CWE · MITRE source
CWE-703: Improper Check or Handling of Exceptional Conditions
The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (17) AI
Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CP-12 | Safe Mode | CP | Provides a defined response to detected conditions by restricting operation, ensuring exceptional conditions are handled rather than ignored or mishandled. |
| CP-3 | Contingency Training | CP | Contingency training equips users with defined procedures to check and respond to exceptional conditions during disruptions, reducing exploitation of mishandled errors. |
| CP-4 | Contingency Plan Testing | CP | Testing verifies the system's ability to detect, handle, and recover from exceptional conditions as part of the plan, reducing exploitability of improper exception handling. |
| IR-1 | Policy and Procedures | IR | Policy defines checks and handling for exceptional conditions arising from security incidents. |
| IR-3 | Incident Response Testing | IR | Performing IR tests ensures exceptional conditions are properly checked and handled to enable effective response. |
| IR-4 | Incident Handling | IR | Incident handling capability directly provides structured checking and response actions for security incidents as exceptional conditions. |
| SA-11 | Developer Testing and Evaluation | SA | Testing and evaluation exercises error paths and exceptional conditions, surfacing improper handling that is then remediated through the defined process. |
| SA-15 | Development Process, Standards, and Tools | SA | Standards and tools mandated by the process include proper handling of exceptional conditions that would otherwise be omitted. |
| SA-24 | Design For Cyber Resiliency | SA | Cyber resiliency objectives explicitly include graceful handling of adverse conditions and exceptional states, reducing improper exception handling. |
| SI-13 | Predictable Failure Prevention | SI | Requires systematic prediction and handling of failure conditions, reducing the impact of unhandled exceptional states. |
| SI-17 | Fail-safe Procedures | SI | Requires explicit, safe handling actions for specified exceptional conditions rather than allowing unchecked propagation or default unsafe behavior. |
| SI-6 | Security and Privacy Function Verification | SI | The required verification process supplies the missing checks for exceptional conditions affecting security functions. |
| AU-5 | Response to Audit Logging Process Failures | AU | Implements explicit check and handling for the exceptional condition of audit logging process failure. |
| CA-7 | Continuous Monitoring | CA | Establishing and monitoring system metrics with correlation and response actions helps identify and address improper handling of exceptional conditions. |
| SC-24 | Fail in Known State | SC | Mandates explicit, predictable handling of exceptional conditions rather than undefined continuation. |

2 more broadly-applicable controls:

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CP-5 | Contingency Plan Update | CP | Regular updates keep contingency procedures aligned with system changes, providing structured handling for exceptional conditions that would otherwise allow unmitigated exploitation. |
| IR-7 | Incident Response Assistance | IR | Supplies advice and assistance on handling incidents, improving checks and responses to exceptional conditions. |

Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-25372 (KEV) | 3.3 | 6.1 | 0.0176 | 2021-03-26 |
| CVE-2021-25370 (KEV) | 3.2 | 6.1 | 0.0049 | 2021-03-26 |
| CVE-2022-22265 (KEV) | 3.0 | 5.0 | 0.0019 | 2022-01-10 |
| CVE-2024-21894 | 2.4 | 9.8 | 0.0794 | 2024-04-04 |
| CVE-2024-22053 | 2.1 | 8.2 | 0.0742 | 2024-04-04 |
| CVE-2025-13021 | 2.0 | 9.8 | 0.0006 | 2025-11-11 |
| CVE-2025-13022 | 2.0 | 9.8 | 0.0006 | 2025-11-11 |
| CVE-2025-13023 | 2.0 | 9.8 | 0.0006 | 2025-11-11 |
| CVE-2025-13026 | 2.0 | 9.8 | 0.0006 | 2025-11-11 |
| CVE-2023-0397 | 1.9 | 9.6 | 0.0009 | 2023-01-19 |
| CVE-2021-3329 | 1.9 | 9.6 | 0.0022 | 2023-02-26 |
| CVE-2024-39815 | 1.9 | 9.1 | 0.0078 | 2024-08-12 |
| CVE-2019-5031 | 1.8 | 8.8 | 0.0102 | 2019-10-02 |
| CVE-2021-23859 | 1.8 | 9.1 | 0.0029 | 2021-12-08 |
| CVE-2023-45927 | 1.8 | 9.1 | 0.0014 | 2024-03-27 |
| CVE-2024-10781 | 1.8 | 8.1 | 0.0251 | 2024-11-26 |
| CVE-2018-12551 | 1.7 | 8.1 | 0.0071 | 2019-03-27 |
| CVE-2022-41777 | 1.7 | 7.5 | 0.0383 | 2022-12-05 |
| CVE-2024-22052 | 1.7 | 7.5 | 0.0415 | 2024-04-04 |
| CVE-2024-29205 | 1.7 | 7.5 | 0.0271 | 2024-04-25 |
| CVE-2024-4611 | 1.7 | 8.1 | 0.0179 | 2024-05-29 |
| CVE-2024-21525 | 1.7 | 8.3 | 0.0010 | 2024-07-10 |
| CVE-2026-0011 | 1.7 | 8.4 | 0.0000 | 2026-03-02 |
| CVE-2018-5463 | 1.6 | 7.8 | 0.0011 | 2018-04-09 |
| CVE-2022-20924 | 1.6 | 7.7 | 0.0073 | 2022-11-15 |