Cyber Resilience

CWE · MITRE source

CWE-1390: Weak Authentication

Abstraction: Class · CVEs in our corpus: 82

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

Attackers may be able to bypass weak authentication faster and/or with less effort than expected.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 26 mapping(s) from 9 framework(s): ATT&CK 11 (mostly) · ASVS 5.0 8 (mostly) · OWASP-Web 1 (full) · STIG rhel 7 1 (mostly) · STIG rhel 8 1 (mostly) · STIG ubuntu 22 04 1 (mostly) · STIG windows 10 1 (mostly) · STIG windows 11 1 (mostly) · STIG oracle linux 8 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A07:2025 Authentication Failures.

NIST 800-53 r5 controls that address this weakness (5) · AI

The 4 most specific controls are listed first; the 1 generic control that addresses many weakness types follows them.

Control | Title                                                  | Family | Why it addresses this CWE
IA-1    | Policy and Procedures                                  | IA     | The IA policy requires strong authentication methods, reducing use of weak authentication.
IA-10   | Adaptive Authentication                                | IA     | Enforces dynamic, context-aware authentication that mitigates weak static authentication by increasing requirements based on risk or conditions.
IA-2    | Identification and Authentication (Organizational Users) | IA   | Enforces authentication for users, reducing the viability of weak authentication mechanisms.
AC-9    | Previous Logon Notification                            | AC     | Helps detect exploitation of weak authentication mechanisms by notifying users of previous unauthorized logons.
IA-7    | Cryptographic Module Authentication                    | IA     | Requires authentication mechanisms to meet applicable standards and guidelines, preventing weak authentication. (broadly applicable control)

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.


Top CVEs of this weakness type, ranked by Risk Priority

CVE                | Risk | CVSS | EPSS   | Published
CVE-2025-40554     | 8.0  | 9.8  | 0.5845 | 2026-01-28
CVE-2022-43400     | 7.0  | 9.8  | 0.0088 | 2022-10-21
CVE-2023-49340     | 7.0  | 9.8  | 0.0086 | 2024-03-09
CVE-2024-34451     | 7.0  | 9.1  | 0.0077 | 2024-06-16
CVE-2024-39848     | 7.0  | 9.1  | 0.0044 | 2024-06-29
CVE-2024-38182     | 7.0  | 9.0  | 0.0089 | 2024-07-31
CVE-2024-45367     | 7.0  | 9.1  | 0.0052 | 2024-10-03
CVE-2024-13239     | 7.0  | 9.8  | 0.0054 | 2025-01-09
CVE-2024-48886     | 7.0  | 9.0  | 0.0046 | 2025-01-14
CVE-2025-1387      | 7.0  | 9.8  | 0.0054 | 2025-02-17
CVE-2024-54092     | 7.0  | 9.8  | 0.0072 | 2025-04-08
CVE-2025-39596 UPD | 7.0  | 9.8  | 0.0050 | 2025-04-17
CVE-2025-12870     | 7.0  | 9.8  | 0.0058 | 2025-11-12
CVE-2025-12871     | 7.0  | 9.8  | 0.0054 | 2025-11-12
CVE-2025-63807     | 7.0  | 9.8  | 0.0044 | 2025-11-20
CVE-2023-53894     | 7.0  | 9.8  | 0.0055 | 2025-12-16
CVE-2025-40552     | 7.0  | 9.8  | 0.4973 | 2026-01-28
CVE-2025-30411     | 7.0  | 10.0 | 0.0062 | 2026-02-20
CVE-2025-30412     | 7.0  | 10.0 | 0.0055 | 2026-02-20
CVE-2026-28710     | 7.0  | 9.8  | 0.0041 | 2026-03-06
CVE-2026-27478     | 7.0  | 9.1  | 0.0018 | 2026-03-11
CVE-2026-6886      | 7.0  | 9.8  | 0.0045 | 2026-04-23
CVE-2026-6274 UPD  | 7.0  | 9.8  | 0.0046 | 2026-06-05
CVE-2024-0822      | 5.5  | 7.5  | 0.0071 | 2024-01-25
CVE-2024-29837     | 5.5  | 8.8  | 0.0051 | 2024-04-15