Cyber Resilience


CWE-522: Insufficiently Protected Credentials

Abstraction: Class · CVEs in our corpus: 1,371

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 26 mapping(s) from 4 framework(s): ATT&CK 12 (full) · CAPEC 12 (partial) · ASVS 5.0 1 (mostly) · OWASP-Web 1 (mostly)


OWASP Top 10 for Web (2025)

This weakness contributes to A06:2025 Insecure Design.

NIST 800-53 r5 controls that address this weakness (7)

Control | Title | Family | Why it addresses this CWE
AT-2 | Literacy Training and Awareness | AT | Training instructs users on protecting credentials from disclosure or unauthorized access.
AT-4 | Training Records | AT | Training records for security awareness and role-based training verify education on credential protection practices, tangibly reducing risks from mishandling or exposing credentials.
SC-28 | Protection of Information at Rest | SC | Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.
SC-37 | Out-of-band Channels | SC | Credentials or keys delivered out-of-band are not exposed to interception or inadequate protection on the main transport.
IA-5 | Authenticator Management | IA | Protecting authenticator content from unauthorized disclosure and modification while requiring protective controls addresses insufficiently protected credentials.
PL-4 | Rules of Behavior | PL | Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials.
PS-4 | Personnel Termination | PS | Terminating or revoking credentials stops use of insufficiently protected or lingering credentials post-termination.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.


Top CVEs of this weakness type, ranked by Risk Priority

CVE | Risk | CVSS | EPSS | Published
CVE-2014-1812 (KEV) | 10.0 | 8.8 | 0.6512 | 2014-05-14
CVE-2017-9248 (KEV) | 10.0 | 9.8 | 0.7510 | 2017-07-03
CVE-2020-29583 (KEV) | 10.0 | 9.8 | 0.9005 | 2020-12-22
CVE-2021-22681 (KEV) | 10.0 | 9.8 | 0.2545 | 2021-03-03
CVE-2021-30116 (KEV) | 10.0 | 10.0 | 0.8562 | 2021-07-09
CVE-2017-7925 | 8.0 | 9.8 | 0.5206 | 2017-05-06
CVE-2018-9160 | 8.0 | 9.8 | 0.7652 | 2018-03-31
CVE-2019-17662 | 8.0 | 9.8 | 0.9676 | 2019-10-16
CVE-2014-6039 | 8.0 | 7.5 | 0.6878 | 2020-01-13
CVE-2024-32238 | 8.0 | 9.8 | 0.5323 | 2024-04-22
CVE-2024-44000 | 8.0 | 9.8 | 0.8318 | 2024-10-20
CVE-2000-0944 | 7.0 | 9.8 | 0.1127 | 2000-12-19
CVE-2005-3435 | 7.0 | 9.8 | 0.0233 | 2005-11-02
CVE-2007-0681 | 7.0 | 9.8 | 0.0504 | 2007-02-03
CVE-2017-5139 | 7.0 | 9.8 | 0.0174 | 2017-02-13
CVE-2017-5140 | 7.0 | 9.8 | 0.0174 | 2017-02-13
CVE-2017-8225 | 7.0 | 9.8 | 0.1787 | 2017-04-25
CVE-2017-7913 | 7.0 | 9.8 | 0.0118 | 2017-05-29
CVE-2017-8837 | 7.0 | 9.8 | 0.0494 | 2017-06-05
CVE-2017-6028 | 7.0 | 9.8 | 0.0225 | 2017-06-30
CVE-2017-7905 | 7.0 | 9.8 | 0.0128 | 2017-06-30
CVE-2017-7315 | 7.0 | 9.8 | 0.0212 | 2017-07-04
CVE-2017-6709 | 7.0 | 9.8 | 0.0129 | 2017-07-06
CVE-2017-11349 | 7.0 | 9.8 | 0.0200 | 2017-07-17
CVE-2017-6532 | 7.0 | 9.8 | 0.0146 | 2017-07-20