NIST 800-53 r5 · Controls catalogue · Family SC
SC-14Public Access Protections
Public Access Protections
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (9)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,259 | Limits disclosure of sensitive information by ensuring only authorized actors can reach it through public interfaces. |
CWE-862 | Missing Authorization | 8,796 | Forces explicit authorization enforcement before any public request can affect protected data or functions. |
CWE-284 | Improper Access Control | 4,905 | Directly requires mechanisms to restrict public users from unauthorized actions on system resources. |
CWE-863 | Incorrect Authorization | 3,303 | Addresses incorrect policy decisions that would otherwise allow public users to exceed intended privileges. |
CWE-306 | Missing Authentication for Critical Function | 2,600 | Requires authentication gates on critical functions that must remain unavailable to anonymous public users. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,837 | Requires correct permission settings on public-facing resources to block unauthorized read/write access. |
CWE-285 | Improper Authorization | 1,252 | Mandates authorization checks so public access cannot perform disallowed operations or modifications. |
CWE-668 | Exposure of Resource to Wrong Sphere | 788 | Enforces separation so resources are not placed in a public sphere without explicit protection. |
CWE-552 | Files or Directories Accessible to External Parties | 551 | Prevents public exposure of files or directories that should not be reachable by unauthenticated parties. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-66603 | 2.0 | 9.8 | 0.0007 | good |
CVE-2025-41240 | 2.0 | 10.0 | 0.0039 | good |
CVE-2025-60949 | 1.8 | 9.1 | 0.0005 | good |
CVE-2025-13371 | 1.7 | 8.6 | 0.0031 | good |
CVE-2026-35408 UPD | 1.7 | 8.7 | 0.0001 | good |
CVE-2026-30617 UPD | 1.7 | 8.6 | 0.0021 | good |
CVE-2026-41055 | 1.7 | 8.6 | 0.0005 | good |
CVE-2025-27615 | 1.6 | 8.2 | 0.0006 | good |
CVE-2024-13622 | 1.5 | 7.5 | 0.0017 | good |
CVE-2024-12315 | 1.5 | 7.5 | 0.0043 | good |
CVE-2025-25281 | 1.5 | 7.5 | 0.0033 | good |
CVE-2026-35185 | 1.5 | 7.5 | 0.0010 | good |
CVE-2018-25164 | 1.5 | 7.5 | 0.0009 | good |
CVE-2024-13641 | 1.2 | 5.9 | 0.0032 | good |
CVE-2024-52367 | 1.1 | 5.3 | 0.0010 | good |
CVE-2024-11396 | 4.3 | 5.3 | 0.5417 | good |
CVE-2024-12008 | 3.1 | 5.3 | 0.3348 | good |
CVE-2026-27944 | 2.3 | 9.8 | 0.0607 | good |
CVE-2026-24477 | 2.2 | 7.5 | 0.1122 | good |
CVE-2026-23693 | 2.0 | 10.0 | 0.0020 | good |
CVE-2019-25337 | 2.0 | 9.8 | 0.0017 | good |
CVE-2025-70841 | 2.0 | 10.0 | 0.0010 | good |
CVE-2026-22237 | 2.0 | 9.8 | 0.0056 | good |
CVE-2020-36923 | 2.0 | 9.8 | 0.0024 | good |
CVE-2025-63223 | 2.0 | 9.8 | 0.0080 | good |