CWE · MITRE source
CWE-755: Improper Handling of Exceptional Conditions
The product does not handle or incorrectly handles an exceptional condition.
Last updated: 04 July 2026 08:17 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 3 mapping(s) from 2 framework(s): ATT&CK 2 (partial) · OWASP-Web 1 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A10:2025 Mishandling of Exceptional Conditions.
NIST 800-53 r5 controls that address this weakness (10) · AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CP-12 | Safe Mode | CP | Supplies a concrete handling action (safe mode) for exceptional conditions, mitigating risks from improper or absent handling that could allow continued attacks. |
| CP-3 | Contingency Training | CP | By preparing users for contingency scenarios, the control promotes proper handling of exceptional conditions instead of default or unsafe behaviors. |
| CP-5 | Contingency Plan Update | CP | An updated contingency plan defines current actions for exceptional conditions, reducing the window for attackers to exploit improper handling leading to system failure. |
| IR-1 | Policy and Procedures | IR | Procedures ensure proper handling of exceptional conditions to support effective incident response. |
| IR-3 | Incident Response Testing | IR | Incident response testing confirms proper handling of exceptional conditions to limit exploit impact. |
| IR-7 | Incident Response Assistance | IR | Gives users guidance on incident handling, reducing improper handling of exceptional conditions that could stem from exploited weaknesses. |
| SI-13 | Predictable Failure Prevention | SI | Prepared component exchange provides a defined recovery path, making improper handling of failures less exploitable. |
| SI-17 | Fail-safe Procedures | SI | Mandates defined procedures that ensure exceptional conditions are handled in a controlled, secure manner instead of being ignored or mishandled. |
| AU-5 | Response to Audit Logging Process Failures | AU | Provides defined handling (alert and additional actions) for the exceptional condition of audit logging failure. |
| SC-24 | Fail in Known State | SC | Enforces structured response to exceptional conditions so the system cannot remain in an unsafe state. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2017-5638 KEV | 10.0 | 9.8 | 1.0000 | 2017-03-11 |
| CVE-2018-0155 KEV | 10.0 | 8.6 | 0.0775 | 2018-03-28 |
| CVE-2020-7247 KEV | 10.0 | 9.8 | 0.9895 | 2020-01-29 |
| CVE-2021-38003 KEV | 10.0 | 8.8 | 0.3624 | 2021-11-23 |
| CVE-2024-29748 KEV UPD | 10.0 | 7.8 | 0.0068 | 2024-04-05 |
| CVE-2018-0934 | 8.0 | 7.5 | 0.6647 | 2018-03-14 |
| CVE-2019-12815 | 8.0 | 9.8 | 0.5761 | 2019-07-19 |
| CVE-2019-14287 | 8.0 | 8.8 | 0.6392 | 2019-10-17 |
| CVE-2021-28165 | 8.0 | 7.5 | 0.5386 | 2021-04-01 |
| CVE-2023-36933 | 8.0 | 7.5 | 0.7224 | 2023-07-05 |
| CVE-2017-2877 | 7.0 | 9.8 | 0.0190 | 2018-09-19 |
| CVE-2018-19991 | 7.0 | 9.8 | 0.0233 | 2018-12-10 |
| CVE-2019-6256 | 7.0 | 9.8 | 0.0241 | 2019-01-14 |
| CVE-2019-14431 | 7.0 | 9.8 | 0.0363 | 2019-07-29 |
| CVE-2019-17195 | 7.0 | 9.8 | 0.1103 | 2019-10-15 |
| CVE-2009-5043 | 7.0 | 9.8 | 0.0123 | 2019-10-31 |
| CVE-2020-11012 | 7.0 | 9.3 | 0.0210 | 2020-04-23 |
| CVE-2020-24753 | 7.0 | 9.8 | 0.0264 | 2020-09-17 |
| CVE-2020-13859 | 7.0 | 9.8 | 0.0118 | 2021-02-01 |
| CVE-2021-36128 | 7.0 | 9.8 | 0.0150 | 2021-07-02 |
| CVE-2021-38384 | 7.0 | 9.8 | 0.0146 | 2021-08-10 |
| CVE-2021-43272 | 7.0 | 9.8 | 0.0352 | 2021-11-14 |
| CVE-2021-40391 | 7.0 | 9.8 | 0.0292 | 2021-11-19 |
| CVE-2021-23859 | 7.0 | 9.1 | 0.0097 | 2021-12-08 |
| CVE-2022-31799 | 7.0 | 9.8 | 0.0187 | 2022-06-02 |