Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SC

SC-23Session Authenticity

Protect the authenticity of communications sessions.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 3 mapping(s) from 1 framework(s): ASVS 5.0 3 (partial)

See the full cumulative-coverage rollup →

Implementations targeting this control (10)

ATT&CK techniques this control mitigates (20)

Weaknesses this control addresses (8)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-319Cleartext Transmission of Sensitive Information1,076Eliminates cleartext exposure of session identifiers or tokens that would allow hijacking.
CWE-290Authentication Bypass by Spoofing698Requires cryptographic or protocol-level verification that blocks spoofed session establishment or continuation.
CWE-346Origin Validation Error661Mandates origin validation so that only legitimate endpoints can continue the authenticated session.
CWE-384Session Fixation489Enforces proper session ID generation and binding, preventing fixation of a known session token.
CWE-294Authentication Bypass by Capture-replay280Protects against replay of captured session tokens or credentials by requiring authenticated, fresh session channels.
CWE-614Sensitive Cookie in HTTPS Session Without 'Secure' Attribute60Forces the Secure flag on session cookies, preventing their transmission over unauthenticated HTTP channels.
CWE-940Improper Verification of Source of a Communication Channel55Requires explicit verification of the communication source, blocking session hijacking via spoofed or alternate channels.
CWE-300Channel Accessible by Non-Endpoint54Directly prevents non-endpoint access or interception of the session communication path.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2022-23131 KEV10.09.10.9568good
CVE-2022-287318.06.50.5626good
CVE-2026-277557.09.80.0040good
CVE-2025-632167.010.00.0071good
CVE-2023-539687.09.80.0056good
CVE-2025-253797.09.60.0027good
CVE-2024-132797.09.80.0044good
CVE-2025-636667.09.80.0043good
CVE-2026-307897.09.80.0027good
CVE-2018-253187.09.80.0065good
CVE-2026-359037.09.80.0049good
CVE-2025-251077.09.60.0022good
CVE-2026-251017.09.80.0036good
CVE-2026-396407.09.60.0014good
CVE-2026-3256 UPD7.09.80.0053good
CVE-2026-404717.09.60.0014good
CVE-2025-251067.09.60.0022good
CVE-2018-253167.09.80.0065good
CVE-2026-396177.09.60.0014good
CVE-2024-455387.09.60.0031good
CVE-2025-687177.09.40.0052good
CVE-2024-488497.09.40.0089good
CVE-2026-50857.09.10.0034good
CVE-2025-262067.09.00.0054good
CVE-2025-409267.09.80.0043good

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9