CWE · MITRE source
CWE-290: Authentication Bypass by Spoofing
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (11)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-11 | Trusted Path | SC | An isolated trusted path ensures the user interacts only with genuine system components, preventing spoofing of authentication interfaces or prompts. |
| SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | SC | Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source. |
| SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | SC | Directly counters DNS response spoofing by requiring cryptographic origin authentication before trusting resolved names/addresses. |
| IA-12 | Identity Proofing | IA | Requiring verifiable identity evidence at appropriate assurance levels makes it substantially harder for attackers to spoof or impersonate users in order to obtain accounts. |
| IA-3 | Device Identification and Authentication | IA | Unique device authentication makes successful spoofing of device identity substantially more difficult. |
| IA-8 | Identification and Authentication (Non-organizational Users) | IA | Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing. |
| AC-9 | Previous Logon Notification | AC | Reveals spoofed logon attempts through unexpected previous-logon timestamps shown at a legitimate login. |
| AT-2 | Literacy Training and Awareness | AT | Training specifically addresses recognizing spoofed communications and phishing that enable authentication bypass. |
| SC-23 | Session Authenticity | SC | Requires cryptographic or protocol-level verification that blocks spoofed session establishment or continuation. |
| SC-40 | Wireless Link Protection | SC | Signal-parameter protections (e.g., cryptographic authentication, anti-spoofing) directly counter spoofing-based authentication bypass. |
| IA-9 | Service Identification and Authentication | IA | Unique identification and authentication of services before communication makes spoofing of service identities substantially harder. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2022-24112 (KEV) | 9.6 | 9.8 | 0.9444 | 2022-02-11 |
| CVE-2024-4358 (KEV) | 9.6 | 9.8 | 0.9434 | 2024-05-29 |
| CVE-2022-23131 (KEV) | 9.5 | 9.1 | 0.9405 | 2022-01-13 |
| CVE-2021-29441 | 7.4 | 8.6 | 0.9392 | 2021-04-27 |
| CVE-2024-41107 | 7.1 | 8.1 | 0.9200 | 2024-07-19 |
| CVE-2024-54085 (KEV) | 6.5 | 9.8 | 0.4297 | 2025-03-11 |
| CVE-2021-31195 | 6.1 | 6.5 | 0.7983 | 2021-05-11 |
| CVE-2020-7388 | 6.1 | 10.0 | 0.6880 | 2021-07-22 |
| CVE-2022-39227 | 6.1 | 9.1 | 0.7131 | 2022-09-23 |
| CVE-2025-49002 | 3.5 | 9.8 | 0.2617 | 2025-06-03 |
| CVE-2023-50224 (KEV) | 3.4 | 6.5 | 0.0149 | 2024-05-03 |
| CVE-2022-3180 | 3.4 | 9.8 | 0.2352 | 2025-02-11 |
| CVE-2021-34646 | 3.3 | 9.8 | 0.2251 | 2021-08-30 |
| CVE-2024-12108 | 3.1 | 9.6 | 0.1940 | 2024-12-31 |
| CVE-2018-5353 | 2.9 | 9.8 | 0.1529 | 2020-09-30 |
| CVE-2024-20674 | 2.7 | 8.8 | 0.1605 | 2024-01-09 |
| CVE-2025-32966 | 2.6 | 9.8 | 0.1121 | 2025-04-23 |
| CVE-2018-7842 | 2.5 | 9.8 | 0.0817 | 2019-05-22 |
| CVE-2019-1234 | 2.5 | 7.5 | 0.1663 | 2019-11-12 |
| CVE-2022-47522 | 2.4 | 7.5 | 0.1569 | 2023-04-15 |
| CVE-2019-16871 | 2.3 | 9.8 | 0.0588 | 2019-12-19 |
| CVE-2020-10135 | 2.3 | 5.4 | 0.2019 | 2020-05-19 |
| CVE-2022-34689 | 2.3 | 7.5 | 0.1320 | 2022-10-11 |
| CVE-2009-1048 | 2.2 | 9.8 | 0.0326 | 2009-08-14 |
| CVE-2021-21134 | 2.2 | 6.5 | 0.1532 | 2021-02-09 |