CWE · MITRE source
CWE-522: Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this weakness. The verdict is the strongest single mapping (overlapping partials are not summed); breadth is the number of corroborating mappings behind it.
Collective: full · 26 mapping(s) from 4 framework(s): ATT&CK 12 (full) · CAPEC 12 (partial) · ASVS 5.0 1 (mostly) · OWASP-Web 1 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A06:2025 Insecure Design.
NIST 800-53 r5 controls that address this weakness (7) · AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AT-2 | Literacy Training and Awareness | AT | Training instructs users on protecting credentials from disclosure or unauthorized access. |
| AT-4 | Training Records | AT | Records of awareness and role-based training show which personnel have been taught credential-protection practices, reducing the risk of credentials being mishandled or exposed. |
| SC-28 | Protection of Information at Rest | SC | Requiring confidentiality and integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores. |
| SC-37 | Out-of-band Channels | SC | Credentials or keys delivered out-of-band are not exposed to interception or inadequate protection on the main transport. |
| IA-5 | Authenticator Management | IA | Protecting authenticator content from unauthorized disclosure and modification, and mandating protective controls around it, addresses insufficiently protected credentials. |
| PL-4 | Rules of Behavior | PL | Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials. |
| PS-4 | Personnel Termination | PS | Terminating or revoking credentials on departure stops use of insufficiently protected or lingering credentials post-termination. |
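The storage half of this weakness, as an added example (not code from the CWE entry or from any product it references): the same login check written first with a plaintext credential at rest, then with only a salted scrypt verifier and a constant-time comparison, which is the shape SC-28 and IA-5 ask for. User names and passwords are constructed for the demo; the transport half (TLS for credentials in flight) is not shown.

```python
"""Added example: CWE-522 storage pattern beside a hardened verifier store.

The weak variant keeps the password itself in the user store, so any read of
that store (backup, config leak, injection) yields a working credential. The
hardened variant stores a self-describing salted scrypt record and compares in
constant time; dumping that store yields nothing directly usable.
All names and secrets below are constructed for the demo.
"""
import hashlib
import hmac
import os

# --- Weak: the pattern CWE-522 usually looks like in code ------------------
WEAK_STORE = {"alice": "hunter2"}  # plaintext credential at rest


def weak_verify(user: str, password: str) -> bool:
    # Works, but the store itself is the leak; the == also leaks timing.
    return WEAK_STORE.get(user) == password


# --- Hardened: salted memory-hard KDF, verifier only, constant-time compare --
# Interactive-login cost; 2**14 * 8 * 128 bytes = 16 MiB of scratch per hash.
_SCRYPT_N, _SCRYPT_R, _SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a record that carries its own parameters and salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=_SCRYPT_N, r=_SCRYPT_R, p=_SCRYPT_P, dklen=32)
    return f"scrypt${_SCRYPT_N}${_SCRYPT_R}${_SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the KDF from the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
        if algo != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, TypeError):
        # Malformed record: fail closed rather than raise into the login path.
        return False


HARDENED_STORE = {"alice": hash_password("hunter2")}

# Precomputed record used for unknown users so a lookup miss costs the same
# KDF work as a real check and does not reveal which accounts exist.
_DUMMY_RECORD = hash_password("not-a-real-password")


def hardened_verify(user: str, password: str) -> bool:
    record = HARDENED_STORE.get(user)
    if record is None:
        verify_password(_DUMMY_RECORD, password)
        return False
    return verify_password(record, password)


def store_exposes_password(store: dict, password: str) -> bool:
    """Audit helper: would a dump of this store hand an attacker the credential?"""
    return any(password in str(value) for value in store.values())


if __name__ == "__main__":
    print("weak store leaks credential:", store_exposes_password(WEAK_STORE, "hunter2"))
    print("hardened store leaks credential:", store_exposes_password(HARDENED_STORE, "hunter2"))
    print("hardened login ok:", hardened_verify("alice", "hunter2"))
    print("hardened login wrong password:", hardened_verify("alice", "hunter3"))
```

The record format embeds N, r and p so the cost can be raised later without invalidating existing users; the dummy verification for unknown accounts keeps the miss path as slow as the hit path.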
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2014-1812 (KEV) | 10.0 | 8.8 | 0.6512 | 2014-05-14 |
| CVE-2017-9248 (KEV) | 10.0 | 9.8 | 0.7510 | 2017-07-03 |
| CVE-2020-29583 (KEV) | 10.0 | 9.8 | 0.9005 | 2020-12-22 |
| CVE-2021-22681 (KEV) | 10.0 | 9.8 | 0.2545 | 2021-03-03 |
| CVE-2021-30116 (KEV) | 10.0 | 10.0 | 0.8562 | 2021-07-09 |
| CVE-2017-7925 | 8.0 | 9.8 | 0.5206 | 2017-05-06 |
| CVE-2018-9160 | 8.0 | 9.8 | 0.7652 | 2018-03-31 |
| CVE-2019-17662 | 8.0 | 9.8 | 0.9676 | 2019-10-16 |
| CVE-2014-6039 | 8.0 | 7.5 | 0.6878 | 2020-01-13 |
| CVE-2024-32238 | 8.0 | 9.8 | 0.5323 | 2024-04-22 |
| CVE-2024-44000 | 8.0 | 9.8 | 0.8318 | 2024-10-20 |
| CVE-2000-0944 | 7.0 | 9.8 | 0.1127 | 2000-12-19 |
| CVE-2005-3435 | 7.0 | 9.8 | 0.0233 | 2005-11-02 |
| CVE-2007-0681 | 7.0 | 9.8 | 0.0504 | 2007-02-03 |
| CVE-2017-5139 | 7.0 | 9.8 | 0.0174 | 2017-02-13 |
| CVE-2017-5140 | 7.0 | 9.8 | 0.0174 | 2017-02-13 |
| CVE-2017-8225 | 7.0 | 9.8 | 0.1787 | 2017-04-25 |
| CVE-2017-7913 | 7.0 | 9.8 | 0.0118 | 2017-05-29 |
| CVE-2017-8837 | 7.0 | 9.8 | 0.0494 | 2017-06-05 |
| CVE-2017-6028 | 7.0 | 9.8 | 0.0225 | 2017-06-30 |
| CVE-2017-7905 | 7.0 | 9.8 | 0.0128 | 2017-06-30 |
| CVE-2017-7315 | 7.0 | 9.8 | 0.0212 | 2017-07-04 |
| CVE-2017-6709 | 7.0 | 9.8 | 0.0129 | 2017-07-06 |
| CVE-2017-11349 | 7.0 | 9.8 | 0.0200 | 2017-07-17 |
| CVE-2017-6532 | 7.0 | 9.8 | 0.0146 | 2017-07-20 |