Cyber Resilience

CWE · MITRE source

CWE-613: Insufficient Session Expiration

Abstraction: Base · CVEs in our corpus: 549

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 5 mapping(s) from 2 framework(s): ATT&CK 4 (partial) · OWASP-Web 1 (full)


OWASP Top 10 for Web (2025)

This weakness contributes to A07:2025 Authentication Failures.

NIST 800-53 r5 controls that address this weakness (8) · AI

Control · Title · Family · Why it addresses this CWE
AC-11 · Device Lock · AC · Locks the device (typically after inactivity) until re-authentication, addressing insufficient session expiration by preventing indefinite access.
AC-12 · Session Termination · AC · Automatically terminating sessions after a defined period directly enforces session expiration, preventing indefinite session lifetimes that attackers can exploit.
SC-10 · Network Disconnect · SC · Directly enforces termination of network sessions after inactivity or end-of-session, preventing indefinite session lifetime.
SC-45 · System Time Synchronization · SC · Consistent clocks across systems allow session expiration and timeout enforcement to function as intended in distributed environments.
SI-14 · Non-persistence · SI · When the non-persistent artifact is a session or connection, mandatory termination implements the missing expiration that CWE-613 describes.
SI-21 · Information Refresh · SI · Timed refresh of session-related information, or on-demand generation plus deletion, implements proper session expiration.
IA-11 · Re-authentication · IA · Re-authentication after inactivity or time-based triggers prevents indefinite use of potentially hijacked or stale sessions.
MA-4 · Nonlocal Maintenance · MA · Terminating sessions and network connections upon completion prevents insufficient session expiration.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE · Risk · CVSS · EPSS · Published
CVE-2016-5069 · 7.0 · 9.8 · 0.0134 · 2017-04-10
CVE-2015-5171 · 7.0 · 9.8 · 0.0117 · 2017-10-24
CVE-2016-6545 · 7.0 · 9.8 · 0.0306 · 2018-07-13
CVE-2018-6634 · 7.0 · 9.8 · 0.0146 · 2019-05-07
CVE-2018-21018 · 7.0 · 9.8 · 0.0256 · 2019-09-22
CVE-2016-11014 · 7.0 · 9.8 · 0.0254 · 2019-10-16
CVE-2019-8149 · 7.0 · 9.8 · 0.0214 · 2019-11-06
CVE-2014-2595 · 7.0 · 9.8 · 0.1687 · 2020-02-12
CVE-2020-17474 · 7.0 · 9.8 · 0.0118 · 2020-08-14
CVE-2020-8234 · 7.0 · 9.8 · 0.0341 · 2020-08-21
CVE-2020-27739 · 7.0 · 9.8 · 0.0181 · 2020-10-28
CVE-2020-27422 · 7.0 · 9.8 · 0.0776 · 2020-11-16
CVE-2020-29667 · 7.0 · 9.8 · 0.0319 · 2020-12-10
CVE-2021-3311 · 7.0 · 9.8 · 0.0290 · 2021-02-05
CVE-2020-6649 · 7.0 · 9.8 · 0.0152 · 2021-02-08
CVE-2021-3144 · 7.0 · 9.1 · 0.0520 · 2021-02-27
CVE-2020-35358 · 7.0 · 9.8 · 0.0243 · 2021-03-15
CVE-2021-37333 · 7.0 · 9.8 · 0.0143 · 2021-10-04
CVE-2021-38823 · 7.0 · 9.8 · 0.0146 · 2021-10-04
CVE-2021-40849 · 7.0 · 9.8 · 0.0131 · 2021-11-03
CVE-2021-25979 · 7.0 · 9.8 · 0.0110 · 2021-11-08
CVE-2020-27416 · 7.0 · 9.8 · 0.0159 · 2021-12-08
CVE-2021-25981 · 7.0 · 9.8 · 0.0246 · 2022-01-03
CVE-2021-22820 · 7.0 · 9.8 · 0.0108 · 2022-01-28
CVE-2021-25992 · 7.0 · 9.8 · 0.0157 · 2022-02-10