NIST 800-53 r5 · Controls catalogue · Family IA
IA-6 Authentication Feedback
Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: partial · 1 mapping(s) from 1 framework(s): ASVS 5.0 1 (partial)
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (8)
- T1021.001 Remote Desktop Protocol Lateral Movement
- T1021.005 VNC Lateral Movement
- T1530 Data from Cloud Storage Collection
- T1563 Remote Service Session Hijacking Lateral Movement
- T1578 Modify Cloud Compute Infrastructure Defense Impairment
- T1578.001 Create Snapshot Defense Impairment
- T1578.002 Create Cloud Instance Defense Impairment
- T1578.003 Delete Cloud Instance Defense Impairment
Weaknesses this control addresses (3) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,501 | Obscuring authentication feedback prevents exposure of sensitive information such as valid usernames or failure reasons to unauthorized actors. |
| CWE-209 | Generation of Error Message Containing Sensitive Information | 666 | The control directly mitigates generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses. |
| CWE-549 | Missing Password Field Masking | 16 | Obscuring feedback includes masking password input (e.g., asterisks), which addresses the weakness of missing password field masking. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2016-20030 UPD | 7.0 | 9.8 | 0.0056 | good |
| CVE-2025-31229 UPD | 7.0 | 9.1 | 0.0072 | good |
| CVE-2022-41697 | 6.0 | 5.3 | 0.2020 | good |
| CVE-2025-2277 | 5.5 | 7.5 | 0.0052 | good |
| CVE-2025-12455 | 5.5 | 7.5 | 0.0030 | good |
| CVE-2026-25222 | 5.5 | 7.5 | 0.0041 | good |
| CVE-2024-25734 UPD | 5.5 | 7.5 | 0.0405 | good |
| CVE-2023-6421 | 5.5 | 7.5 | 0.0244 | good |
| CVE-2022-28987 | 3.5 | 5.3 | 0.0970 | good |
| CVE-2025-12995 | 5.5 | 8.1 | 0.0029 | partial |
| CVE-2025-15103 | 5.5 | 8.1 | 0.0031 | good |
| CVE-2026-33419 | 5.5 | 7.5 | 0.0039 | good |
| CVE-2026-4113 | 5.5 | 7.2 | 0.0036 | good |
| CVE-2025-24011 | 3.5 | 5.3 | 0.0145 | good |
| CVE-2026-6284 | 7.0 | 9.1 | 0.0045 | partial |
| CVE-2026-34578 | 5.5 | 8.2 | 0.0042 | good |
| CVE-2025-68621 | 5.5 | 7.4 | 0.0051 | partial |