Cyber Resilience

CWE · MITRE source

CWE-703: Improper Check or Handling of Exceptional Conditions

Abstraction: Pillar · CVEs in our corpus: 150

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 7 mapping(s) from 2 framework(s): ATT&CK 6 (mostly) · OWASP-Web 1 (full)


OWASP Top 10 for Web (2025)

This weakness contributes to A10:2025 Mishandling of Exceptional Conditions.

NIST 800-53 r5 controls that address this weakness (17) · AI

Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CP-12 | Safe Mode | CP | Provides a defined response to detected conditions by restricting operation, ensuring exceptional conditions are handled rather than ignored or mishandled. |
| CP-3 | Contingency Training | CP | Contingency training equips users with defined procedures to check and respond to exceptional conditions during disruptions, reducing exploitation of mishandled errors. |
| CP-4 | Contingency Plan Testing | CP | Testing verifies the system's ability to detect, handle, and recover from exceptional conditions as part of the plan, reducing exploitability of improper exception handling. |
| IR-1 | Policy and Procedures | IR | Policy defines checks and handling for exceptional conditions arising from security incidents. |
| IR-3 | Incident Response Testing | IR | Performing IR tests ensures exceptional conditions are properly checked and handled to enable effective response. |
| IR-4 | Incident Handling | IR | Incident handling capability directly provides structured checking and response actions for security incidents as exceptional conditions. |
| SA-11 | Developer Testing and Evaluation | SA | Testing and evaluation exercises error paths and exceptional conditions, surfacing improper handling that is then remediated through the defined process. |
| SA-15 | Development Process, Standards, and Tools | SA | Standards and tools mandated by the process include proper handling of exceptional conditions that would otherwise be omitted. |
| SA-24 | Design for Cyber Resiliency | SA | Cyber resiliency objectives explicitly include graceful handling of adverse conditions and exceptional states, reducing improper exception handling. |
| SI-13 | Predictable Failure Prevention | SI | Requires systematic prediction and handling of failure conditions, reducing the impact of unhandled exceptional states. |
| SI-17 | Fail-safe Procedures | SI | Requires explicit, safe handling actions for specified exceptional conditions rather than allowing unchecked propagation or default unsafe behavior. |
| SI-6 | Security and Privacy Function Verification | SI | The required verification process supplies the missing checks for exceptional conditions affecting security functions. |
| AU-5 | Response to Audit Logging Process Failures | AU | Implements explicit check and handling for the exceptional condition of audit logging process failure. |
| CA-7 | Continuous Monitoring | CA | Establishing and monitoring system metrics with correlation and response actions helps identify and address improper handling of exceptional conditions. |
| SC-24 | Fail in Known State | SC | Mandates explicit, predictable handling of exceptional conditions rather than undefined continuation. |

Broadly applicable controls (2)

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CP-5 | Contingency Plan Update | CP | Regular updates keep contingency procedures aligned with system changes, providing structured handling for exceptional conditions that would otherwise allow unmitigated exploitation. |
| IR-7 | Incident Response Assistance | IR | Supplies advice and assistance on handling incidents, improving checks and responses to exceptional conditions. |

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction legend: "other covers this" or "this covers other"; F/M/P = full / mostly / partial.

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Flags | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|---|
| CVE-2021-25370 | KEV | 10.0 | 6.1 | 0.0089 | 2021-03-26 |
| CVE-2021-25372 | KEV | 10.0 | 6.1 | 0.0085 | 2021-03-26 |
| CVE-2022-22265 | KEV | 10.0 | 5.0 | 0.0039 | 2022-01-10 |
| CVE-2021-23859 | | 7.0 | 9.1 | 0.0097 | 2021-12-08 |
| CVE-2023-0397 | | 7.0 | 9.6 | 0.0047 | 2023-01-19 |
| CVE-2021-3329 | | 7.0 | 9.6 | 0.0062 | 2023-02-26 |
| CVE-2023-45927 | | 7.0 | 9.1 | 0.0084 | 2024-03-27 |
| CVE-2024-21894 | UPD | 7.0 | 9.8 | 0.1899 | 2024-04-04 |
| CVE-2024-39815 | | 7.0 | 9.1 | 0.0077 | 2024-08-12 |
| CVE-2025-13021 | | 7.0 | 9.8 | 0.0032 | 2025-11-11 |
| CVE-2025-13022 | | 7.0 | 9.8 | 0.0032 | 2025-11-11 |
| CVE-2025-13023 | | 7.0 | 9.8 | 0.0032 | 2025-11-11 |
| CVE-2025-13026 | | 7.0 | 9.8 | 0.0032 | 2025-11-11 |
| CVE-2018-5463 | | 5.5 | 7.8 | 0.0043 | 2018-04-09 |
| CVE-2017-16014 | | 5.5 | 7.5 | 0.0169 | 2018-06-04 |
| CVE-2018-12551 | | 5.5 | 8.1 | 0.0147 | 2019-03-27 |
| CVE-2019-5031 | | 5.5 | 8.8 | 0.0604 | 2019-10-02 |
| CVE-2020-1639 | | 5.5 | 7.5 | 0.0109 | 2020-04-08 |
| CVE-2020-1644 | | 5.5 | 7.5 | 0.0128 | 2020-07-17 |
| CVE-2020-2075 | | 5.5 | 7.5 | 0.0143 | 2020-08-31 |
| CVE-2021-0240 | | 5.5 | 7.4 | 0.0040 | 2021-04-22 |
| CVE-2021-0241 | | 5.5 | 7.4 | 0.0040 | 2021-04-22 |
| CVE-2021-0286 | | 5.5 | 7.5 | 0.0106 | 2021-07-15 |
| CVE-2022-0016 | | 5.5 | 7.4 | 0.0021 | 2022-02-10 |
| CVE-2022-25252 | | 5.5 | 7.5 | 0.0151 | 2022-03-16 |