CWE · MITRE source
CWE-424: Improper Protection of Alternate Path
The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.
Last updated: 04 July 2026 11:13 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 8 mapping(s) from 7 framework(s): CAPEC 2 (partial) · OWASP-Web 1 (mostly) · STIG oracle linux 9 1 (partial) · STIG rhel 9 1 (partial) · STIG ubuntu 22 04 1 (partial) · STIG ubuntu 24 04 1 (partial) · ATT&CK 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
NIST 800-53 r5 controls that address this weakness (1) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-17 | Remote Access | AC | Documenting requirements and authorizing remote access ensures proper protection of alternate paths. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-58136 KEV | 10.0 | 9.0 | 0.8778 | 2025-04-10 |
| CVE-2025-48827 UPD | 8.0 | 10.0 | 0.6965 | 2025-05-27 |
| CVE-2025-48828 UPD | 7.0 | 9.0 | 0.4836 | 2025-05-27 |
| CVE-2019-18996 | 5.5 | 7.1 | 0.0040 | 2019-12-18 |
| CVE-2023-0629 | 5.5 | 7.1 | 0.0022 | 2023-03-13 |
| CVE-2023-5165 | 5.5 | 7.1 | 0.0022 | 2023-09-25 |
| CVE-2024-3459 | 5.5 | 8.4 | 0.0027 | 2024-05-14 |
| CVE-2024-3460 | 5.5 | 7.4 | 0.0027 | 2024-05-14 |
| CVE-2023-52952 | 5.5 | 8.5 | 0.0017 | 2024-10-08 |
| CVE-2025-68939 | 5.5 | 8.2 | 0.0029 | 2025-12-26 |
| CVE-2019-18997 | 3.5 | 4.3 | 0.0152 | 2019-12-18 |
| CVE-2021-3793 | 3.5 | 6.5 | 0.0067 | 2021-11-12 |
| CVE-2022-24932 | 3.5 | 4.2 | 0.0010 | 2022-03-10 |
| CVE-2022-28782 | 3.5 | 4.6 | 0.0010 | 2022-05-03 |
| CVE-2022-1742 | 3.5 | 6.8 | 0.0028 | 2022-06-24 |
| CVE-2023-46176 | 3.5 | 6.7 | 0.0018 | 2023-11-03 |
| CVE-2023-20272 | 3.5 | 6.7 | 0.0089 | 2023-11-21 |
| CVE-2024-3927 | 3.5 | 5.3 | 0.0043 | 2024-05-22 |
| CVE-2024-8311 | 3.5 | 6.5 | 0.0054 | 2024-09-12 |
| CVE-2025-46654 UPD | 3.5 | 4.9 | 0.0021 | 2025-04-26 |
| CVE-2025-46655 UPD | 3.5 | 4.9 | 0.0020 | 2025-04-26 |
| CVE-2025-49162 UPD | 3.5 | 6.4 | 0.0016 | 2025-06-03 |
| CVE-2025-49163 UPD | 3.5 | 6.7 | 0.0014 | 2025-06-03 |
| CVE-2025-6250 UPD | 3.5 | 6.7 | 0.0016 | 2025-07-28 |
| CVE-2025-58079 | 3.5 | 4.3 | 0.0027 | 2025-10-16 |