CWE · MITRE source
CWE-703: Improper Check or Handling of Exceptional Conditions
The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 7 mapping(s) from 2 framework(s): ATT&CK 6 (mostly) · OWASP-Web 1 (full)
OWASP Top 10 for Web (2025)
This weakness contributes to A10:2025 Mishandling of Exceptional Conditions.
NIST 800-53 r5 controls that address this weakness (17) [AI]
Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CP-12 | Safe Mode | CP | Provides a defined response to detected conditions by restricting operation, ensuring exceptional conditions are handled rather than ignored or mishandled. |
| CP-3 | Contingency Training | CP | Contingency training equips users with defined procedures to check and respond to exceptional conditions during disruptions, reducing exploitation of mishandled errors. |
| CP-4 | Contingency Plan Testing | CP | Testing verifies the system's ability to detect, handle, and recover from exceptional conditions as part of the plan, reducing exploitability of improper exception handling. |
| IR-1 | Policy and Procedures | IR | Policy defines checks and handling for exceptional conditions arising from security incidents. |
| IR-3 | Incident Response Testing | IR | Performing IR tests ensures exceptional conditions are properly checked and handled to enable effective response. |
| IR-4 | Incident Handling | IR | Incident handling capability directly provides structured checking and response actions for security incidents as exceptional conditions. |
| SA-11 | Developer Testing and Evaluation | SA | Testing and evaluation exercises error paths and exceptional conditions, surfacing improper handling that is then remediated through the defined process. |
| SA-15 | Development Process, Standards, and Tools | SA | Standards and tools mandated by the process include proper handling of exceptional conditions that would otherwise be omitted. |
| SA-24 | Design for Cyber Resiliency | SA | Cyber resiliency objectives explicitly include graceful handling of adverse conditions and exceptional states, reducing improper exception handling. |
| SI-13 | Predictable Failure Prevention | SI | Requires systematic prediction and handling of failure conditions, reducing the impact of unhandled exceptional states. |
| SI-17 | Fail-safe Procedures | SI | Requires explicit, safe handling actions for specified exceptional conditions rather than allowing unchecked propagation or default unsafe behavior. |
| SI-6 | Security and Privacy Function Verification | SI | The required verification process supplies the missing checks for exceptional conditions affecting security functions. |
| AU-5 | Response to Audit Logging Process Failures | AU | Implements an explicit check and handling for the exceptional condition of audit logging process failure. |
| CA-7 | Continuous Monitoring | CA | Establishing and monitoring system metrics with correlation and response actions helps identify and address improper handling of exceptional conditions. |
| SC-24 | Fail in Known State | SC | Mandates explicit, predictable handling of exceptional conditions rather than undefined continuation. |

Broadly applicable controls (2):

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CP-5 | Contingency Plan Update | CP | Regular updates keep contingency procedures aligned with system changes, providing structured handling for exceptional conditions that would otherwise allow unmitigated exploitation. |
| IR-7 | Incident Response Assistance | IR | Supplies advice and assistance on handling incidents, improving checks and responses to exceptional conditions. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-25370 (KEV) | 10.0 | 6.1 | 0.0089 | 2021-03-26 |
| CVE-2021-25372 (KEV) | 10.0 | 6.1 | 0.0085 | 2021-03-26 |
| CVE-2022-22265 (KEV) | 10.0 | 5.0 | 0.0039 | 2022-01-10 |
| CVE-2021-23859 | 7.0 | 9.1 | 0.0097 | 2021-12-08 |
| CVE-2023-0397 | 7.0 | 9.6 | 0.0047 | 2023-01-19 |
| CVE-2021-3329 | 7.0 | 9.6 | 0.0062 | 2023-02-26 |
| CVE-2023-45927 | 7.0 | 9.1 | 0.0084 | 2024-03-27 |
| CVE-2024-21894 (UPD) | 7.0 | 9.8 | 0.1899 | 2024-04-04 |
| CVE-2024-39815 | 7.0 | 9.1 | 0.0077 | 2024-08-12 |
| CVE-2025-13021 | 7.0 | 9.8 | 0.0032 | 2025-11-11 |
| CVE-2025-13022 | 7.0 | 9.8 | 0.0032 | 2025-11-11 |
| CVE-2025-13023 | 7.0 | 9.8 | 0.0032 | 2025-11-11 |
| CVE-2025-13026 | 7.0 | 9.8 | 0.0032 | 2025-11-11 |
| CVE-2018-5463 | 5.5 | 7.8 | 0.0043 | 2018-04-09 |
| CVE-2017-16014 | 5.5 | 7.5 | 0.0169 | 2018-06-04 |
| CVE-2018-12551 | 5.5 | 8.1 | 0.0147 | 2019-03-27 |
| CVE-2019-5031 | 5.5 | 8.8 | 0.0604 | 2019-10-02 |
| CVE-2020-1639 | 5.5 | 7.5 | 0.0109 | 2020-04-08 |
| CVE-2020-1644 | 5.5 | 7.5 | 0.0128 | 2020-07-17 |
| CVE-2020-2075 | 5.5 | 7.5 | 0.0143 | 2020-08-31 |
| CVE-2021-0240 | 5.5 | 7.4 | 0.0040 | 2021-04-22 |
| CVE-2021-0241 | 5.5 | 7.4 | 0.0040 | 2021-04-22 |
| CVE-2021-0286 | 5.5 | 7.5 | 0.0106 | 2021-07-15 |
| CVE-2022-0016 | 5.5 | 7.4 | 0.0021 | 2022-02-10 |
| CVE-2022-25252 | 5.5 | 7.5 | 0.0151 | 2022-03-16 |