CWE · MITRE source
CWE-521: Weak Password Requirements
The product does not require that users should have strong passwords.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this weakness. The verdict is the strongest single mapping (overlapping partials are not summed); the mapping count shows how much corroboration stands behind it.
Collective: full · 24 mapping(s) from 5 framework(s): ATT&CK 9 (mostly) · CAPEC 9 (partial) · ASVS 5.0 3 (mostly) · STIG rhel 7 2 (partial) · OWASP-Web 1 (full)
OWASP Top 10 for Web (2025)
This weakness contributes to A07:2025 Authentication Failures.
NIST 800-53 r5 controls that address this weakness (8) · AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IA-1 | Policy and Procedures | IA | The identification and authentication policy is where password requirements are set, directly addressing weak password requirements. |
| IA-5 | Authenticator Management | IA | Ensuring authenticators have sufficient strength of mechanism for their intended use addresses weak password requirements. |
| PM-15 | Security and Privacy Groups and Associations | PM | Training and awareness of current practice improves the definition and enforcement of sufficiently strong password requirements. |
| PM-3 | Information Security and Privacy Resources | PM | Dedicated security resources support deployment of strong authentication systems and enforcement of robust password policies. |
| CM-6 | Configuration Settings | CM | Configuration settings define and enforce strong password requirements, preventing weak policies. |
| PL-9 | Central Management | PL | Organization-wide password and authentication policies are applied uniformly, preventing weak local password requirements. |
| RA-5 | Vulnerability Monitoring and Scanning | RA | Vulnerability scans assess password policies and credential requirements against benchmarks. |
| SA-5 | System Documentation | SA | User documentation on maintaining security includes password requirements, mitigating weak password policies. |
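As an added illustration (not code from MITRE, NIST or any product listed on this page), the check below puts a CWE-521 instance beside a policy enforced along the lines of NIST SP 800-63B section 5.1.1.2, the kind of "sufficient strength of mechanism" IA-5 asks for: a minimum and a generous maximum length measured after Unicode normalization, a blocklist of common or breached values, rejection of context-specific strings such as the username, and no composition rules. The blocklist entries, usernames and service name are constructed for the example; a real deployment would check against a breach corpus instead of a literal set.

```python
"""CWE-521 illustrated: a weak password requirement beside an 800-63B-style one.

Added example for this page; not code from MITRE, NIST or any product listed here.
Blocklist entries, usernames and service names below are constructed for the example.
"""
import re
import unicodedata

MIN_LENGTH = 8    # NIST SP 800-63B floor; the 2024 revision recommends 15
MAX_LENGTH = 64   # 800-63B: verifiers should accept at least 64 characters

# Stand-in for a breached/common-password corpus (constructed, deliberately tiny).
# Production systems check a large corpus, e.g. a k-anonymity range lookup
# against Have I Been Pwned's Pwned Passwords, rather than a literal set.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "12345678", "qwerty123", "letmein",
    "welcome", "welcome1", "iloveyou", "admin123", "changeme",
})


def weak_policy_accepts(password: str) -> bool:
    """The CWE-521 case: a six-character floor and nothing else."""
    return len(password) >= 6


def _is_sequential(s: str) -> bool:
    """True for runs such as 'abcdefgh' or '87654321' (every step +1, or every step -1)."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def strong_policy_problems(password: str, username: str = "", service: str = "") -> list[str]:
    """Return why a password is rejected; an empty list means it is accepted.

    Rules follow NIST SP 800-63B 5.1.1.2: length bounds counted on the NFKC form,
    a blocklist of common/breached values (also matched after trailing digits and
    symbols are stripped, so 'Password1!' is still caught), rejection of
    context-specific strings and of repeated or sequential characters. No
    composition rules (mixed case, required symbols), which 800-63B advises against.
    """
    problems: list[str] = []
    normalized = unicodedata.normalize("NFKC", password)   # e.g. full-width 'ｐ' -> 'p'
    if len(normalized) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    folded = normalized.casefold()
    stem = re.sub(r"[\W\d_]+$", "", folded)   # drop trailing digits/symbols before lookup
    if folded in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    for ctx in (username, service):           # context-specific words, case-insensitive
        if ctx and ctx.casefold() in folded:
            problems.append(f"contains context value {ctx!r}")
    if folded and len(set(folded)) == 1:
        problems.append("single repeated character")
    if _is_sequential(folded):
        problems.append("sequential characters")
    return problems


if __name__ == "__main__":
    for pw in ("123456", "Password1!", "ｐａｓｓｗｏｒｄ", "alice2024rocks",
               "correct horse battery staple"):
        print(f"{pw!r}: weak policy accepts={weak_policy_accepts(pw)}; "
              f"800-63B problems={strong_policy_problems(pw, username='alice', service='acme-portal')}")
```

The point the two functions make side by side: every value in the loop passes `weak_policy_accepts`, while the 800-63B-style check rejects the first four for specific, reportable reasons (800-63B also asks that the user be told why a value was refused) and accepts the long passphrase without demanding symbols or mixed case. Normalizing before counting matters because full-width or composed characters would otherwise slip past both the length floor and the blocklist.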
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2019-18988 (KEV) | 10.0 | 7.0 | 0.0475 | 2020-02-07 |
| CVE-2019-17444 | 8.0 | 9.8 | 0.6945 | 2020-10-12 |
| CVE-2017-1196 | 7.0 | 9.8 | 0.0166 | 2017-06-07 |
| CVE-2017-7903 (UPD) | 7.0 | 9.8 | 0.0274 | 2017-06-30 |
| CVE-2017-9853 | 7.0 | 9.8 | 0.0172 | 2017-08-05 |
| CVE-2017-12861 | 7.0 | 9.8 | 0.0334 | 2017-10-10 |
| CVE-2017-1221 | 7.0 | 9.8 | 0.0158 | 2017-11-13 |
| CVE-2017-14189 | 7.0 | 9.8 | 0.0278 | 2017-11-29 |
| CVE-2017-3186 | 7.0 | 9.8 | 0.0609 | 2017-12-16 |
| CVE-2017-16727 | 7.0 | 9.1 | 0.0151 | 2017-12-22 |
| CVE-2018-1372 | 7.0 | 9.8 | 0.0224 | 2018-02-27 |
| CVE-2018-1000134 | 7.0 | 9.8 | 0.0491 | 2018-03-16 |
| CVE-2017-1601 | 7.0 | 9.8 | 0.0253 | 2018-05-02 |
| CVE-2018-12925 | 7.0 | 9.8 | 0.0146 | 2018-06-28 |
| CVE-2018-19064 | 7.0 | 9.8 | 0.0199 | 2018-11-07 |
| CVE-2018-15719 | 7.0 | 9.8 | 0.0108 | 2018-12-12 |
| CVE-2019-7674 | 7.0 | 9.8 | 0.0135 | 2019-02-09 |
| CVE-2019-9123 | 7.0 | 9.8 | 0.0150 | 2019-02-25 |
| CVE-2019-9950 | 7.0 | 9.8 | 0.0230 | 2019-04-24 |
| CVE-2019-13918 | 7.0 | 9.8 | 0.0151 | 2019-09-13 |
| CVE-2019-3758 | 7.0 | 9.8 | 0.0146 | 2019-09-18 |
| CVE-2019-19690 | 7.0 | 9.8 | 0.0146 | 2019-12-18 |
| CVE-2019-19747 | 7.0 | 9.8 | 0.0139 | 2019-12-20 |
| CVE-2019-7488 | 7.0 | 9.8 | 0.0189 | 2019-12-23 |
| CVE-2020-9023 | 7.0 | 9.8 | 0.0149 | 2020-02-17 |