Cyber Resilience


CWE-295: Improper Certificate Validation

Abstraction: Base · CVEs in our corpus: 1,425

The product does not validate, or incorrectly validates, a certificate.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 12 mapping(s) from 6 framework(s): STIG oracle linux 8 3 (full) · ATT&CK 3 (mostly) · STIG rhel 7 2 (mostly) · STIG rhel 8 2 (mostly) · CAPEC 1 (partial) · OWASP-Web 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A07:2025 Authentication Failures.

NIST 800-53 r5 controls that address this weakness (3) · AI

Control · Title · Family · Why it addresses this CWE
SC-17 · Public Key Infrastructure Certificates · SC · Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.
SC-45 · System Time Synchronization · SC · Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.
SA-19 · Component Authenticity · SA · When certificates are used to establish component provenance, the control requires correct certificate validation procedures.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE                       Risk  CVSS  EPSS    Published
CVE-2020-0601 (KEV)       10.0  8.1   0.8944  2020-01-14
CVE-2022-20703 (KEV)      10.0  10.0  0.0920  2022-02-10
CVE-2022-26923 (KEV)      10.0  8.8   0.8328  2022-05-10
CVE-2023-20963 (KEV)      10.0  7.8   0.0144  2023-03-24
CVE-2023-41991 (KEV)      10.0  5.5   0.0455  2023-09-21
CVE-2009-3555             8.0   9.8   0.8726  2009-11-09
CVE-2015-4000             8.0   3.7   0.9986  2015-05-21
CVE-2023-27823            8.0   9.8   0.5252  2023-05-12
CVE-2010-1378             7.0   9.8   0.0127  2010-11-15
CVE-2015-7826             7.0   9.8   0.0112  2017-04-10
CVE-2017-2800             7.0   9.8   0.0853  2017-05-24
CVE-2017-7406             7.0   9.8   0.0069  2017-07-07
CVE-2015-3886             7.0   9.8   0.0173  2017-07-21
CVE-2015-2320             7.0   9.8   0.0354  2018-01-08
CVE-2017-17301            7.0   9.8   0.0099  2018-02-15
CVE-2018-9127             7.0   9.8   0.0096  2018-04-02
CVE-2018-4991             7.0   9.8   0.0578  2018-05-19
CVE-2018-12829            7.0   9.8   0.0507  2018-08-29
CVE-2016-1000030          7.0   9.8   0.0184  2018-09-05
CVE-2018-15387            7.0   9.8   0.0110  2018-10-05
CVE-2019-6266             7.0   9.8   0.0120  2019-02-25
CVE-2019-6592             7.0   9.1   0.0104  2019-02-26
CVE-2018-11747            7.0   9.8   0.0072  2019-03-21
CVE-2019-8351             7.0   9.1   0.0131  2019-03-21
CVE-2018-5926             7.0   9.1   0.0117  2019-03-27