NIST 800-53 r5 · Controls catalogue · Family SC
SC-23 Session Authenticity
Protect the authenticity of communications sessions.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (10)
- aws-config-elb-tls-https-listeners-only: ELB / ALB listeners use HTTPS or TLS (AWS::ElasticLoadBalancingV2::Listener) · partial · protect · enforce
- aws-config-alb-http-to-https-redirection-check: ALB HTTP to HTTPS redirection check (AWS::ElasticLoadBalancingV2::LoadBalancer) · partial · protect · enforce
- aws-config-api-gw-ssl-enabled: API Gateway SSL enabled (AWS::ApiGateway::Stage) · partial · protect · enforce
- aws-config-elasticsearch-node-to-node-encryption-check: Elasticsearch node-to-node encryption check (AWS::OpenSearchService::Domain) · partial · protect · enforce
- aws-config-elb-acm-certificate-required: ELB ACM certificate required (AWS::ElasticLoadBalancing::LoadBalancer) · partial · protect · enforce
- aws-config-elbv2-acm-certificate-required: ELBv2 ACM certificate required (AWS::ElasticLoadBalancingV2::LoadBalancer) · partial · protect · enforce
- aws-config-opensearch-https-required: OpenSearch HTTPS required (AWS::OpenSearchService::Domain) · partial · protect · enforce
- aws-config-opensearch-node-to-node-encryption-check: OpenSearch node-to-node encryption check (AWS::OpenSearchService::Domain) · partial · protect · enforce
- aws-config-redshift-require-tls-ssl: Redshift require TLS/SSL (AWS::Redshift::Cluster) · partial · protect · enforce
- aws-config-s3-bucket-ssl-requests-only: S3 bucket SSL requests only (AWS::S3::Bucket) · partial · protect · enforce · CIS §2.1.1, Hub S3.5
ATT&CK techniques this control mitigates (20)
- T1071 Application Layer Protocol (Command and Control)
- T1071.001 Web Protocols (Command and Control)
- T1071.002 File Transfer Protocols (Command and Control)
- T1071.003 Mail Protocols (Command and Control)
- T1071.004 DNS (Command and Control)
- T1185 Browser Session Hijacking (Collection)
- T1535 Unused/Unsupported Cloud Regions (Stealth)
- T1550.004 Web Session Cookie (Lateral Movement)
- T1557 Adversary-in-the-Middle (Credential Access, Collection)
- T1557.001 Name Resolution Poisoning and SMB Relay (Credential Access, Collection)
- T1557.002 ARP Cache Poisoning (Credential Access, Collection)
- T1557.003 DHCP Spoofing (Credential Access, Collection)
- T1557.004 Evil Twin (Credential Access, Collection)
- T1563.001 SSH Hijacking (Lateral Movement)
- T1573 Encrypted Channel (Command and Control)
- T1573.001 Symmetric Cryptography (Command and Control)
- T1573.002 Asymmetric Cryptography (Command and Control)
- T1622 Debugger Evasion (Stealth, Discovery)
- T1685 Disable or Modify Tools (Defense Impairment)
- T1688 Safe Mode Boot (Defense Impairment)
Weaknesses this control addresses (8)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-319 | Cleartext Transmission of Sensitive Information | 1,051 | Eliminates cleartext exposure of session identifiers or tokens that would allow hijacking. |
| CWE-290 | Authentication Bypass by Spoofing | 642 | Requires cryptographic or protocol-level verification that blocks spoofed session establishment or continuation. |
| CWE-346 | Origin Validation Error | 556 | Mandates origin validation so that only legitimate endpoints can continue the authenticated session. |
| CWE-384 | Session Fixation | 474 | Enforces proper session ID generation and binding, preventing fixation of a known session token. |
| CWE-294 | Authentication Bypass by Capture-replay | 266 | Protects against replay of captured session tokens or credentials by requiring authenticated, fresh session channels. |
| CWE-300 | Channel Accessible by Non-Endpoint | 53 | Directly prevents non-endpoint access to or interception of the session communication path. |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | 52 | Forces the Secure flag on session cookies, preventing their transmission over unauthenticated HTTP channels. |
| CWE-940 | Improper Verification of Source of a Communication Channel | 47 | Requires explicit verification of the communication source, blocking session hijacking via spoofed or alternate channels. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-23922 (UPD) | 2.2 | 10.0 | 0.0372 | good |
| CVE-2025-52689 | 2.1 | 9.8 | 0.0157 | good |
| CVE-2026-27755 | 2.0 | 9.8 | 0.0015 | good |
| CVE-2025-63216 | 2.0 | 10.0 | 0.0016 | good |
| CVE-2025-25101 (UPD) | 2.0 | 9.6 | 0.0124 | good |
| CVE-2023-53968 | 2.0 | 9.8 | 0.0058 | good |
| CVE-2025-25379 | 2.0 | 9.6 | 0.0085 | good |
| CVE-2024-13279 | 2.0 | 9.8 | 0.0018 | good |
| CVE-2025-63666 | 2.0 | 9.8 | 0.0010 | good |
| CVE-2026-30789 | 2.0 | 9.8 | 0.0018 | good |
| CVE-2018-25318 | 2.0 | 9.8 | 0.0016 | good |
| CVE-2026-35903 (UPD) | 2.0 | 9.8 | 0.0002 | good |
| CVE-2026-25101 | 2.0 | 9.8 | 0.0006 | good |
| CVE-2026-3256 | 2.0 | 9.8 | 0.0002 | good |
| CVE-2018-25316 | 2.0 | 9.8 | 0.0016 | good |
| CVE-2025-40926 | 2.0 | 9.8 | 0.0008 | good |
| CVE-2026-30793 | 2.0 | 9.8 | 0.0004 | good |
| CVE-2026-24352 | 2.0 | 9.8 | 0.0002 | good |
| CVE-2026-23796 | 2.0 | 9.8 | 0.0006 | good |
| CVE-2025-67135 | 2.0 | 9.8 | 0.0002 | good |
| CVE-2024-51144 | 1.9 | 8.8 | 0.0312 | good |
| CVE-2025-25107 (UPD) | 1.9 | 9.6 | 0.0014 | good |
| CVE-2026-39640 (UPD) | 1.9 | 9.6 | 0.0002 | good |
| CVE-2026-40471 | 1.9 | 9.6 | 0.0002 | good |
| CVE-2025-25106 (UPD) | 1.9 | 9.6 | 0.0010 | good |