CWE · MITRE source
CWE-290: Authentication Bypass by Spoofing
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 27 mapping(s) from 7 framework(s): ATT&CK 10 (mostly) · CAPEC 10 (partial) · ASVS 5.0 3 (mostly) · OWASP-Web 1 (full) · STIG oracle linux 8 1 (mostly) · STIG rhel 7 1 (mostly) · STIG rhel 8 1 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A07:2025 Authentication Failures.
NIST 800-53 r5 controls that address this weakness (11)
The 8 most specific controls are listed first, followed by 3 broadly-applicable controls that address many weakness types.

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-11 | Trusted Path | SC | Isolated trusted path ensures the user interacts only with genuine system components, preventing spoofing of authentication interfaces or prompts. |
| SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | SC | Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source. |
| SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | SC | Directly counters DNS response spoofing by requiring cryptographic origin authentication before trusting resolved names/addresses. |
| IA-12 | Identity Proofing | IA | Requiring verifiable identity evidence at appropriate assurance levels makes it substantially harder for attackers to successfully spoof or impersonate users to obtain accounts. |
| IA-3 | Device Identification and Authentication | IA | Unique device authentication makes successful spoofing of device identity substantially more difficult to achieve. |
| IA-8 | Identification and Authentication (Non-organizational Users) | IA | Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing. |
| AC-9 | Previous Logon Notification | AC | Reveals spoofed logon attempts through unexpected previous logon timestamps upon legitimate login. |
| AT-2 | Literacy Training and Awareness | AT | Training specifically addresses recognizing spoofed communications and phishing that enable authentication bypass. |
| SC-23 | Session Authenticity | SC | Requires cryptographic or protocol-level verification that blocks spoofed session establishment or continuation. |
| SC-40 | Wireless Link Protection | SC | Signal-parameter protections (e.g., cryptographic authentication, anti-spoofing) directly counter spoofing-based authentication bypass. |
| IA-9 | Service Identification and Authentication | IA | Unique identification and authentication of services before communications makes spoofing of service identities substantially harder. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority (KEV marks entries on the CISA Known Exploited Vulnerabilities list)

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2022-23131 (KEV) | 10.0 | 9.1 | 0.9568 | 2022-01-13 |
| CVE-2022-24112 (KEV) | 10.0 | 9.8 | 0.9618 | 2022-02-11 |
| CVE-2023-50224 (KEV) | 10.0 | 6.5 | 0.1745 | 2024-05-03 |
| CVE-2024-4358 (KEV) | 10.0 | 9.8 | 0.9748 | 2024-05-29 |
| CVE-2024-54085 (KEV) | 10.0 | 9.8 | 0.6120 | 2025-03-11 |
| CVE-2019-1234 | 8.0 | 7.5 | 0.5794 | 2019-11-12 |
| CVE-2021-29441 | 8.0 | 8.6 | 0.7424 | 2021-04-27 |
| CVE-2021-31195 | 8.0 | 6.5 | 0.7368 | 2021-05-11 |
| CVE-2020-7388 | 8.0 | 10.0 | 0.7027 | 2021-07-22 |
| CVE-2021-34646 | 8.0 | 9.8 | 0.5087 | 2021-08-30 |
| CVE-2009-1048 | 7.0 | 9.8 | 0.0637 | 2009-08-14 |
| CVE-2017-14003 | 7.0 | 9.8 | 0.0260 | 2017-10-11 |
| CVE-2017-14375 | 7.0 | 9.8 | 0.0477 | 2017-11-01 |
| CVE-2017-14487 | 7.0 | 9.1 | 0.0116 | 2017-12-01 |
| CVE-2018-15715 | 7.0 | 9.8 | 0.0349 | 2018-11-30 |
| CVE-2018-7842 | 7.0 | 9.8 | 0.3504 | 2019-05-22 |
| CVE-2019-16378 | 7.0 | 9.8 | 0.0246 | 2019-09-17 |
| CVE-2019-18259 | 7.0 | 9.8 | 0.0211 | 2019-12-16 |
| CVE-2019-16871 | 7.0 | 9.8 | 0.0530 | 2019-12-19 |
| CVE-2019-12131 | 7.0 | 9.1 | 0.0118 | 2020-03-18 |
| CVE-2019-20790 | 7.0 | 9.8 | 0.0266 | 2020-04-27 |
| CVE-2020-5415 | 7.0 | 10.0 | 0.0122 | 2020-08-12 |
| CVE-2018-5353 | 7.0 | 9.8 | 0.0810 | 2020-09-30 |
| CVE-2020-26276 | 7.0 | 10.0 | 0.0217 | 2020-12-17 |
| CVE-2020-22001 | 7.0 | 9.8 | 0.0341 | 2021-04-27 |