CWE-299: Improper Check for Certificate Revocation
The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.
Last updated
Overview
An improper check for certificate revocation is a far more serious flaw than related certificate failures. This is because the use of any revoked certificate is almost certainly malicious. The most common reason for certificate revocation is compromise of the system in question, with the result that no legitimate servers will be using a revoked certificate, unless they are sorely out of sync.
Real-world CVEs
10 recorded CVEs are caused by CWE-299 (Improper Check for Certificate Revocation). The highest-severity and most recent are shown first. 3 new CWE-299 CVEs have been recorded so far in 2026 (4 in 2025).
- CVE-2025-3085
MongoDB Server running on Linux may allow unexpected connections where intermediate certificates are revoked
Critical · CVSS 9.8 · EPSS 18th2025-04-01 - CVE-2026-4428
CRL Distribution Point Scope Check Logic Error in AWS-LC
Critical · CVSS 9.1 · EPSS 17th2026-03-19 - CVE-2020-1675High · CVSS 8.3 · EPSS 44th2020-10-16
- CVE-2026-9636
Rockwell Automation CompactLogix® 5380 ControlLogix® 5580 / 1756-EN4 Communications Module – Certificate Revocation List Vulnerability
High · CVSS 8.2 · EPSS 4th2026-07-14 - CVE-2025-11955
Incorrect validation of OCSP certificates in TheGreenBow VPN Client Windows Enterprise
High · CVSS 8.2 · EPSS 17th2025-10-27 - CVE-2023-23690High · CVSS 7.0 · EPSS 16th2023-01-19
- CVE-2020-16228Medium · CVSS 6.4 · EPSS 29th2020-09-11
- CVE-2026-6899
Improper Check for Certificate Revocation in S2OPC
Medium · CVSS 5.6 · EPSS 1th2026-06-09 - CVE-2025-36057
IBM Cognos Analytics Mobile (iOS) authentication bypass
Medium · CVSS 5.2 · EPSS 8th2025-07-21 - CVE-2024-56138Medium · CVSS 4.0 · EPSS 3th2025-01-13
Common consequences
What can happen when CWE-299 is exploited.
Gain Privileges or Assume Identity
Affects: Access Control
Trust may be assigned to an entity who is not who it claims to be.
Other
Affects: Integrity, Other
Data from an untrusted (and possibly malicious) source may be integrated.
Read Application Data
Affects: Confidentiality
Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-299, grouped by where in the lifecycle they apply.
Ensure that certificates are checked for revoked status.
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the revoked status.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following OpenSSL code ensures that there is a certificate before continuing execution.
Vulnerable example
if (cert = SSL_get_peer_certificate(ssl)) {Because this code does not use SSL_get_verify_results() to check the certificate, it could accept certificates that have been revoked (X509_V_ERR_CERT_REVOKED). The product could be communicating with a malicious host.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2011-2014 — LDAP-over-SSL implementation does not check Certificate Revocation List (CRL), allowing spoofing using a revoked certificate.
- CVE-2011-0199 — Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate.
- CVE-2010-5185 — Antivirus product does not check whether certificates from signed executables have been revoked.
- CVE-2009-3046 — Web browser does not check if any intermediate certificates are revoked.
- CVE-2009-0161 — chain: Ruby module for OCSP misinterprets a response, preventing detection of a revoked certificate.
- CVE-2011-2701 — chain: incorrect parsing of replies from OCSP responders allows bypass using a revoked certificate.
- CVE-2011-0935 — Router can permanently cache certain public keys, which would allow bypass if the certificate is later revoked.
- CVE-2009-1358 — chain: OS package manager does not properly check the return value, allowing bypass using a revoked certificate.
- CVE-2009-0642 — chain: language interpreter does not properly check the return value from an OSCP function, allowing bypass using a revoked certificate.
- CVE-2008-4679 — chain: web service component does not call the expected method, which prevents a check for revoked certificates.
- CVE-2006-4410 — Certificate revocation list not searched for certain certificates.
- CVE-2006-4409 — Product cannot access certificate revocation list when an HTTP proxy is being used.
Terminology & mappings
Mapped taxonomies
- CLASP: Failure to check for certificate revocation
Frequently asked questions
Common questions about CWE-299.
- What is CWE-299?
- The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.
- What CVEs are caused by CWE-299?
- 10 recorded CVEs are attributed to CWE-299, including CVE-2025-3085, CVE-2026-4428, CVE-2020-1675.
- How do you prevent CWE-299?
- Ensure that certificates are checked for revoked status.
- How is CWE-299 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-299?
- Exploiting CWE-299 can lead to: Gain Privileges or Assume Identity, Other, Read Application Data.
- Is CWE-299 actively exploited?
- 10 recorded CVEs are caused by CWE-299; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-299) (opens in a new tab)
- CWE-299 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-299
Get alerted the moment a new CWE-299 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.