CWE · MITRE source
CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Attackers might be able to spoof the intended endpoint from a different system or process, thus gaining the same level of access as the intended endpoint. While this issue frequently involves authentication between network-based clients and servers, other types of communication channels and endpoints can have this weakness.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 18 mapping(s) from 6 framework(s): ATT&CK 6 (full) · CAPEC 4 (partial) · ASVS 5.0 3 (mostly) · STIG oracle linux 8 2 (mostly) · STIG rhel 8 2 (mostly) · STIG rhel 7 1 (partial)
NIST 800-53 r5 controls that address this weakness (12) · AI
Showing the 7 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-11 | Trusted Path | SC | Mandates restriction of the channel for authentication to only the intended trusted endpoints, blocking unauthorized communication paths. |
| SC-19 | Voice Over Internet Protocol | SC | Explicit control of VoIP traffic forces organizations to restrict communication channels to only intended endpoints and protocols. |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | SC | Explicit internal/external separation restricts name-resolution channels to their intended communication endpoints. |
| AC-18 | Wireless Access | AC | Authorizing wireless access restricts the wireless communication channel to only intended endpoints. |
| CA-3 | Information Exchange | CA | Approving specific exchanges and documenting interface characteristics restricts communication channels to only intended endpoints and systems. |
| PE-4 | Access Control for Transmission | PE | Limits physical connectivity to transmission channels, supporting restriction of communication paths to only intended endpoints. |
| SA-9 | External System Services | SA | Requiring providers to meet communication-channel restrictions and monitoring adherence reduces improper restriction of channels to intended endpoints. |

Broadly-applicable controls (5 more):

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-40 | Wireless Link Protection | SC | Enforces that the wireless communication channel is usable only by intended endpoints, addressing improper channel restriction. |
| SC-41 | Port and I/O Device Access | SC | Restricts communication channels to only intended endpoints by eliminating unnecessary ports and devices. |
| SC-46 | Cross Domain Policy Enforcement | SC | Policy enforcement restricts communication channels to only the intended endpoints and protocols between security domains. |
| SC-47 | Alternate Communications Paths | SC | Dedicated alternate paths enable explicit restriction of C2 traffic to intended endpoints rather than relying on a single unrestricted channel. |
| SC-7 | Boundary Protection | SC | The control explicitly requires that all external connections use managed boundary devices that restrict channels to intended endpoints. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2017-3891 | 7.0 | 9.6 | 0.0128 | 2017-11-14 |
| CVE-2019-17440 | 7.0 | 10.0 | 0.0168 | 2019-12-20 |
| CVE-2023-28078 | 7.0 | 9.1 | 0.0068 | 2024-02-15 |
| CVE-2024-41889 | 7.0 | 9.8 | 0.0064 | 2024-08-05 |
| CVE-2025-46566 (UPD) | 7.0 | 9.8 | 0.0059 | 2025-05-01 |
| CVE-2026-34205 | 7.0 | 9.6 | 0.0026 | 2026-03-27 |
| CVE-2018-10596 | 5.5 | 7.1 | 0.0132 | 2018-07-03 |
| CVE-2021-38487 | 5.5 | 8.2 | 0.0333 | 2022-05-05 |
| CVE-2023-28971 | 5.5 | 7.2 | 0.0038 | 2023-04-17 |
| CVE-2023-25518 | 5.5 | 7.1 | 0.0027 | 2023-06-23 |
| CVE-2024-26131 (UPD) | 5.5 | 8.4 | 0.0047 | 2024-02-29 |
| CVE-2024-34446 | 5.5 | 7.5 | 0.0060 | 2024-05-03 |
| CVE-2024-24974 | 5.5 | 7.5 | 0.0976 | 2024-07-08 |
| CVE-2024-6222 | 5.5 | 7.0 | 0.0056 | 2024-07-09 |
| CVE-2024-47125 | 5.5 | 8.1 | 0.0014 | 2024-09-26 |
| CVE-2024-47490 | 5.5 | 8.2 | 0.0056 | 2024-10-11 |
| CVE-2025-29986 | 5.5 | 8.3 | 0.0026 | 2025-04-08 |
| CVE-2024-26013 | 5.5 | 7.5 | 0.0046 | 2025-04-08 |
| CVE-2025-23178 (UPD) | 5.5 | 7.6 | 0.0022 | 2025-04-29 |
| CVE-2025-48999 (UPD) | 5.5 | 8.8 | 0.0628 | 2025-06-03 |
| CVE-2025-20261 (UPD) | 5.5 | 8.8 | 0.0039 | 2025-06-04 |
| CVE-2025-35978 (UPD) | 5.5 | 7.1 | 0.0011 | 2025-06-12 |
| CVE-2025-49734 | 5.5 | 7.0 | 0.0030 | 2025-09-09 |
| CVE-2025-61939 | 5.5 | 8.8 | 0.0024 | 2026-01-07 |
| CVE-2026-23664 | 5.5 | 7.5 | 0.0100 | 2026-03-10 |