CWE · MITRE source
CWE-294: Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
Capture-replay attacks are common and can be difficult to defeat without cryptography. They are a subset of network injection attacks that rely on observing previously-sent valid commands, then changing them slightly if necessary and resending the same commands to the server.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 17 mapping(s) from 4 framework(s): ATT&CK 8 (mostly) · CAPEC 6 (partial) · ASVS 5.0 2 (full) · OWASP-Web 1 (full)
OWASP Top 10 for Web (2025)
This weakness contributes to A07:2025 Authentication Failures.
NIST 800-53 r5 controls that address this weakness (4) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-23 | Session Authenticity | SC | Protects against replay of captured session tokens or credentials by requiring authenticated, fresh session channels. |
| SC-40 | Wireless Link Protection | SC | Wireless link protections commonly incorporate replay protection, reducing the exploitability of capture-replay weaknesses. |
| SC-45 | System Time Synchronization | SC | Accurate synchronized time enables tight timestamp windows that directly limit capture-replay windows in authentication protocols. |
| AC-9 | Previous Logon Notification | AC | Allows detection of capture-replay attacks by showing the replayed logon's timestamp as the last logon. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2023-23397 KEV | 10.0 | 9.8 | 0.9741 | 2023-03-14 |
| CVE-2017-3191 | 8.0 | 9.8 | 0.6253 | 2017-12-16 |
| CVE-2017-6034 UPD | 7.0 | 9.8 | 0.0514 | 2017-06-30 |
| CVE-2018-7790 | 7.0 | 9.8 | 0.0248 | 2018-08-29 |
| CVE-2018-17903 | 7.0 | 9.1 | 0.0156 | 2018-10-24 |
| CVE-2019-9659 | 7.0 | 9.1 | 0.0133 | 2019-03-11 |
| CVE-2019-18226 | 7.0 | 9.8 | 0.0137 | 2019-10-31 |
| CVE-2020-6972 | 7.0 | 9.1 | 0.0132 | 2020-03-24 |
| CVE-2018-17932 | 7.0 | 9.8 | 0.0149 | 2020-11-02 |
| CVE-2018-19025 | 7.0 | 9.8 | 0.0149 | 2020-11-02 |
| CVE-2020-35551 | 7.0 | 9.8 | 0.0042 | 2020-12-18 |
| CVE-2022-22806 | 7.0 | 9.8 | 0.1226 | 2022-03-09 |
| CVE-2022-29334 | 7.0 | 9.8 | 0.0116 | 2022-05-24 |
| CVE-2022-37011 | 7.0 | 9.8 | 0.0105 | 2022-09-13 |
| CVE-2022-44457 | 7.0 | 9.8 | 0.0070 | 2022-11-08 |
| CVE-2023-0014 | 7.0 | 9.0 | 0.0069 | 2023-01-10 |
| CVE-2023-1537 | 7.0 | 9.8 | 0.0084 | 2023-03-21 |
| CVE-2023-30909 | 7.0 | 9.8 | 0.0106 | 2023-09-14 |
| CVE-2023-49231 | 7.0 | 9.8 | 0.4290 | 2024-03-29 |
| CVE-2023-47435 | 7.0 | 9.8 | 0.0063 | 2024-04-19 |
| CVE-2024-4009 | 7.0 | 9.2 | 0.0014 | 2024-06-05 |
| CVE-2024-38438 | 7.0 | 9.8 | 0.0066 | 2024-07-21 |
| CVE-2025-26201 | 7.0 | 9.1 | 0.0062 | 2025-02-24 |
| CVE-2021-27289 | 7.0 | 9.1 | 0.0075 | 2025-04-15 |
| CVE-2025-49752 | 7.0 | 10.0 | 0.0090 | 2025-11-20 |