CWE · MITRE source
CWE-613: Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 5 mapping(s) from 2 framework(s): ATT&CK 4 (partial) · OWASP-Web 1 (full)
OWASP Top 10 for Web (2025)
This weakness contributes to A07:2025 Authentication Failures.
NIST 800-53 r5 controls that address this weakness (8)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-11 | Device Lock | AC | Locks the device (typically after inactivity) until re-authentication, addressing insufficient session expiration by preventing indefinite access. |
| AC-12 | Session Termination | AC | Automatically terminating sessions after a defined period directly enforces session expiration, preventing indefinite session lifetimes that attackers can exploit. |
| SC-10 | Network Disconnect | SC | Directly enforces termination of network sessions after inactivity or end-of-session, preventing indefinite session lifetime. |
| SC-45 | System Time Synchronization | SC | Consistent clocks across systems allow session expiration and timeout enforcement to function as intended in distributed environments. |
| SI-14 | Non-persistence | SI | When the non-persistent artifact is a session or connection, mandatory termination implements the missing expiration that CWE-613 describes. |
| SI-21 | Information Refresh | SI | Timed refresh of session-related information, or on-demand generation followed by deletion, implements proper session expiration. |
| IA-11 | Re-authentication | IA | Re-authentication after inactivity or time-based triggers prevents indefinite use of potentially hijacked or stale sessions. |
| MA-4 | Nonlocal Maintenance | MA | Terminating sessions and network connections upon completion of maintenance prevents insufficient session expiration. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2016-5069 | 7.0 | 9.8 | 0.0134 | 2017-04-10 |
| CVE-2015-5171 | 7.0 | 9.8 | 0.0117 | 2017-10-24 |
| CVE-2016-6545 | 7.0 | 9.8 | 0.0306 | 2018-07-13 |
| CVE-2018-6634 | 7.0 | 9.8 | 0.0146 | 2019-05-07 |
| CVE-2018-21018 | 7.0 | 9.8 | 0.0256 | 2019-09-22 |
| CVE-2016-11014 | 7.0 | 9.8 | 0.0254 | 2019-10-16 |
| CVE-2019-8149 | 7.0 | 9.8 | 0.0214 | 2019-11-06 |
| CVE-2014-2595 | 7.0 | 9.8 | 0.1687 | 2020-02-12 |
| CVE-2020-17474 | 7.0 | 9.8 | 0.0118 | 2020-08-14 |
| CVE-2020-8234 | 7.0 | 9.8 | 0.0341 | 2020-08-21 |
| CVE-2020-27739 | 7.0 | 9.8 | 0.0181 | 2020-10-28 |
| CVE-2020-27422 | 7.0 | 9.8 | 0.0776 | 2020-11-16 |
| CVE-2020-29667 | 7.0 | 9.8 | 0.0319 | 2020-12-10 |
| CVE-2021-3311 | 7.0 | 9.8 | 0.0290 | 2021-02-05 |
| CVE-2020-6649 | 7.0 | 9.8 | 0.0152 | 2021-02-08 |
| CVE-2021-3144 | 7.0 | 9.1 | 0.0520 | 2021-02-27 |
| CVE-2020-35358 | 7.0 | 9.8 | 0.0243 | 2021-03-15 |
| CVE-2021-37333 | 7.0 | 9.8 | 0.0143 | 2021-10-04 |
| CVE-2021-38823 | 7.0 | 9.8 | 0.0146 | 2021-10-04 |
| CVE-2021-40849 | 7.0 | 9.8 | 0.0131 | 2021-11-03 |
| CVE-2021-25979 | 7.0 | 9.8 | 0.0110 | 2021-11-08 |
| CVE-2020-27416 | 7.0 | 9.8 | 0.0159 | 2021-12-08 |
| CVE-2021-25981 | 7.0 | 9.8 | 0.0246 | 2022-01-03 |
| CVE-2021-22820 | 7.0 | 9.8 | 0.0108 | 2022-01-28 |
| CVE-2021-25992 | 7.0 | 9.8 | 0.0157 | 2022-02-10 |