NIST 800-53 r5 · Controls catalogue · Family AC
AC-18Wireless Access
Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and Authorize each type of wireless access to the system prior to allowing such connections.
Last updated: 19 May 2026 20:20 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (25)
- T1011 Exfiltration Over Other Network Medium Exfiltration
- T1011.001 Exfiltration Over Bluetooth Exfiltration
- T1020.001 Traffic Duplication Exfiltration
- T1040 Network Sniffing Credential Access, Discovery
- T1070 Indicator Removal Stealth
- T1070.008 Clear Mailbox Data Stealth
- T1119 Automated Collection Collection
- T1530 Data from Cloud Storage Collection
- T1552 Unsecured Credentials Credential Access
- T1552.004 Private Keys Credential Access
- T1557 Adversary-in-the-Middle Credential Access, Collection
- T1557.002 ARP Cache Poisoning Credential Access, Collection
- T1557.004 Evil Twin Credential Access, Collection
- T1558 Steal or Forge Kerberos Tickets Credential Access
- T1558.002 Silver Ticket Credential Access
- T1558.003 Kerberoasting Credential Access
- T1558.004 AS-REP Roasting Credential Access
- T1565 Data Manipulation Impact
- T1565.001 Stored Data Manipulation Impact
- T1565.002 Transmitted Data Manipulation Impact
- T1602 Data from Configuration Repository Collection
- T1602.001 SNMP (MIB Dump) Collection
- T1602.002 Network Device Configuration Dump Collection
- T1685.005 Clear Windows Event Logs Defense Impairment
- T1685.006 Clear Linux or Mac System Logs Defense Impairment
Weaknesses this control addresses (5)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-862 | Missing Authorization | 8,799 | Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access. |
CWE-284 | Improper Access Control | 4,907 | Requiring authorization of wireless access before allowing connections enforces proper access control for this access method. |
CWE-863 | Incorrect Authorization | 3,305 | Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access. |
CWE-285 | Improper Authorization | 1,252 | The control explicitly requires authorization of each wireless access type prior to permitting connections. |
CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 57 | Authorizing wireless access restricts the wireless communication channel to only intended endpoints. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-14346 | 2.0 | 9.8 | 0.0015 | good |
CVE-2025-30139 | 2.0 | 9.8 | 0.0025 | good |
CVE-2024-52325 | 2.0 | 9.6 | 0.0063 | good |
CVE-2025-69969 | 1.9 | 9.6 | 0.0005 | good |
CVE-2025-65824 | 1.8 | 8.8 | 0.0027 | good |
CVE-2024-34730 | 1.6 | 7.8 | 0.0001 | good |
CVE-2024-20153 | 1.5 | 7.5 | 0.0068 | good |
CVE-2025-65552 | 2.0 | 9.8 | 0.0015 | good |
CVE-2025-63353 | 2.0 | 9.8 | 0.0062 | good |
CVE-2025-30115 | 2.0 | 9.8 | 0.0011 | good |
CVE-2025-30133 | 2.0 | 9.8 | 0.0011 | good |
CVE-2025-30106 | 1.8 | 8.8 | 0.0006 | good |
CVE-2026-31408 UPD | 1.8 | 8.8 | 0.0003 | partial |
CVE-2026-4272 | 1.6 | 8.1 | 0.0003 | good |
CVE-2025-30142 | 1.6 | 8.1 | 0.0002 | good |
CVE-2024-8893 | 1.5 | 7.3 | 0.0015 | partial |
CVE-2026-26048 | 1.5 | 7.5 | 0.0004 | good |
CVE-2024-49747 | 2.3 | 9.8 | 0.0517 | partial |
CVE-2025-22403 | 2.1 | 9.8 | 0.0226 | partial |
CVE-2025-22408 | 2.1 | 9.8 | 0.0198 | partial |
CVE-2024-45434 | 2.1 | 9.8 | 0.0206 | partial |
CVE-2025-0074 | 2.1 | 9.8 | 0.0178 | partial |
CVE-2026-21638 | 1.8 | 8.8 | 0.0022 | partial |
CVE-2026-31773 UPD | 1.8 | 8.8 | 0.0004 | partial |
CVE-2026-0073 | 1.8 | 8.8 | 0.0001 | good |