CWE · MITRE source
CWE-1390 Weak Authentication
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
Attackers may be able to bypass weak authentication faster and/or with less effort than expected.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 26 mapping(s) from 9 framework(s): ATT&CK 11 (mostly) · ASVS 5.0 8 (mostly) · OWASP-Web 1 (full) · STIG rhel 7 1 (mostly) · STIG rhel 8 1 (mostly) · STIG ubuntu 22 04 1 (mostly) · STIG windows 10 1 (mostly) · STIG windows 11 1 (mostly) · STIG oracle linux 8 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A07:2025 Authentication Failures.
NIST 800-53 r5 controls that address this weakness (5)
Showing the 4 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IA-1 | Policy and Procedures | IA | The IA policy requires strong authentication methods, reducing use of weak authentication. |
| IA-10 | Adaptive Authentication | IA | Enforces dynamic, context-aware authentication that mitigates weak static authentication by increasing requirements based on risk or conditions. |
| IA-2 | Identification and Authentication (Organizational Users) | IA | Enforces authentication for users, reducing the viability of weak authentication mechanisms. |
| AC-9 | Previous Logon Notification | AC | Helps detect exploitation of weak authentication mechanisms by notifying of previous unauthorized logons. |
| IA-7 | Cryptographic Module Authentication | IA | Requires authentication mechanisms to meet applicable standards and guidelines, preventing weak authentication. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-40554 | 8.0 | 9.8 | 0.5845 | 2026-01-28 |
| CVE-2022-43400 | 7.0 | 9.8 | 0.0088 | 2022-10-21 |
| CVE-2023-49340 | 7.0 | 9.8 | 0.0086 | 2024-03-09 |
| CVE-2024-34451 | 7.0 | 9.1 | 0.0077 | 2024-06-16 |
| CVE-2024-39848 | 7.0 | 9.1 | 0.0044 | 2024-06-29 |
| CVE-2024-38182 | 7.0 | 9.0 | 0.0089 | 2024-07-31 |
| CVE-2024-45367 | 7.0 | 9.1 | 0.0052 | 2024-10-03 |
| CVE-2024-13239 | 7.0 | 9.8 | 0.0054 | 2025-01-09 |
| CVE-2024-48886 | 7.0 | 9.0 | 0.0046 | 2025-01-14 |
| CVE-2025-1387 | 7.0 | 9.8 | 0.0054 | 2025-02-17 |
| CVE-2024-54092 | 7.0 | 9.8 | 0.0072 | 2025-04-08 |
| CVE-2025-39596 | 7.0 | 9.8 | 0.0050 | 2025-04-17 |
| CVE-2025-12870 | 7.0 | 9.8 | 0.0058 | 2025-11-12 |
| CVE-2025-12871 | 7.0 | 9.8 | 0.0054 | 2025-11-12 |
| CVE-2025-63807 | 7.0 | 9.8 | 0.0044 | 2025-11-20 |
| CVE-2023-53894 | 7.0 | 9.8 | 0.0055 | 2025-12-16 |
| CVE-2025-40552 | 7.0 | 9.8 | 0.4973 | 2026-01-28 |
| CVE-2025-30411 | 7.0 | 10.0 | 0.0062 | 2026-02-20 |
| CVE-2025-30412 | 7.0 | 10.0 | 0.0055 | 2026-02-20 |
| CVE-2026-28710 | 7.0 | 9.8 | 0.0041 | 2026-03-06 |
| CVE-2026-27478 | 7.0 | 9.1 | 0.0018 | 2026-03-11 |
| CVE-2026-6886 | 7.0 | 9.8 | 0.0045 | 2026-04-23 |
| CVE-2026-6274 | 7.0 | 9.8 | 0.0046 | 2026-06-05 |
| CVE-2024-0822 | 5.5 | 7.5 | 0.0071 | 2024-01-25 |
| CVE-2024-29837 | 5.5 | 8.8 | 0.0051 | 2024-04-15 |