CWE · MITRE source
CWE-522: Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (7)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AT-2 | Literacy Training and Awareness | AT | Training instructs users on protecting credentials from disclosure or unauthorized access. |
| AT-4 | Training Records | AT | Training records for security awareness and role-based training verify education on credential protection practices, tangibly reducing risks from mishandling or exposing credentials. |
| SC-28 | Protection of Information at Rest | SC | Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores. |
| SC-37 | Out-of-band Channels | SC | Credentials or keys delivered out-of-band are not exposed to interception or inadequate protection on the main transport. |
| IA-5 | Authenticator Management | IA | Protecting authenticator content from unauthorized disclosure and modification while requiring protective controls addresses insufficiently protected credentials. |
| PL-4 | Rules of Behavior | PL | Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials. |
| PS-4 | Personnel Termination | PS | Terminating or revoking credentials stops use of insufficiently protected or lingering credentials post-termination. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2020-29583 (KEV) | 9.6 | 9.8 | 0.9437 | 2020-12-22 |
| CVE-2017-9248 (KEV) | 9.3 | 9.8 | 0.8859 | 2017-07-03 |
| CVE-2014-1812 (KEV) | 8.8 | 8.8 | 0.8376 | 2014-05-14 |
| CVE-2019-17662 | 7.6 | 9.8 | 0.9410 | 2019-10-16 |
| CVE-2024-9014 | 7.6 | 9.9 | 0.9288 | 2024-09-23 |
| CVE-2024-44000 | 7.5 | 9.8 | 0.9301 | 2024-10-20 |
| CVE-2024-32238 | 7.3 | 9.8 | 0.8847 | 2024-04-22 |
| CVE-2021-30116 (KEV) | 7.2 | 10.0 | 0.5407 | 2021-07-09 |
| CVE-2022-1026 | 6.9 | 8.6 | 0.8678 | 2022-04-04 |
| CVE-2017-7925 | 6.8 | 9.8 | 0.8041 | 2017-05-06 |
| CVE-2014-6039 | 6.5 | 7.5 | 0.8363 | 2020-01-13 |
| CVE-2018-9160 | 6.4 | 9.8 | 0.7416 | 2018-03-31 |
| CVE-2023-6421 | 6.3 | 7.5 | 0.8057 | 2024-01-01 |
| CVE-2022-35411 | 6.2 | 9.8 | 0.7133 | 2022-07-08 |
| CVE-2017-8225 | 6.0 | 9.8 | 0.6666 | 2017-04-25 |
| CVE-2021-44451 | 5.8 | 6.5 | 0.7534 | 2022-02-01 |
| CVE-2013-7055 | 5.1 | 9.8 | 0.5174 | 2020-02-04 |
| CVE-2021-22681 (KEV) | 5.0 | 9.8 | 0.1816 | 2021-03-03 |
| CVE-2014-5381 | 4.7 | 9.8 | 0.4644 | 2020-01-13 |
| CVE-2013-7052 | 4.7 | 9.8 | 0.4522 | 2020-02-04 |
| CVE-2018-10824 | 4.5 | 9.8 | 0.4290 | 2018-10-17 |
| CVE-2018-11742 | 4.1 | 9.8 | 0.3638 | 2018-12-26 |
| CVE-2020-5260 | 4.1 | 9.3 | 0.3788 | 2020-04-14 |
| CVE-2022-38121 | 4.0 | 6.5 | 0.4428 | 2022-11-10 |
| CVE-2017-3192 | 3.6 | 9.8 | 0.2769 | 2017-12-16 |