Cyber Posture


CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

Abstraction: Class · CVEs in our corpus: 56

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

Attackers might be able to spoof the intended endpoint from a different system or process, thus gaining the same level of access as the intended endpoint. While this issue frequently involves authentication between network-based clients and servers, other types of communication channels and endpoints can have this weakness.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (12)

Showing the 7 most specific. Generic controls that address many weakness types are collapsed below.

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-11 | Trusted Path | SC | Mandates restriction of the channel for authentication to only the intended trusted endpoints, blocking unauthorized communication paths. |
| SC-19 | Voice Over Internet Protocol | SC | Explicit control of VoIP traffic forces organizations to restrict communication channels to only intended endpoints and protocols. |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | SC | Explicit internal/external separation restricts name-resolution channels to their intended communication endpoints. |
| AC-18 | Wireless Access | AC | Authorizing wireless access restricts the wireless communication channel to only intended endpoints. |
| CA-3 | Information Exchange | CA | Approving specific exchanges and documenting interface characteristics restricts communication channels to only intended endpoints and systems. |
| PE-4 | Access Control for Transmission | PE | Limits physical connectivity to transmission channels, supporting restriction of communication paths to only intended endpoints. |
| SA-9 | External System Services | SA | Requiring providers to meet communication-channel restrictions and monitoring adherence reduces improper restriction of channels to intended endpoints. |

5 more broadly-applicable controls:

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-40 | Wireless Link Protection | SC | Enforces that the wireless communication channel is usable only by intended endpoints, addressing improper channel restriction. |
| SC-41 | Port and I/O Device Access | SC | Restricts communication channels to only intended endpoints by eliminating unnecessary ports and devices. |
| SC-46 | Cross Domain Policy Enforcement | SC | Policy enforcement restricts communication channels to only the intended endpoints and protocols between security domains. |
| SC-47 | Alternate Communications Paths | SC | Dedicated alternate paths enable explicit restriction of C2 traffic to intended endpoints rather than relying on a single unrestricted channel. |
| SC-7 | Boundary Protection | SC | The control explicitly requires that all external connections use managed boundary devices that restrict channels to intended endpoints. |

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-24974 | 2.2 | 7.5 | 0.1109 | 2024-07-08 |
| CVE-2019-17440 | 2.0 | 10.0 | 0.0045 | 2019-12-20 |
| CVE-2024-41889 | 2.0 | 9.8 | 0.0133 | 2024-08-05 |
| CVE-2025-46566 | 2.0 | 9.8 | 0.0030 | 2025-05-01 |
| CVE-2017-3891 | 1.9 | 9.6 | 0.0030 | 2017-11-14 |
| CVE-2026-34205 | 1.9 | 9.6 | 0.0005 | 2026-03-27 |
| CVE-2023-28078 | 1.8 | 9.1 | 0.0028 | 2024-02-15 |
| CVE-2025-48999 | 1.8 | 8.8 | 0.0020 | 2025-06-03 |
| CVE-2025-20261 | 1.8 | 8.8 | 0.0057 | 2025-06-04 |
| CVE-2025-61939 | 1.8 | 8.8 | 0.0004 | 2026-01-07 |
| CVE-2024-26131 | 1.7 | 8.4 | 0.0004 | 2024-02-29 |
| CVE-2024-47490 | 1.7 | 8.2 | 0.0022 | 2024-10-11 |
| CVE-2025-29986 | 1.7 | 8.3 | 0.0050 | 2025-04-08 |
| CVE-2021-38487 | 1.6 | 8.2 | 0.0010 | 2022-05-05 |
| CVE-2024-47125 | 1.6 | 8.1 | 0.0009 | 2024-09-26 |
| CVE-2023-28971 | 1.5 | 7.2 | 0.0022 | 2023-04-17 |
| CVE-2024-34446 | 1.5 | 7.5 | 0.0029 | 2024-05-03 |
| CVE-2024-6222 | 1.5 | 7.0 | 0.0233 | 2024-07-09 |
| CVE-2024-26013 | 1.5 | 7.5 | 0.0015 | 2025-04-08 |
| CVE-2025-23178 | 1.5 | 7.6 | 0.0022 | 2025-04-29 |
| CVE-2026-23664 | 1.5 | 7.5 | 0.0011 | 2026-03-10 |
| CVE-2026-32303 | 1.5 | 7.6 | 0.0002 | 2026-03-20 |
| CVE-2026-32317 | 1.5 | 7.6 | 0.0001 | 2026-03-20 |
| CVE-2026-32318 | 1.5 | 7.6 | 0.0001 | 2026-03-20 |
| CVE-2018-10596 | 1.4 | 7.1 | 0.0018 | 2018-07-03 |