Cyber Resilience

CWE · MITRE source

CWE-257Storing Passwords in a Recoverable Format

Abstraction: Base · CVEs in our corpus: 64

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 6 mapping(s) from 3 framework(s): ATT&CK 4 (mostly) · ASVS 5.0 1 (full) · CAPEC 1 (partial)

See the full cumulative-coverage rollup →

NIST 800-53 r5 controls that address this weakness (0)AI

Control Title Family Why it addresses this CWE
No NIST controls proposed yet.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE Risk CVSS EPSS Published
CVE-2026-20128 KEV10.07.50.05272026-02-25
CVE-2017-99425.57.80.00272017-08-08
CVE-2019-37365.57.20.00702019-09-27
CVE-2021-274855.57.50.01172021-06-16
CVE-2022-348385.58.10.00152022-08-24
CVE-2022-222515.57.80.00162022-10-18
CVE-2023-217265.57.80.00482023-01-10
CVE-2022-325195.58.00.00472023-01-30
CVE-2023-311505.58.00.00472023-05-10
CVE-2022-473765.57.30.00162023-06-13
CVE-2023-56275.57.50.00312023-11-01
CVE-2024-14805.57.50.00502024-04-19
CVE-2025-6995 UPD5.58.40.00192025-07-08
CVE-2025-6996 UPD5.58.40.00192025-07-08
CVE-2025-8904 UPD5.58.50.00312025-08-13
CVE-2025-0280 UPD5.57.50.00102025-09-03
CVE-2016-150585.58.10.00212026-04-03
CVE-2018-54463.54.90.00392018-05-04
CVE-2019-56153.56.50.00802019-04-09
CVE-2019-65673.55.50.00302019-06-12
CVE-2019-10102413.56.50.01472019-07-19
CVE-2019-190963.56.10.00292020-04-02
CVE-2019-182563.54.60.00362020-06-29
CVE-2021-02203.56.80.01152021-01-15
CVE-2020-82963.56.70.00512021-03-03