CWE-523: Unprotected Transport of Credentials
Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
Last updated
Overview
CWE-523 (Unprotected Transport of Credentials) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
SSL (Secure Socket Layer) provides data confidentiality and integrity to HTTP. By encrypting HTTP messages, SSL protects from attackers eavesdropping or altering message contents.
Real-world CVEs
21 recorded CVEs are caused by CWE-523 (Unprotected Transport of Credentials). The highest-severity and most recent are shown first. 4 new CWE-523 CVEs have been recorded so far in 2026 (7 in 2025).
- CVE-2020-25175Critical · CVSS 9.8 · EPSS 63th2020-12-14
- CVE-2026-8673
Password re-initialization mechanism sends passwords in plain text
Critical · CVSS 9.1 · EPSS 9th2026-05-22 - CVE-2025-57800
Audiobookshelf vulnerable to OIDC token exfiltration and account takeover
High · CVSS 8.8 · EPSS 35th2025-08-22 - CVE-2017-16731High · CVSS 8.8 · EPSS 50th2017-12-20
- CVE-2021-32003High · CVSS 8.0 · EPSS 14th2021-08-05
- CVE-2025-66029
Open OnDemand affected by Apache proxy passing sensitive headers
High · CVSS 7.6 · EPSS 7th2025-12-17 - CVE-2024-1509
Brocade ASCG 3.2.0 web interface does not enforce HSTS, as defined by RFC 6797 for ports 8030 and 8100
High · CVSS 7.6 · EPSS 26th2025-02-28 - CVE-2025-61121High · CVSS 7.5 · EPSS 19th2025-10-30
- CVE-2023-31277High · CVSS 7.5 · EPSS 43th2023-07-06
- CVE-2023-22862High · CVSS 7.5 · EPSS 42th2023-06-04
- CVE-2022-31805High · CVSS 7.5 · EPSS 58th2022-06-24
- CVE-2021-38460
Moxa MXview Network Management Software
High · CVSS 7.5 · EPSS 75th2021-10-12
Showing 12 of 21 recorded CWE-523 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-523 vulnerabilitiesCommon consequences
What can happen when CWE-523 is exploited.
Gain Privileges or Assume Identity
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-523, grouped by where in the lifecycle they apply.
Enforce SSL use for the login page or any page used to transmit user credentials or other sensitive information. Even if the entire site does not use SSL, it MUST use SSL for login. Additionally, to help prevent phishing attacks, make sure that SSL serves the login page. SSL allows the user to verify the identity of the server to which they are connecting. If the SSL serves login page, the user can be certain they are talking to the proper end system. A phishing attack would typically redirect a user to a site that does not have a valid trusted server certificate issued from an authorized supplier.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Terminology & mappings
Mapped taxonomies
- Software Fault Patterns: Exposed Data (SFP23)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-523.
- What is CWE-523?
- Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
- What CVEs are caused by CWE-523?
- 21 recorded CVEs are attributed to CWE-523, including CVE-2020-25175, CVE-2026-8673, CVE-2025-57800.
- How do you prevent CWE-523?
- Enforce SSL use for the login page or any page used to transmit user credentials or other sensitive information. Even if the entire site does not use SSL, it MUST use SSL for login. Additionally, to help prevent phishing attacks, make sure that SSL serves the login page. SSL allows the user to verify the identity of the server to which they are connecting. If the SSL serves login page, the user can be certain they are talking to the proper end system. A phishing attack would typically redirect a user to a site that does not have a valid trusted server certificate issued from an authorized supplier.
- How is CWE-523 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-523?
- Exploiting CWE-523 can lead to: Gain Privileges or Assume Identity.
- Is CWE-523 actively exploited?
- 21 recorded CVEs are caused by CWE-523; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-523) (opens in a new tab)
- CWE-523 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-523
Get alerted the moment a new CWE-523 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.