Base weakness

Incomplete

CWE-294: Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Last updated May 1, 2026

139

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

High

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

Capture-replay attacks are common and can be difficult to defeat without cryptography. They are a subset of network injection attacks that rely on observing previously-sent valid commands, then changing them slightly if necessary and resending the same commands to the server.

Real-world CVEs

139 recorded CVEs are caused by CWE-294 (Authentication Bypass by Capture-replay). The highest-severity and most recent are shown first. 22 new CWE-294 CVEs have been recorded so far in 2026 (23 in 2025).

CVE-2025-65552

Critical · CVSS 9.8 · EPSS 32th

2026-01-12

CVE-2024-38438

Critical · CVSS 9.8 · EPSS 47th

2024-07-21

CVE-2023-47435

Critical · CVSS 9.8 · EPSS 45th

2024-04-19

CVE-2023-49231

Critical · CVSS 9.8 · EPSS 99th

2024-03-29

CVE-2023-30909

Critical · CVSS 9.8 · EPSS 60th

2023-09-14

CVE-2022-44457

Critical · CVSS 9.8 · EPSS 48th

2022-11-08

CVE-2018-7790

Critical · CVSS 9.8 · EPSS 82th

2018-08-29

CVE-2017-6034

Schneider Electric Modicon Modbus Protocol Authentication Bypass by Capture-replay

Critical · CVSS 9.8 · EPSS 91th

2017-06-30

CVE-2026-30789

RustDesk Client Generates Auth Proof Without Client-Side Nonce, Enabling Replay Attacks

Critical · CVSS 9.3 · EPSS 33th

2026-03-05

Showing 12 of 139 recorded CWE-294 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-294 vulnerabilities

Common consequences

What can happen when CWE-294 is exploited.

Gain Privileges or Assume Identity

Affects: Access Control

Messages sent with a capture-relay attack allow access to resources which are not otherwise accessible without proper authentication.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

How to prevent it

Practical mitigations for CWE-294, grouped by where in the lifecycle they apply.

Architecture and Design

Utilize some sequence or time stamping functionality along with a checksum which takes this into account in order to ensure that messages can be parsed only once.

Architecture and Design

Since any attacker who can listen to traffic can see sequence numbers, it is necessary to sign messages with some kind of cryptography to ensure that sequence numbers are not simply doctored along with content.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2005-3435 — product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.
CVE-2007-4961 — Chain: cleartext transmission of the MD5 hash of password (CWE-319) enables attacks against a server that is susceptible to replay (CWE-294).

Terminology & mappings

Mapped taxonomies

PLOVER: Authentication bypass by replay
CLASP: Capture-replay

Attack patterns

CAPEC attack patterns that exploit this weakness.

Frequently asked questions

Common questions about CWE-294.

What is CWE-294?

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

What CVEs are caused by CWE-294?

139 recorded CVEs are attributed to CWE-294, including CVE-2025-49752, CVE-2026-32987, CVE-2025-67135.

How do you prevent CWE-294?

Utilize some sequence or time stamping functionality along with a checksum which takes this into account in order to ensure that messages can be parsed only once.

What are the consequences of CWE-294?

Exploiting CWE-294 can lead to: Gain Privileges or Assume Identity.

Is CWE-294 actively exploited?

139 recorded CVEs are caused by CWE-294; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-294

Get alerted the moment a new CWE-294 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-294?

What CVEs are caused by CWE-294?

How do you prevent CWE-294?

What are the consequences of CWE-294?

Is CWE-294 actively exploited?

References

Stay ahead of CWE-294