CWE-287: Improper Authentication
Source: MITRE CWE
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (40)
The 15 most specific controls are listed first; the 25 broadly applicable controls that address many weakness types follow in a second table.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IA-1 | Policy and Procedures | IA | Documented IA policy and procedures require proper authentication mechanisms to be defined and followed, reducing improper authentication. |
| IA-10 | Adaptive Authentication | IA | Requires adaptive authentication under specific conditions, directly strengthening authentication mechanisms against improper or insufficient authentication. |
| IA-12 | Identity Proofing | IA | Identity proofing requires collecting, validating, and verifying evidence to resolve claims to unique individuals, directly preventing insufficient proof of identity during account establishment. |
| AT-1 | Policy and Procedures | AT | Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited. |
| AT-2 | Literacy Training and Awareness | AT | Security awareness training instructs users on secure authentication practices and avoiding credential compromise. |
| AT-3 | Role-based Training | AT | Training on authentication mechanisms and best practices decreases the occurrence of improper authentication. |
| AU-10 | Non-repudiation | AU | Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes. |
| AU-14 | Session Audit | AU | Session content review can reveal authentication bypasses or failures in session establishment. |
| AU-6 | Audit Record Review, Analysis, and Reporting | AU | Review of authentication-related audit records can detect improper authentication mechanisms or bypasses. |
| CA-2 | Control Assessments | CA | Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts. |
| CA-3 | Information Exchange | CA | Mandating documentation of security requirements for exchanges includes specifying and enforcing authentication mechanisms between systems. |
| CA-8 | Penetration Testing | CA | Penetration testing probes authentication mechanisms for bypasses, allowing identification and fixing of improper authentication issues. |
| PM-13 | Security and Privacy Workforce | PM | Development programs cover authentication best practices, making weak or missing authentication less likely. |
| PM-14 | Testing, Training, and Monitoring | PM | Authentication testing and monitoring activities ensure mechanisms are implemented, maintained, and resistant to bypass. |
| PM-7 | Enterprise Architecture | PM | Security-conscious enterprise architecture mandates authentication mechanisms and identity management at scale, mitigating improper authentication. |
The 25 broadly applicable controls:
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IA-13 | Identity Providers and Authorization Servers | IA | Identity providers centralize and enforce authentication mechanisms, reducing improper authentication. |
| IA-2 | Identification and Authentication (Organizational Users) | IA | Requires unique identification and authentication of organizational users, directly preventing improper authentication. |
| IA-3 | Device Identification and Authentication | IA | Enforces unique device identification and authentication before any connection is established, directly mitigating improper authentication weaknesses. |
| IA-4 | Identifier Management | IA | Provides unique, authorized identifiers that are foundational to preventing authentication weaknesses. |
| IA-7 | Cryptographic Module Authentication | IA | Directly requires implementation of compliant authentication mechanisms to cryptographic modules, preventing improper authentication. |
| IA-8 | Identification and Authentication (Non-organizational Users) | IA | Mandates unique identification and authentication of non-organizational users, directly mitigating improper authentication. |
| IA-9 | Service Identification and Authentication | IA | Requires unique identification and authentication of services before any communications, directly mitigating improper authentication. |
| SA-11 | Developer Testing and Evaluation | SA | Authentication mechanism testing and evaluation during development identifies bypass or weakness conditions, with mandatory correction prior to system delivery. |
| SA-16 | Developer-provided Training | SA | Developer-provided instruction on authentication controls improves correct implementation and ongoing operation of authentication. |
| SA-3 | System Development Life Cycle | SA | Requiring explicit security roles and risk integration in the SDLC forces authentication mechanisms to be planned, documented, and validated instead of omitted or weakly implemented. |
| SC-19 | Voice Over Internet Protocol | SC | Implementation guidance and monitoring requirements force proper authentication mechanisms for VoIP endpoints and sessions. |
| SC-26 | Decoys | SC | Decoy authentication surfaces detect bypass attempts and deflect real credential attacks through observable malicious interactions. |
| SC-40 | Wireless Link Protection | SC | Requires authentication mechanisms on the wireless link, making improper authentication weaknesses harder to exploit. |
| CP-10 | System Recovery and Reconstitution | CP | System recovery re-establishes trusted authentication processes following a compromise. |
| CP-13 | Alternative Security Mechanisms | CP | Delivers alternative authentication approaches to verify identity when the primary authentication mechanism is unavailable or compromised. |
| PL-8 | Security and Privacy Architectures | PL | Security architectures must specify authentication requirements and approaches, making systemic authentication weaknesses harder to introduce. |
| PL-9 | Central Management | PL | Centralized authentication mechanisms and policy enforcement reduce the chance of missing or weak authentication on individual components. |
| PS-1 | Policy and Procedures | PS | Personnel screening, identity verification, and access-agreement requirements support reliable authentication and reduce authentication bypass opportunities. |
| PS-4 | Personnel Termination | PS | Revoking authenticators and credentials eliminates the ability of terminated individuals to authenticate using prior mechanisms. |
| RA-10 | Threat Hunting | RA | Hunting detects anomalous authentication patterns or successful bypasses that allow persistent unauthorized entry. |
| RA-3 | Risk Assessment | RA | Assessment of authentication-related threats and vulnerabilities leads to remediation of missing or weak authentication controls. |
| AC-9 | Previous Logon Notification | AC | Detects unauthorized successful logons resulting from improper authentication implementations. |
| IR-10 | Integrated Information Security Analysis Team | IR | Integrated incident analysis improves detection and mitigation of authentication bypasses and failures during security events. |
| MA-4 | Nonlocal Maintenance | MA | Requiring strong authentication for establishing nonlocal maintenance sessions directly mitigates improper authentication. |
| SI-4 | System Monitoring | SI | Detects unauthorized use and connections stemming from authentication bypass or failure. |
Top CVEs of this weakness type, ranked by Risk Priority (KEV marks entries listed in CISA's Known Exploited Vulnerabilities catalog)
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2017-7921 (KEV) | 9.6 | 9.8 | 0.9423 | 2017-05-06 |
| CVE-2018-10561 (KEV) | 9.6 | 9.8 | 0.9331 | 2018-05-04 |
| CVE-2021-22893 (KEV) | 9.6 | 10.0 | 0.9361 | 2021-04-23 |
| CVE-2021-32030 (KEV) | 9.6 | 9.8 | 0.9422 | 2021-05-06 |
| CVE-2021-33044 (KEV) | 9.6 | 9.8 | 0.9425 | 2021-09-15 |
| CVE-2021-33045 (KEV) | 9.6 | 9.8 | 0.9417 | 2021-09-15 |
| CVE-2021-39226 (KEV) | 9.6 | 9.8 | 0.9435 | 2021-10-05 |
| CVE-2022-40684 (KEV) | 9.6 | 9.8 | 0.9443 | 2022-10-18 |
| CVE-2023-35078 (KEV) | 9.6 | 9.8 | 0.9444 | 2023-07-25 |
| CVE-2023-35082 (KEV) | 9.6 | 9.8 | 0.9440 | 2023-08-15 |
| CVE-2024-7593 (KEV) | 9.6 | 9.8 | 0.9444 | 2024-08-13 |
| CVE-2024-53704 (KEV) | 9.6 | 9.8 | 0.9386 | 2025-01-09 |
| CVE-2020-4427 (KEV) | 9.5 | 9.8 | 0.9274 | 2020-05-07 |
| CVE-2020-0688 (KEV) | 9.4 | 8.8 | 0.9440 | 2020-02-11 |
| CVE-2023-28461 (KEV) | 9.3 | 9.8 | 0.8929 | 2023-03-15 |
| CVE-2023-46805 (KEV) | 9.3 | 8.2 | 0.9437 | 2024-01-12 |
| CVE-2025-61882 (KEV) | 9.3 | 9.8 | 0.8938 | 2025-10-05 |
| CVE-2021-32648 (KEV) | 9.2 | 8.2 | 0.9304 | 2021-08-26 |
| CVE-2015-7755 (KEV) | 9.1 | 9.8 | 0.8516 | 2015-12-19 |
| CVE-2020-8193 (KEV) | 9.0 | 6.5 | 0.9439 | 2020-07-10 |
| CVE-2015-1187 (KEV) | 8.9 | 9.8 | 0.8288 | 2017-09-21 |
| CVE-2024-8956 (KEV) | 8.8 | 9.1 | 0.8361 | 2024-09-17 |
| CVE-2013-0625 (KEV) | 8.7 | 9.8 | 0.7834 | 2013-01-09 |
| CVE-2023-27351 (KEV) | 8.7 | 7.5 | 0.8696 | 2023-04-20 |
| CVE-2022-23134 (KEV) | 8.3 | 3.7 | 0.9261 | 2022-01-13 |