specific sensor capabilities implements an access-control policy on hardware resources that would otherwise be freely usable by unauthorized software. |
SC-43 | Usage Restrictions | SC | Requiring authorization, monitoring, and control of component use directly enforces access control decisions on system resources. |
SC-46 | Cross Domain Policy Enforcement | SC | Cross-domain policy enforcement implements mandatory access control at domain boundaries, directly preventing unauthorized interactions across security domains. |
SC-48 | Sensor Relocation | SC | Dynamic relocation of sensors directly strengthens access control enforcement by removing predictable monitoring gaps that attackers could otherwise map and evade. |
SC-49 | Hardware-enforced Separation and Policy Enforcement | SC | Hardware-enforced separation directly implements strong access control boundaries that software alone cannot bypass. |
SC-50 | Software-enforced Separation and Policy Enforcement | SC | Directly implements software-enforced boundaries that prevent unauthorized access across separated components or domains. |
SC-51 | Hardware-based Protection | SC | Hardware write-protect enforces access control on critical resources (e.g., firmware) independent of software state. |
SC-7 | Boundary Protection | SC | Boundary devices and interface controls directly enforce network-level access restrictions between spheres. |
PM-12 | Insider Threat Program | PM | Program provides ongoing monitoring and handling of access-control violations that insiders could otherwise exploit undetected. |
PM-13 | Security and Privacy Workforce | PM | Security training teaches correct access-control models and enforcement, lowering the incidence of improper access control. |
PM-14 | Testing, Training, and Monitoring | PM | Ongoing testing, training, and monitoring plans verify that access-control enforcement remains effective and aligned with risk priorities. |
PM-18 | Privacy Program Plan | PM | The mandated organization-wide privacy program plan requires identification and assignment of privacy controls (including access restrictions on PII) plus explicit role accountability, directly reducing the likelihood of missing or inconsistently applied access-control mechanisms. |
PM-19 | Privacy Program Leadership Role | PM | Senior privacy official has authority to implement and enforce access controls protecting personal information across the organization. |
PM-2 | Information Security Program Leadership Role | PM | The appointed officer coordinates development and maintenance of access control policies and oversight across the enterprise. |
PM-21 | Accounting of Disclosures | PM | Accurate accounting of disclosures presupposes and thereby incentivizes proper access-control enforcement; gaps become visible when individuals review their records. |
PM-23 | Data Governance Body | PM | Data governance body defines and oversees organizational access control policies for data resources, reducing improper access control. |
PM-24 | Data Integrity Board | PM | Board oversight enforces proper access-control decisions before cross-agency data matching occurs, reducing improper access to protected records. |
PM-26 | Complaint Management | PM | Enables users to surface and force remediation of improper access-control decisions in security practices, directly reducing the persistence of exploitable authorization gaps. |
PM-27 | Privacy Reporting | PM | Accountability reporting on privacy mandates surfaces improper access control violations over personal data during compliance reviews. |
PM-29 | Risk Management Program Leadership Roles | PM | Appointed accountable official aligns access control decisions with strategic risk processes, reducing systemic improper access control. |
PM-3 | Information Security and Privacy Resources | PM | Resources allocated to security programs enable proper design, implementation, and maintenance of access control mechanisms. |
PM-32 | Purposing | PM | Periodic purpose analysis directly detects and corrects access control decisions that permit use outside the defined mission function. |
PM-4 | Plan of Action and Milestones Process | PM | POA&M process requires documented remedial actions and tracking for identified access control deficiencies until resolved per risk priorities. |
PM-5 | System Inventory | PM | Complete system listing is a prerequisite for applying and verifying access controls across the entire organizational boundary. |
PM-7 | Enterprise Architecture | PM | Enterprise architecture defines overarching access control models, boundaries, and trust zones that directly prevent improper access control weaknesses. |
PM-8 | Critical Infrastructure Plan | PM | A CIKR protection plan that explicitly addresses information security requires defining and enforcing access control policies on critical systems and resources. |
PM-9 | Risk Management Strategy | PM | Risk management strategy defines organization-wide access control policies and risk acceptance, directly reducing improper access control weaknesses. |
AC-14 | Permitted Actions Without Identification or Authentication | AC | Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions. |
AC-15 | Automated Marking | AC | By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses. |
AC-16 | Security and Privacy Attributes | AC | Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission. |
AC-17 | Remote Access | AC | Requiring prior authorization for each remote access type prevents improper access control over remote connections. |
AC-18 | Wireless Access | AC | Requiring authorization of wireless access before allowing connections enforces proper access control for this access method. |
AC-19 | Access Control for Mobile Devices | AC | Requiring authorization and configuration controls for mobile device connections directly enforces access control and prevents unauthorized devices from reaching organizational systems. |
AC-2 | Account Management | AC | Defining account types, requiring approvals for creation, specifying authorizations, monitoring usage, and reviewing accounts directly prevents improper access control by ensuring only authorized accounts exist and are used. |
AC-20 | Use of External Systems | AC | Enforces rules governing access to the system and its data from external systems based on established trust relationships. |
AC-21 | Information Sharing | AC | This control requires verifying that a sharing partner's access authorizations match the information's restrictions before sharing occurs. |
AC-22 | Publicly Accessible Content | AC | Designating authorized individuals and mandating pre/post-publication reviews enforces access controls on who can publish content publicly. |
AC-23 | Data Mining Protection | AC | Provides monitoring and protection against data mining patterns that exploit improper access controls to extract data. |
AC-24 | Access Control Decisions | AC | Ensuring access control decisions are made and applied to every request before enforcement directly prevents improper access control by requiring policy-based checks. |
AC-25 | Reference Monitor | AC | Provides a tamperproof, always-invoked, and verifiable mechanism to enforce access control policies. |
AC-3 | Access Enforcement | AC | Enforcing approved authorizations directly implements access control policies to block unauthorized access. |
AC-4 | Information Flow Enforcement | AC | Enforcing approved authorizations for information flows directly implements access control over data movements within and between systems. |
AC-5 | Separation of Duties | AC | Defining authorizations to support separation of duties strengthens overall access control by preventing unauthorized combinations of actions within a single account. |
AC-6 | Least Privilege | AC | Supports proper access control through restriction to only authorized necessary accesses. |
AC-8 | System Use Notification | AC | Requiring explicit acknowledgment of the notification before granting access enforces a mandatory step in the access process, reducing the ability to exploit improper access control weaknesses. |
SA-17 | Developer Security and Privacy Architecture and Design | SA | Requires explicit allocation of controls to physical and logical components, directly preventing architectural gaps in access enforcement. |
SA-18 | Tamper Resistance and Detection | SA | Tamper resistance mechanisms directly enforce access control boundaries to prevent unauthorized modification of hardware, firmware, or software. |
SA-23 | Specialization | SA | Purpose-built components enable tighter, function-specific access-control enforcement that is harder to bypass than controls on general-purpose platforms. |
SA-24 | Design For Cyber Resiliency | SA | Resiliency goals and objectives routinely incorporate least-privilege and access-control maintenance under adverse conditions, reducing improper access control. |
SA-3 | System Development Life Cycle | SA | Defining security roles/responsibilities and integrating risk management into the SDLC directly reduces improper access control by ensuring access decisions are designed and reviewed throughout development. |
SA-5 | System Documentation | SA | Guidance on effective use of access control mechanisms and known configuration vulnerabilities makes improper access control harder to exploit. |
SA-7 | User-installed Software | SA | Implements authorization checks and policies that prevent unauthorized software installation. |
SA-8 | Security and Privacy Engineering Principles | SA | Complete-mediation and least-privilege principles ensure proper access-control design and enforcement. |
SA-9 | External System Services | SA | Requiring external providers to implement and be monitored against organizational access-control requirements directly reduces the likelihood of improper access control across trust boundaries. |
CM-13 | Data Action Mapping | CM | Mapping data actions reveals potential improper access controls by showing who can perform actions on data. |
CM-2 | Baseline Configuration | CM | Baseline includes documented access control settings that are reviewed and maintained, reducing the ability to exploit improper access control. |
CM-3 | Configuration Change Control | CM | Enforces access controls and oversight on who can propose, approve, or implement configuration modifications. |
CM-4 | Impact Analyses | CM | Prior analysis ensures modifications do not create or worsen improper access control enforcement. |
CM-5 | Access Restrictions for Change | CM | Enforcing physical and logical access restrictions for system changes directly prevents unauthorized actors from modifying the system. |
CM-6 | Configuration Settings | CM | Restrictive configuration settings implement and enforce proper access controls on system components. |
CM-7 | Least Functionality | CM | Restricting available functions and services reduces the attack surface and enforces proper access control boundaries. |
CM-9 | Configuration Management Plan | CM | Explicitly requires protecting the configuration management plan from unauthorized disclosure and modification. |
PS-1 | Policy and Procedures | PS | The policy establishes consistent rules for granting, reviewing, and revoking access based on personnel status, tangibly limiting improper access control. |
PS-2 | Position Risk Designation | PS | Screening criteria tied to position sensitivity limit the set of individuals who can be granted access, shrinking the attack surface for improper access control weaknesses. |
PS-3 | Personnel Screening | PS | Personnel screening before access authorization directly strengthens access control decisions and reduces the chance that unvetted individuals can exploit improper access control weaknesses. |
PS-4 | Personnel Termination | PS | Disabling all system access and revoking credentials upon termination directly prevents improper access control by former personnel. |
PS-5 | Personnel Transfer | PS | Ensures access authorizations are updated on transfer so that access control remains aligned with current need rather than retained inappropriately. |
PS-6 | Access Agreements | PS | Requiring signed access agreements before any access is granted adds a mandatory procedural gate that directly prevents improper or premature access provisioning. |
PS-7 | External Personnel Security | PS | Establishes and monitors access-control requirements specifically for external personnel holding organizational credentials or privileges. |
PS-8 | Personnel Sanctions | PS | Reduces insider exploitation of access-control weaknesses through enforceable consequences for policy non-compliance. |
PS-9 | Position Descriptions | PS | Clear role definitions in position descriptions are a prerequisite for implementing and enforcing proper access control decisions. |
CA-1 | Policy and Procedures | CA | The policy defines roles, responsibilities, and management commitment for authorization and monitoring, establishing formal access controls over these security functions. |
CA-2 | Control Assessments | CA | Control assessments verify that access controls are implemented correctly and operating as intended, detecting improper access control before exploitation. |
CA-3 | Information Exchange | CA | Requiring formal approval, documented controls, and responsibilities for inter-system exchanges directly enforces proper access control between systems. |
CA-4 | Security Certification | CA | Certification requires independent assessment confirming access controls are implemented correctly and effective. |
CA-5 | Plan of Action and Milestones | CA | Weaknesses in access control are explicitly planned for remediation based on assessments, directly reducing unauthorized access risks. |
CA-6 | Authorization | CA | Requires formal authorization of the system and inherited controls before operation, ensuring access control mechanisms are reviewed and approved. |
CA-8 | Penetration Testing | CA | Penetration testing simulates unauthorized access attempts, directly detecting and enabling remediation of improper access control weaknesses. |
CA-9 | Internal System Connections | CA | Authorizing and reviewing internal connections enforces proper access control over system interfaces. |
PE-1 | Policy and Procedures | PE | The policy defines and enforces restrictions on physical access to resources, directly reducing improper access control. |
PE-10 | Emergency Shutoff | PE | The control directly implements access restrictions on the emergency shutoff mechanism to prevent unauthorized use. |
PE-16 | Delivery and Removal | PE | Enforces physical access controls on deliveries and removals to prevent unauthorized access to the facility and system components. |
PE-17 | Alternate Work Site | PE | Mandating and assessing controls at alternate sites enforces proper access control mechanisms that would otherwise be absent or weak in uncontrolled remote locations. |
PE-23 | Facility Location | PE | Facility siting decisions that account for physical hazards strengthen overall access control by limiting unauthorized physical entry vectors. |
PE-4 | Access Control for Transmission | PE | Enforces physical-layer access control on transmission resources, reducing the ability to reach or manipulate them outside intended boundaries. |
PE-7 | Visitor Control | PE | Visitor control enforces physical entry restrictions and monitoring, directly reducing improper access to facilities and resources. |
PE-9 | Power Equipment and Cabling | PE | Reduces the attack surface for physical tampering or destruction of a critical system resource by enforcing environmental and access protections around power infrastructure. |
RA-1 | Policy and Procedures | RA | Risk assessment policy requires systematic evaluation of access control decisions, reducing the likelihood that improper access control remains unaddressed. |
RA-10 | Threat Hunting | RA | Threat hunting directly searches for indicators of unauthorized access or control violations that bypassed preventive mechanisms. |
RA-2 | Security Categorization | RA | Security categorization determines the impact level that drives selection of appropriate access-control baselines. |
RA-3 | Risk Assessment | RA | Risk assessment explicitly identifies threats from unauthorized access and drives decisions to implement or strengthen access control mechanisms. |
RA-5 | Vulnerability Monitoring and Scanning | RA | Scans identify improper access control implementations and missing protections on system resources. |
RA-7 | Risk Response | RA | Findings of improper access control are routine outputs of audits and assessments; mandated response ensures the weaknesses are corrected before they can be exploited at scale. |
RA-8 | Privacy Impact Assessments | RA | PIAs require evaluation of access control needs for PII, resulting in stronger restrictions that make unauthorized access harder to exploit. |
RA-9 | Criticality Analysis | RA | Criticality analysis identifies components/functions requiring strict access control enforcement, directly reducing improper access control exposure. |
PL-1 | Policy and Procedures | PL | Policy that assigns roles, responsibilities, and compliance requirements provides the foundation for consistent access-control decisions across the organization. |
PL-11 | Baseline Tailoring | PL | Tailoring selects and adjusts the precise set of access-control baselines and compensating controls required for the system, directly reducing improper access control exposure. |
PL-2 | System Security and Privacy Plans | PL | Mandates defining roles/responsibilities, security categorization, and controls (including authorization) while protecting plans from unauthorized modification. |
PL-4 | Rules of Behavior | PL | Documented and acknowledged rules define permitted access, reducing improper access control by establishing clear behavioral boundaries and accountability. |
PL-7 | Concept of Operations | PL | CONOPS describes the organization's intended security and privacy operating model, including access-control concepts, making systemic improper access control less likely to persist undetected. |
PL-8 | Security and Privacy Architectures | PL | Architectures explicitly define requirements and mechanisms for access control to protect confidentiality, integrity, and availability. |
PL-9 | Central Management | PL | Central management enforces consistent access-control policies across systems, reducing the likelihood of missing or inconsistent enforcement. |
PT-1 | Policy and Procedures | PT | The policy defines roles, responsibilities, and compliance requirements that establish and govern access controls for PII. |
PT-2 | Authority to Process Personally Identifiable Information | PT | Requires documented authority and explicit restriction of PII processing to only authorized actions, directly mitigating improper access control. |
PT-3 | Personally Identifiable Information Processing Purposes | PT | Implements purpose-based restrictions that serve as an access control mechanism on PII handling and disclosure. |
PT-4 | Consent | PT | Consent enforcement adds an explicit access-control gate before any PII processing can occur. |
PT-5 | Privacy Notice | PT | Requiring explicit identification of the authorizing authority and processing purposes in a publicly available notice increases accountability and makes covert improper access control decisions harder to sustain. |
PT-8 | Computer Matching Requirements | PT | Requires Data Integrity Board approval and formal matching agreements before any cross-system data processing occurs, directly enforcing access control on sensitive matching activities. |
CP-10 | System Recovery and Reconstitution | CP | Recovery to a known state reverts unauthorized changes to access control mechanisms after compromise. |
CP-13 | Alternative Security Mechanisms | CP | Alternative mechanisms sustain access control enforcement even if the primary access control implementation is unavailable or compromised. |
CP-2 | Contingency Plan | CP | Requires protecting the contingency plan from unauthorized disclosure and modification, directly necessitating implementation of access controls on this critical document. |
CP-6 | Alternate Storage Site | CP | Mandating equivalent access controls ensures the alternate site does not introduce improper access control weaknesses for backups. |
CP-9 | System Backup | CP | Protecting CIA of backups requires access controls to prevent unauthorized access, modification, or deletion. |
MA-2 | Controlled Maintenance | MA | Approving and monitoring all maintenance activities prevents improper access control by restricting unauthorized personnel from performing maintenance on system components. |
MA-3 | Maintenance Tools | MA | Approving, controlling, and monitoring maintenance tool use directly enforces authorization and access restrictions over privileged maintenance functions. |
MA-4 | Nonlocal Maintenance | MA | Approving and monitoring nonlocal maintenance per policy enforces access control over remote diagnostic activities. |
MA-5 | Maintenance Personnel | MA | Establishes authorization processes, verification, and supervision to prevent unauthorized access during maintenance activities. |
MA-7 | Field Maintenance | MA | Restricting field maintenance directly enforces access control over who can interact with or modify the system in uncontrolled environments. |
MP-1 | Policy and Procedures | MP | Policy and procedures establish documented access controls and responsibilities for media, reducing improper access. |
MP-2 | Media Access | MP | The control enforces access restrictions on media, directly mitigating improper access control weaknesses. |
MP-3 | Media Marking | MP | Markings provide explicit guidance on distribution limits and handling caveats, directly supporting enforcement of access controls for physical and logical media. |
MP-5 | Media Transport | MP | Restricting transport activities to authorized personnel directly enforces proper access control over system media. |
MP-7 | Media Use | MP | This control enforces ownership-based restrictions on portable storage device use, directly implementing access control over media insertion into organizational systems. |
AT-1 | Policy and Procedures | AT | The awareness and training policy mandates training on access control practices, directly reducing the likelihood of improper access control weaknesses being introduced or exploited. |
AT-2 | Literacy Training and Awareness | AT | Training covers access control policies and the consequences of improper access grants or usage by users. |
AT-3 | Role-based Training | AT | Security training teaches access control policies and enforcement, reducing improper access control implementations. |
AT-4 | Training Records | AT | Documenting role-based training completion allows verification that only trained individuals receive or retain access, making improper access control harder to exploit through untrained personnel. |
SI-1 | Policy and Procedures | SI | Integrity policy and procedures explicitly define and assign responsibilities for access control enforcement, directly reducing unauthorized modification risks. |
SI-23 | Information Fragmentation | SI | Compromise of access control on any one system or component still leaves an attacker with only a useless fragment, limiting the practical exploitability of the weakness. |
SI-4 | System Monitoring | SI | Directly detects unauthorized local/network/remote connections and system use that result from improper access control. |
SI-9 | Information Input Restrictions | SI | Directly enforces access control by limiting input capability exclusively to authorized personnel. |
AU-14 | Session Audit | AU | Provides capability to review session content, directly detecting violations of access control. |
AU-6 | Audit Record Review, Analysis, and Reporting | AU | System audit review detects violations of access controls by identifying unauthorized access attempts. |
AU-9 | Protection of Audit Information | AU | The control directly enforces access controls to prevent unauthorized access, modification, or deletion of audit information and tools. |
SR-2 | Supply Chain Risk Management Plan | SR | Explicit protection of the plan from unauthorized disclosure and modification implements access controls on this sensitive artifact. |
SR-7 | Supply Chain Operations Security | SR | OPSEC measures enforce access restrictions on sensitive supply-chain data and processes. |
SR-9 | Tamper Resistance and Detection | SR | Tamper protection directly detects and resists unauthorized modifications that improper access control would otherwise permit. |
IA-13 | Identity Providers and Authorization Servers | IA | Authorization servers centrally manage access rights, preventing improper access control. |
IA-4 | Identifier Management | IA | Ensures identifiers are properly authorized and assigned, supporting effective access control. |
IR-10 | Integrated Information Security Analysis Team | IR | The team provides specialized analysis of access-related incidents, enabling quicker identification and response to unauthorized access attempts. |
IR-8 | Incident Response Plan | IR | Requiring protection of the plan from unauthorized modification, distribution controls, and explicit designation of incident response responsibilities directly addresses improper access control over this critical resource. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
CVE-2012-1723 KEV | 9.6 | 9.8 | 0.9408 | 2012-06-16 |
CVE-2012-4681 KEV | 9.6 | 9.8 | 0.9414 | 2012-08-28 |
CVE-2013-0422 KEV | 9.6 | 9.8 | 0.9361 | 2013-01-10 |
CVE-2016-3427 KEV | 9.6 | 9.8 | 0.9389 | 2016-04-21 |
CVE-2023-27350 KEV | 9.6 | 9.8 | 0.9426 | 2023-04-20 |
CVE-2023-24489 KEV | 9.6 | 9.8 | 0.9439 | 2023-07-10 |
CVE-2024-27348 KEV | 9.6 | 9.8 | 0.9434 | 2024-04-22 |
CVE-2011-3544 KEV | 9.5 | 9.8 | 0.9254 | 2011-10-19 |
CVE-2012-5076 KEV | 9.5 | 9.8 | 0.9171 | 2012-10-16 |
CVE-2023-26360 KEV | 9.4 | 8.6 | 0.9433 | 2023-03-23 |
CVE-2021-22941 KEV | 9.3 | 9.8 | 0.8849 | 2021-09-23 |
CVE-2019-1653 KEV | 9.2 | 7.5 | 0.9438 | 2019-01-24 |
CVE-2023-29298 KEV | 9.2 | 7.5 | 0.9429 | 2023-07-12 |
CVE-2023-38205 KEV | 9.2 | 7.5 | 0.9418 | 2023-09-14 |
CVE-2024-20767 KEV | 9.1 | 7.4 | 0.9404 | 2024-03-18 |
CVE-2020-8193 KEV | 9.0 | 6.5 | 0.9439 | 2020-07-10 |
CVE-2023-23752 KEV | 8.7 | 5.3 | 0.9452 | 2023-02-16 |
CVE-2014-3120 KEV | 8.6 | 8.1 | 0.8260 | 2014-07-28 |
CVE-2025-12480 KEV | 8.5 | 9.1 | 0.7832 | 2025-11-10 |
CVE-2013-2423 KEV | 8.3 | 3.7 | 0.9340 | 2013-04-17 |
CVE-2022-23134 KEV | 8.3 | 3.7 | 0.9261 | 2022-01-13 |
CVE-2025-31125 KEV | 8.0 | 5.3 | 0.8210 | 2025-03-31 |
CVE-2019-2729 | 7.6 | 9.8 | 0.9436 | 2019-06-19 |
CVE-2021-21425 | 7.4 | 9.3 | 0.9164 | 2021-04-07 |
CVE-2022-31704 | 7.4 | 9.8 | 0.8984 | 2023-01-26 |