CWE · MITRE source
CWE-693: Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
This weakness covers three distinct situations. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (58)
The 15 most specific controls are listed first; the 43 broadly-applicable controls that address many weakness types follow.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| PM-11 | Mission and Business Process Definition | PM | Mandates determining protection needs from defined processes, reducing the likelihood that protection mechanisms are omitted or ineffective by design. |
| PM-13 | Security and Privacy Workforce | PM | Skilled personnel implement protection mechanisms correctly, lowering protection-mechanism failures. |
| PM-14 | Testing, Training, and Monitoring | PM | The control requires systematic testing and monitoring of protection mechanisms to confirm they function as intended against organizational risks. |
| PL-1 | Policy and Procedures | PL | Requiring procedures that facilitate implementation of planning controls reduces the chance that protection mechanisms are omitted or inconsistently applied. |
| PL-10 | Baseline Selection | PL | Selecting an impact-appropriate control baseline ensures a minimum set of protection mechanisms are applied, directly reducing the chance that critical safeguards are omitted. |
| PL-11 | Baseline Tailoring | PL | Tailoring validates that selected protection mechanisms remain effective after scoping, parameterization, and compensating-control decisions are applied. |
| SA-11 | Developer Testing and Evaluation | SA | Assessments of security controls directly validate whether protection mechanisms function as intended, exposing failures for correction. |
| SA-15 | Development Process, Standards, and Tools | SA | Mandates review that the selected process, standards, and tools can satisfy security requirements, reducing failure of protection mechanisms in the delivered system. |
| SA-17 | Developer Security and Privacy Architecture and Design | SA | Requires demonstrating integration of mechanisms into a coherent protection strategy, reducing failures from poorly composed or conflicting controls. |
| SI-1 | Policy and Procedures | SI | Regular policy review and procedure updates reduce the likelihood that integrity protection mechanisms are omitted, misconfigured, or allowed to degrade. |
| SI-22 | Information Diversity | SI | Supplies a backup mechanism that continues to function when the primary information protection or integrity control fails. |
| SI-4 | System Monitoring | SI | Reveals failures or bypasses of existing protection mechanisms via event and anomaly analysis. |
| CA-1 | Policy and Procedures | CA | Documented procedures to implement assessment, authorization, and monitoring controls prevent these protection mechanisms from failing due to undefined processes. |
| CA-2 | Control Assessments | CA | Direct evaluation of whether controls produce desired security outcomes detects protection mechanism failures and enables remediation. |
| CA-4 | Security Certification | CA | Requires assessment that protection mechanisms are correctly implemented and producing intended security outcomes. |
| PM-19 | Privacy Program Leadership Role | PM | Executive-level ownership and resources help ensure privacy protection mechanisms are developed, implemented, and maintained. |
| PM-2 | Information Security Program Leadership Role | PM | Leadership and resources for the security program reduce the likelihood that protection mechanisms are missing, misconfigured, or neglected. |
| PM-26 | Complaint Management | PM | A formal redress process detects when protection mechanisms fail in practice and compels their repair, lowering the likelihood that known protection failures remain exploitable. |
| PM-28 | Risk Framing | PM | Explicit risk framing ensures protection mechanisms are selected, sized, and maintained consistent with organizational risk tolerance, reducing the chance that a mechanism fails because its risk context was never defined. |
| PM-3 | Information Security and Privacy Resources | PM | Explicit funding and documentation requirements reduce failures of protection mechanisms caused by under-resourcing. |
| PM-31 | Continuous Monitoring Strategy | PM | Establishes continuous monitoring of control effectiveness with defined metrics and response actions, detecting protection mechanism failures. |
| PM-4 | Plan of Action and Milestones Process | PM | Requires ongoing maintenance of plans to repair or replace failed or inadequate protection mechanisms before they can be exploited at scale. |
| PM-6 | Measures of Performance | PM | Ongoing measurement and reporting of security control performance provides visibility into protection mechanism failures, enabling timely remediation. |
| PM-7 | Enterprise Architecture | PM | Enterprise architecture ensures protection mechanisms are selected, placed, and integrated consistently, reducing protection mechanism failures. |
| PM-9 | Risk Management Strategy | PM | Regular review and update of the risk strategy detects and corrects protection mechanism failures before exploitation. |
| PL-2 | System Security and Privacy Plans | PL | Requires documenting controls planned or in place to meet requirements plus rationale, reducing the chance that protection mechanisms are missing or ineffective due to poor planning. |
| PL-3 | System Security Plan Update | PL | Plan updates require reassessment of selected protection mechanisms, surfacing cases where they no longer address the current threat or implementation. |
| PL-7 | Concept of Operations | PL | The control requires organizations to describe how protection mechanisms will function in operation, thereby reducing the chance that those mechanisms fail due to undefined or inconsistent operational assumptions. |
| PL-8 | Security and Privacy Architectures | PL | By requiring integrated, updated architectures and CONOPS, the control reduces the likelihood that protection mechanisms are missing or inconsistently applied. |
| PL-9 | Central Management | PL | Central management verifies that required protection mechanisms remain enabled and correctly configured, reducing protection-mechanism failures due to local drift. |
| SA-18 | Tamper Resistance and Detection | SA | The control explicitly requires implementation and verification of protection mechanisms that would otherwise fail and allow tampering. |
| SA-2 | Allocation of Resources | SA | Mandates documented allocation of resources to protection requirements, reducing the likelihood that protection mechanisms are underfunded, omitted, or inadequately maintained. |
| SA-24 | Design For Cyber Resiliency | SA | Mandates selection and application of resiliency techniques and implementation approaches that strengthen protection mechanisms against failure or bypass. |
| SA-8 | Security and Privacy Engineering Principles | SA | Engineering principles ensure protection mechanisms are correctly specified and implemented. |
| SI-5 | Security Alerts, Advisories, and Directives | SI | Implementing issued security directives maintains the effectiveness of existing protection mechanisms against newly discovered bypasses or failures. |
| SI-6 | Security and Privacy Function Verification | SI | Explicit verification and alerting detect when protection mechanisms are not functioning, limiting undetected bypasses. |
| SI-8 | Spam Protection | SI | Requiring deployment and timely updates of spam mechanisms prevents the absence or obsolescence of a protection mechanism that would otherwise be bypassed. |
| CA-5 | Plan of Action and Milestones | CA | The POA&M process ensures identified weaknesses in protection mechanisms are documented and scheduled for remediation, reducing the duration they remain exploitable. |
| CA-7 | Continuous Monitoring | CA | Ongoing control assessments and analysis of monitoring data enable timely detection and response when protection mechanisms fail. |
| SC-1 | Policy and Procedures | SC | Requires procedures that facilitate consistent implementation and periodic review of protection controls, making failure of those mechanisms less likely. |
| SC-29 | Heterogeneity | SC | Diverse technology stacks ensure a single protection mechanism failure (or exploit) does not cascade across all components. |
| SC-47 | Alternate Communications Paths | SC | Failure or compromise of the primary protection mechanism no longer results in total loss of C2 capability. |
| SC-48 | Sensor Relocation | SC | Relocating sensors under specified conditions prevents static protection mechanisms from being reliably bypassed or disabled once their locations are discovered. |
| SC-49 | Hardware-enforced Separation and Policy Enforcement | SC | Hardware enforcement reduces the likelihood that protection mechanisms can be bypassed or fail due to software flaws. |
| RA-1 | Policy and Procedures | RA | Documented risk assessment processes ensure protection mechanisms are identified, evaluated, and maintained rather than failing due to neglect. |
| RA-3 | Risk Assessment | RA | Periodic review of protection effectiveness against identified threats directly addresses failures in security mechanisms. |
| RA-4 | Risk Assessment Update | RA | Risk assessment updates reveal when existing protection mechanisms have become ineffective against new attack techniques or environmental changes. |
| RA-7 | Risk Response | RA | When assessments or monitoring reveal that protection mechanisms are ineffective or bypassed, the required risk-response action directly restores or strengthens those mechanisms. |
| CP-13 | Alternative Security Mechanisms | CP | Provides alternative mechanisms to maintain security functions when the primary implementation is unavailable or compromised, directly preventing protection mechanism failure. |
| CP-2 | Contingency Plan | CP | Requires planning for full restoration without deterioration of originally implemented controls, mitigating impact from protection mechanism failures during compromise or disruption. |
| CP-4 | Contingency Plan Testing | CP | The contingency plan itself is a protection mechanism; regular testing and corrective actions ensure it does not fail when activated by an incident. |
| IR-10 | Integrated Information Security Analysis Team | IR | The integrated team focuses on root-cause analysis of security incidents, directly addressing failures in protection mechanisms that allow exploitation. |
| IR-8 | Incident Response Plan | IR | Developing, approving, updating, and maintaining the incident response plan ensures the organization's incident response protection mechanism does not fail due to absence of planning, outdated procedures, or lack of resources. |
| MA-1 | Policy and Procedures | MA | The policy and procedures ensure maintenance activities are planned and executed to keep protection mechanisms effective and prevent their degradation or failure. |
| MA-2 | Controlled Maintenance | MA | Checking that all potentially impacted controls still function properly after maintenance detects and mitigates protection mechanism failures introduced during the process. |
| AC-25 | Reference Monitor | AC | Implements a reliable, tamperproof protection mechanism whose completeness can be assured. |
| AT-1 | Policy and Procedures | AT | Procedures for training on protection mechanisms reduce the chance of protection mechanism failures being present or exploitable. |
| CM-4 | Impact Analyses | CM | Impact analysis identifies changes that could weaken or disable existing protection mechanisms. |
Top CVEs of this weakness type, ranked by Risk Priority (KEV marks entries listed in CISA's Known Exploited Vulnerabilities catalog)
| CVE | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2013-2465 (KEV) | 9.6 | 9.8 | 0.9322 | 2013-06-18 |
| CVE-2019-1003030 (KEV) | 9.6 | 9.9 | 0.9288 | 2019-03-08 |
| CVE-2024-21412 (KEV) | 9.2 | 8.1 | 0.9377 | 2024-02-13 |
| CVE-2013-0431 (KEV) | 8.6 | 5.3 | 0.9159 | 2013-01-31 |
| CVE-2025-40536 (KEV) | 7.8 | 8.1 | 0.6891 | 2026-01-28 |
| CVE-2024-29988 (KEV) | 7.4 | 8.8 | 0.6050 | 2024-04-09 |
| CVE-2024-38213 (KEV) | 6.9 | 6.5 | 0.5932 | 2024-08-13 |
| CVE-2025-0411 (KEV) | 6.5 | 7.0 | 0.5241 | 2025-01-25 |
| CVE-2026-21513 (KEV) | 5.4 | 8.8 | 0.2811 | 2026-02-10 |
| CVE-2024-34144 | 5.0 | 9.8 | 0.5005 | 2024-05-02 |
| CVE-2026-21510 (KEV) | 4.0 | 8.8 | 0.0404 | 2026-02-10 |
| CVE-2024-38217 (KEV) | 3.8 | 5.4 | 0.1212 | 2024-09-10 |
| CVE-2024-38226 (KEV) | 3.5 | 7.3 | 0.0143 | 2024-09-10 |
| CVE-2018-6794 | 3.3 | 5.3 | 0.3743 | 2018-02-07 |
| CVE-2026-32202 (KEV) | 3.3 | 4.3 | 0.0719 | 2026-04-14 |
| CVE-2022-31479 | 2.5 | 9.6 | 0.0907 | 2022-06-06 |
| CVE-2022-35978 | 2.4 | 7.7 | 0.1373 | 2022-08-15 |
| CVE-2024-38092 | 2.3 | 8.8 | 0.0981 | 2024-07-09 |
| CVE-2017-10952 | 2.2 | 8.8 | 0.0726 | 2017-08-29 |
| CVE-2024-38180 | 2.2 | 8.8 | 0.0654 | 2024-08-13 |
| CVE-2017-3197 | 2.1 | 9.8 | 0.0284 | 2018-07-09 |
| CVE-2021-32835 | 2.1 | 9.9 | 0.0251 | 2021-09-09 |
| CVE-2017-8864 | 2.0 | 9.8 | 0.0065 | 2017-11-22 |
| CVE-2018-9311 | 2.0 | 9.8 | 0.0084 | 2018-05-31 |
| CVE-2018-9318 | 2.0 | 9.8 | 0.0084 | 2018-05-31 |