CWE · MITRE source
CWE-306: Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Last updated: 09 May 2026 03:25 UTC
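The definition above is abstract, so here is an added example (not MITRE's text or this page's own code) showing the shape of the weakness in a web service and the fix practitioners converge on: authentication enforced centrally, deny by default, with anonymous routes kept as an explicit allowlist (the list AC-14 asks you to document). The router classes, the routes `/api/status` and `/api/admin/restart`, the token `demo-admin-token` and the `unauthenticated_reachable` audit helper are all constructed for the demo; no real framework is implied.

```python
"""Missing authentication for a critical function (CWE-306): vulnerable vs hardened.

Added example, not code from the page or from MITRE. The router here is a
hypothetical minimal dispatcher; routes, token and principal names are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed demo secret (stored hashed); a real service loads this from a vault.
API_TOKEN_SHA256 = hashlib.sha256(b"demo-admin-token").hexdigest()


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def authenticate(req: Request) -> Optional[str]:
    """Return the principal name if the bearer token is valid, otherwise None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
    # Constant-time comparison so the check itself does not leak the secret.
    return "admin" if hmac.compare_digest(presented, API_TOKEN_SHA256) else None


# --- Vulnerable pattern: every handler is responsible for its own auth check ---
class VulnerableRouter:
    def __init__(self) -> None:
        self.routes: Dict[str, Callable[[Request], Response]] = {}

    def route(self, path: str):
        def register(fn: Callable[[Request], Response]):
            self.routes[path] = fn
            return fn
        return register

    def dispatch(self, req: Request) -> Response:
        handler = self.routes.get(req.path)
        return handler(req) if handler else Response(404, "not found")


vuln = VulnerableRouter()


@vuln.route("/api/status")
def status(req: Request) -> Response:          # intentionally public
    return Response(200, "ok")


@vuln.route("/api/admin/restart")
def restart(req: Request) -> Response:         # critical function, no check: CWE-306
    return Response(200, "restarting")


# --- Hardened pattern: authentication enforced centrally, deny by default ---
class HardenedRouter(VulnerableRouter):
    def __init__(self, anonymous_paths: List[str]) -> None:
        super().__init__()
        # The AC-14 list: the only actions permitted without authentication.
        self.anonymous_paths = set(anonymous_paths)

    def dispatch(self, req: Request) -> Response:
        handler = self.routes.get(req.path)
        if handler is None:
            return Response(404, "not found")
        if req.path not in self.anonymous_paths and authenticate(req) is None:
            return Response(401, "authentication required")   # fail closed
        return handler(req)


hard = HardenedRouter(anonymous_paths=["/api/status"])
hard.route("/api/status")(status)
hard.route("/api/admin/restart")(restart)      # protected without touching the handler


def unauthenticated_reachable(router: VulnerableRouter, paths: List[str]) -> List[str]:
    """Audit helper: which of `paths` answer 2xx when called with no credentials."""
    return [p for p in paths if 200 <= router.dispatch(Request(p)).status < 300]


if __name__ == "__main__":
    probe = ["/api/status", "/api/admin/restart"]
    print("vulnerable:", unauthenticated_reachable(vuln, probe))
    print("hardened:  ", unauthenticated_reachable(hard, probe))
```

The audit helper is the same check a pentester runs against a real target: enumerate every endpoint and call each with no credentials at all, then compare the list of 2xx responses against the documented anonymous allowlist. Anything on the first list and not on the second is a CWE-306 finding, which is why the hardened router makes the allowlist an explicit constructor argument rather than something each handler remembers to enforce.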
NIST 800-53 r5 controls that address this weakness (43)
The first 15 rows are the controls most specific to this weakness; the remaining 28 are broadly applicable controls that address many weakness types. Controls marked withdrawn are no longer standalone in r5; their rows note where the requirement now lives.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IA-1 | Policy and Procedures | IA | Policy mandates identification and authentication for critical functions, so omitting it becomes a documented deviation rather than an oversight. |
| IA-10 | Adaptive Authentication | IA | Requires additional authentication under organization-defined conditions, so high-risk functions are not reachable on weak or absent authentication. |
| IA-11 | Re-authentication | IA | Forces fresh credential validation before organization-defined critical operations, even inside an already authenticated session. |
| SA-14 | Criticality Analysis | SA | Withdrawn in r5 (incorporated into RA-9); the criticality analysis identifies which functions must be authenticated. |
| SA-16 | Developer-provided Training | SA | Training covers enabling and correctly using the authentication mechanisms for critical functions. |
| SA-17 | Developer Security and Privacy Architecture and Design | SA | Demands a complete description of required security functionality, so an unauthenticated critical function is visible at design review. |
| SC-14 | Public Access Protections | SC | Withdrawn (capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7 and SI-10); the intent was to gate critical functions from anonymous public users. |
| SC-15 | Collaborative Computing Devices and Applications | SC | Treats remote activation of cameras and microphones as a critical function that must be disabled or explicitly authorized. |
| SC-19 | Voice Over Internet Protocol | SC | Withdrawn in r5 (incorporated into SC-7); the intent was that VoIP functions such as registration and call setup are not exposed without controls. |
| AC-11 | Device Lock | AC | Requires identification and authentication to unlock, so an unattended session cannot be used to reach critical functions. |
| AC-14 | Permitted Actions Without Identification or Authentication | AC | Requires every action permitted without authentication to be listed with a rationale, which forces a review of what is deliberately anonymous and exposes what is anonymous by accident. |
| AC-19 | Access Control for Mobile Devices | AC | Requires authorization of mobile device connections, so connecting to organizational systems is not an unauthenticated function. |
| PE-10 | Emergency Shutoff | PE | The shutoff is a critical function; the control requires it to be protected from unauthorized (physical) activation. |
| PE-3 | Physical Access Control | PE | Requires verification of individual access authorizations before facility entry. |
| PE-7 | Visitor Control | PE | Withdrawn (incorporated into PE-2 and PE-3); the intent was that visitors are identified, signed in and escorted before reaching critical locations. |
| IA-13 | Identity Providers and Authorization Servers | IA | Centralizing authentication in an identity provider and authorization server means each application does not have to remember to implement it. |
| IA-2 | Identification and Authentication (Organizational Users) | IA | Requires authentication of organizational users and the processes acting on their behalf before access. |
| IA-3 | Device Identification and Authentication | IA | Requires devices to be authenticated before connecting, so network-level critical functions are not reachable from unknown devices. |
| IA-7 | Cryptographic Module Authentication | IA | Requires authentication before access to or use of a cryptographic module. |
| IA-8 | Identification and Authentication (Non-organizational Users) | IA | Requires authentication for non-organizational users, closing the gap where externally facing critical functions assume an anonymous audience. |
| IA-9 | Service Identification and Authentication | IA | Requires services to be authenticated before communication is established, so service-to-service calls into critical functions are not anonymous. |
| SA-5 | System Documentation | SA | Secure-configuration documentation states how to enable authentication for critical functions, reducing deployments that leave it off. |
| SA-8 | Security and Privacy Engineering Principles | SA | The complete-mediation principle requires every access to a critical function to pass the authentication and authorization check. |
| SA-9 | External System Services | SA | Requires external services to implement specified authentication controls and to be monitored for compliance. |
| SC-26 | Decoys | SC | Unauthenticated decoy copies of critical functions attract and record attackers probing for missing checks; this detects exploitation attempts rather than preventing the weakness. |
| SC-43 | Usage Restrictions | SC | Requires authorization before listed components are used, so critical functions are invoked only after an authorization decision. |
| SC-7 | Boundary Protection | SC | Public components sit in separate subnetworks and internal critical functions are reachable only through managed interfaces, limiting who can reach an unauthenticated function at all. |
| AC-25 | Reference Monitor | AC | A reference monitor is always invoked, so no path to a critical function bypasses the access control decision. |
| PL-11 | Baseline Tailoring | PL | Tailoring decides which functions require authentication and selects the baseline or compensating controls for them. |
| PL-4 | Rules of Behavior | PL | Rules require users to authenticate before accessing systems or functions. |
| PL-8 | Security and Privacy Architectures | PL | Requires the architecture to identify critical functions and the authentication that protects them. |
| RA-3 | Risk Assessment | RA | Assesses the exposure of critical functions that lack authentication and prioritizes corrective controls. |
| RA-5 | Vulnerability Monitoring and Scanning | RA | Scanners routinely probe exposed interfaces for functions that respond without credentials. |
| RA-9 | Criticality Analysis | RA | Identifying critical functions lets authentication requirements be targeted to exactly those functions. |
| CA-2 | Control Assessments | CA | Assessments confirm that authentication is present and effective for critical functions. |
| CA-4 | Security Certification | CA | Withdrawn (incorporated into CA-2); the assessment of authentication controls now happens under CA-2. |
| PM-5 | System Inventory | PM | A complete inventory is what lets an organization check every system for critical functions that lack authentication. |
| PM-8 | Critical Infrastructure Plan | PM | Protection planning for critical infrastructure includes authenticating access to essential functions. |
| AU-14 | Session Audit | AU | Session audit records make access to critical functions without authentication detectable after the fact. |
| CM-7 | Least Functionality | CM | Disabling non-essential functions and services removes them from the attack surface, so an unauthenticated but unnecessary function cannot be reached. |
| MA-4 | Nonlocal Maintenance | MA | Requires authentication for nonlocal maintenance sessions, a commonly overlooked critical function. |
| PS-1 | Policy and Procedures | PS | Policy mandates authentication and authorization for critical functions handled through personnel processes. |
| SI-9 | Information Input Restrictions | SI | Withdrawn (incorporated into AC-2, AC-3, AC-5 and AC-6); the intent was that input to critical functions is restricted to authorized users. |
Top CVEs of this weakness type, ranked by Risk Priority
All 25 entries are in CISA's Known Exploited Vulnerabilities (KEV) catalog. EPSS is the probability of exploitation activity in the next 30 days, as of the last-updated time above.
| CVE | KEV | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|---|
| CVE-2020-6287 | yes | 9.7 | 10.0 | 0.9439 | 2020-07-14 |
| CVE-2024-51567 | yes | 9.7 | 10.0 | 0.9431 | 2024-10-29 |
| CVE-2020-6207 | yes | 9.6 | 9.8 | 0.9415 | 2020-03-10 |
| CVE-2020-3952 | yes | 9.6 | 9.8 | 0.9434 | 2020-04-10 |
| CVE-2020-13927 | yes | 9.6 | 9.8 | 0.9410 | 2020-11-10 |
| CVE-2020-10148 | yes | 9.6 | 9.8 | 0.9435 | 2020-12-29 |
| CVE-2021-44077 | yes | 9.6 | 9.8 | 0.9430 | 2021-11-29 |
| CVE-2021-35587 | yes | 9.6 | 9.8 | 0.9427 | 2022-01-19 |
| CVE-2022-1388 | yes | 9.6 | 9.8 | 0.9446 | 2022-05-05 |
| CVE-2022-21587 | yes | 9.6 | 9.8 | 0.9440 | 2022-10-18 |
| CVE-2023-46747 | yes | 9.6 | 9.8 | 0.9444 | 2023-10-26 |
| CVE-2024-47575 | yes | 9.6 | 9.8 | 0.9387 | 2024-10-23 |
| CVE-2024-0012 | yes | 9.6 | 9.8 | 0.9428 | 2024-11-18 |
| CVE-2024-11680 | yes | 9.6 | 9.8 | 0.9386 | 2024-11-26 |
| CVE-2021-37415 | yes | 9.5 | 9.8 | 0.9295 | 2021-09-01 |
| CVE-2023-42793 | yes | 9.5 | 9.8 | 0.9291 | 2023-09-19 |
| CVE-2025-0108 | yes | 9.5 | 9.1 | 0.9412 | 2025-02-12 |
| CVE-2025-3248 | yes | 9.5 | 9.8 | 0.9181 | 2025-04-07 |
| CVE-2019-9082 | yes | 9.4 | 8.8 | 0.9425 | 2019-02-24 |
| CVE-2021-39144 | yes | 9.4 | 8.5 | 0.9425 | 2021-08-23 |
| CVE-2024-5910 | yes | 9.4 | 9.8 | 0.9103 | 2024-07-10 |
| CVE-2022-26143 | yes | 9.3 | 9.8 | 0.8915 | 2022-03-10 |
| CVE-2023-28461 | yes | 9.3 | 9.8 | 0.8929 | 2023-03-15 |
| CVE-2017-10271 | yes | 9.2 | 7.5 | 0.9444 | 2017-10-19 |
| CVE-2022-24990 | yes | 9.2 | 7.5 | 0.9440 | 2023-02-07 |