CWE · MITRE source
CWE-288: Authentication Bypass Using an Alternate Path or Channel
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Last updated: 04 July 2026 00:28 UTC
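As an added illustration of the weakness described above (example code written for this page, not MITRE text or any vendor's implementation), the toy request router below enforces authentication on one path while two other routes to the same sensitive function escape the check: a legacy alias that was never placed under it, and an alternate spelling of the protected path that the prefix check and the router normalize differently. The hardened dispatcher decides authentication once, default-deny, on the same key the router uses. All routes, the session store and the token are constructed for the example.

```python
"""Added example, not MITRE text or any vendor's code: a toy request router
that shows the CWE-288 pattern (auth enforced on one path while another
path or spelling reaches the same function) beside a default-deny fix.
Every route, user and token here is constructed for the illustration."""
import posixpath
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed session store: bearer token -> username.
SESSIONS = {"tok-alice": "alice"}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def authenticated_user(req: Request) -> Optional[str]:
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    return SESSIONS.get(token.strip()) if scheme == "Bearer" else None


def normalize(path: str) -> str:
    # Resolve "." and "..", collapse repeated slashes and drop a trailing
    # slash so every spelling of a path maps to one routing key.
    clean = posixpath.normpath("/" + path.lstrip("/"))
    return clean.rstrip("/") or "/"


def export_users(req: Request) -> str:
    return "200 user list"  # sensitive: must only run for an authenticated caller


RouteKey = Tuple[str, str]
ROUTES: Dict[RouteKey, Callable[[Request], str]] = {
    ("GET", "/admin/export"): export_users,
    ("GET", "/api/v1/export"): export_users,  # legacy alias to the same function
    ("GET", "/health"): lambda req: "200 ok",
}
PUBLIC_ROUTES: Set[RouteKey] = {("GET", "/health")}


# --- Vulnerable: authentication is a prefix check bolted onto the raw path.
def vulnerable_dispatch(req: Request) -> str:
    if req.path.startswith("/admin/") and authenticated_user(req) is None:
        return "401 unauthorized"
    # The router matches on the *normalized* path, so "//admin/export" or
    # "/x/../admin/export" skips the check above yet still lands on
    # export_users; and the alias "/api/v1/export" was never checked at all.
    handler = ROUTES.get((req.method.upper(), normalize(req.path)))
    return handler(req) if handler else "404 not found"


# --- Hardened: default deny, decided once on the same key the router uses.
def hardened_dispatch(req: Request) -> str:
    key = (req.method.upper(), normalize(req.path))
    if key not in PUBLIC_ROUTES and authenticated_user(req) is None:
        return "401 unauthorized"  # unknown paths are refused too, not enumerated
    handler = ROUTES.get(key)
    return handler(req) if handler else "404 not found"


def unauthenticated_reachable(dispatch: Callable[[Request], str]) -> Set[str]:
    # Audit helper: which registered routes answer 2xx with no credentials?
    # Alternate spellings are probed too, since CWE-288 bypasses often live there.
    hits = set()
    for (method, path) in ROUTES:
        for spelling in (path, "/" + path, path + "/", "/x/.." + path):
            if dispatch(Request(method, spelling)).startswith("2"):
                hits.add(path)
    return hits


if __name__ == "__main__":
    print("vulnerable:", sorted(unauthenticated_reachable(vulnerable_dispatch)))
    print("hardened:  ", sorted(unauthenticated_reachable(hardened_dispatch)))
```

The audit helper is the check worth keeping: run it against the real dispatcher in a test suite so that a newly added route, alias or rewrite rule that reaches a protected function without credentials fails the build instead of shipping.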
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 14 mappings from 7 frameworks: STIG RHEL 7: 3 (mostly) · ATT&CK: 3 (partial) · STIG Oracle Linux 9: 2 (full) · STIG Oracle Linux 8: 2 (mostly) · ASVS 5.0: 2 (partial) · OWASP-Web: 1 (full) · CAPEC: 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A07:2025 Authentication Failures.
NIST 800-53 r5 controls that address this weakness (6) · AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IA-10 | Adaptive Authentication | IA | Adaptive requirements applied uniformly across access paths mean an alternate channel does not receive a weaker, or absent, authentication decision. |
| IA-13 | Identity Providers and Authorization Servers | IA | A central identity provider gives every entry point one authentication decision point, leaving fewer independently implemented paths to bypass. |
| IA-8 | Identification and Authentication (Non-organizational Users) | IA | Requires authentication of non-organizational users as well, closing the gap where externally facing paths are left unauthenticated. |
| AC-17 | Remote Access | AC | Authorizing and monitoring each remote access method limits the unauthorized alternate channels through which authentication could be skipped. |
| AC-9 | Previous Logon Notification | AC | Showing users their previous logon lets them spot logons they did not perform, including ones made through an alternate path or channel. |
| SC-11 | Trusted Path | SC | Requires authentication to occur only over the isolated trusted path, which directly blocks bypass through an alternate or untrusted channel. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
KEV marks a CVE listed in CISA's Known Exploited Vulnerabilities catalog.
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2020-10148 (KEV) | 10.0 | 9.8 | 0.9198 | 2020-12-29 |
| CVE-2023-20269 (KEV) | 10.0 | 5.0 | 0.2158 | 2023-09-06 |
| CVE-2023-42793 (KEV) | 10.0 | 9.8 | 0.9998 | 2023-09-19 |
| CVE-2023-46747 (KEV) | 10.0 | 9.8 | 0.9651 | 2023-10-26 |
| CVE-2024-1709 (KEV, UPD) | 10.0 | 10.0 | 0.9996 | 2024-02-21 |
| CVE-2024-27198 (KEV, UPD) | 10.0 | 9.8 | 0.9994 | 2024-03-04 |
| CVE-2024-55591 (KEV) | 10.0 | 9.8 | 0.9826 | 2025-01-14 |
| CVE-2025-24472 (KEV) | 10.0 | 8.1 | 0.0299 | 2025-02-11 |
| CVE-2025-2746 (KEV) | 10.0 | 9.8 | 0.5843 | 2025-03-24 |
| CVE-2025-2747 (KEV) | 10.0 | 9.8 | 0.9216 | 2025-03-24 |
| CVE-2025-4427 (KEV, UPD) | 10.0 | 5.3 | 0.9989 | 2025-05-13 |
| CVE-2025-34026 (KEV, UPD) | 10.0 | 7.5 | 0.8348 | 2025-05-21 |
| CVE-2025-57819 (KEV, UPD) | 10.0 | 9.8 | 0.9329 | 2025-08-28 |
| CVE-2026-23760 (KEV) | 10.0 | 9.8 | 0.9627 | 2026-01-22 |
| CVE-2026-24858 (KEV, UPD) | 10.0 | 9.8 | 0.8584 | 2026-01-27 |
| CVE-2026-1603 (KEV) | 10.0 | 8.6 | 0.8109 | 2026-02-10 |
| CVE-2017-5174 | 8.0 | 9.8 | 0.5229 | 2017-05-19 |
| CVE-2022-35869 | 8.0 | 9.8 | 0.6029 | 2022-07-25 |
| CVE-2023-2732 | 8.0 | 9.8 | 0.6751 | 2023-05-25 |
| CVE-2024-23917 (UPD) | 8.0 | 9.8 | 0.5373 | 2024-02-06 |
| CVE-2024-7314 | 8.0 | 9.8 | 0.5147 | 2024-08-02 |
| CVE-2024-10924 | 8.0 | 9.8 | 0.8172 | 2024-11-15 |
| CVE-2024-13179 | 8.0 | 7.3 | 0.6181 | 2025-01-14 |
| CVE-2024-56325 | 8.0 | 9.8 | 0.7867 | 2025-04-01 |
| CVE-2017-9944 | 7.0 | 9.8 | 0.0298 | 2017-12-27 |