CWE · MITRE source
CWE-257Storing Passwords in a Recoverable Format
The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 6 mapping(s) from 3 framework(s): ATT&CK 4 (mostly) · ASVS 5.0 1 (full) · CAPEC 1 (partial)
NIST 800-53 r5 controls that address this weakness (0)AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| No NIST controls proposed yet. | |||
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this;
→ this covers other (F/M/P = full / mostly /
partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
CVE-2026-20128 KEV | 10.0 | 7.5 | 0.0527 | 2026-02-25 |
CVE-2017-9942 | 5.5 | 7.8 | 0.0027 | 2017-08-08 |
CVE-2019-3736 | 5.5 | 7.2 | 0.0070 | 2019-09-27 |
CVE-2021-27485 | 5.5 | 7.5 | 0.0117 | 2021-06-16 |
CVE-2022-34838 | 5.5 | 8.1 | 0.0015 | 2022-08-24 |
CVE-2022-22251 | 5.5 | 7.8 | 0.0016 | 2022-10-18 |
CVE-2023-21726 | 5.5 | 7.8 | 0.0048 | 2023-01-10 |
CVE-2022-32519 | 5.5 | 8.0 | 0.0047 | 2023-01-30 |
CVE-2023-31150 | 5.5 | 8.0 | 0.0047 | 2023-05-10 |
CVE-2022-47376 | 5.5 | 7.3 | 0.0016 | 2023-06-13 |
CVE-2023-5627 | 5.5 | 7.5 | 0.0031 | 2023-11-01 |
CVE-2024-1480 | 5.5 | 7.5 | 0.0050 | 2024-04-19 |
CVE-2025-6995 UPD | 5.5 | 8.4 | 0.0019 | 2025-07-08 |
CVE-2025-6996 UPD | 5.5 | 8.4 | 0.0019 | 2025-07-08 |
CVE-2025-8904 UPD | 5.5 | 8.5 | 0.0031 | 2025-08-13 |
CVE-2025-0280 UPD | 5.5 | 7.5 | 0.0010 | 2025-09-03 |
CVE-2016-15058 | 5.5 | 8.1 | 0.0021 | 2026-04-03 |
CVE-2018-5446 | 3.5 | 4.9 | 0.0039 | 2018-05-04 |
CVE-2019-5615 | 3.5 | 6.5 | 0.0080 | 2019-04-09 |
CVE-2019-6567 | 3.5 | 5.5 | 0.0030 | 2019-06-12 |
CVE-2019-1010241 | 3.5 | 6.5 | 0.0147 | 2019-07-19 |
CVE-2019-19096 | 3.5 | 6.1 | 0.0029 | 2020-04-02 |
CVE-2019-18256 | 3.5 | 4.6 | 0.0036 | 2020-06-29 |
CVE-2021-0220 | 3.5 | 6.8 | 0.0115 | 2021-01-15 |
CVE-2020-8296 | 3.5 | 6.7 | 0.0051 | 2021-03-03 |