Home/CWE/Protection Mechanism Failure
Weakness

Protection Mechanism Failure

CWE-693 · Pillar · Draft

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Extended description

This weakness covers three distinct situations. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended.

Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Children (more specific)
ParentOfCWE-1039 · Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism
ParentOfCWE-1248 · Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
ParentOfCWE-1253 · Incorrect Selection of Fuse Values
ParentOfCWE-1269 · Product Released in Non-Release Configuration
ParentOfCWE-1278 · Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
ParentOfCWE-1291 · Public Key Re-Use for Signing both Debug and Production Code
ParentOfCWE-1318 · Missing Support for Security Features in On-chip Fabrics or Buses
ParentOfCWE-1319 · Improper Protection against Electromagnetic Fault Injection (EM-FI)
ParentOfCWE-1326 · Missing Immutable Root of Trust in Hardware
ParentOfCWE-1338 · Improper Protections Against Hardware Overheating
ParentOfCWE-184 · Incomplete List of Disallowed Inputs
ParentOfCWE-311 · Missing Encryption of Sensitive Data
ParentOfCWE-326 · Inadequate Encryption Strength
ParentOfCWE-327 · Use of a Broken or Risky Cryptographic Algorithm
ParentOfCWE-330 · Use of Insufficiently Random Values
ParentOfCWE-345 · Insufficient Verification of Data Authenticity
ParentOfCWE-357 · Insufficient UI Warning of Dangerous Operations
ParentOfCWE-358 · Improperly Implemented Security Check for Standard
ParentOfCWE-424 · Improper Protection of Alternate Path
ParentOfCWE-602 · Client-Side Enforcement of Server-Side Security
ParentOfCWE-653 · Improper Isolation or Compartmentalization
ParentOfCWE-654 · Reliance on a Single Factor in a Security Decision
ParentOfCWE-655 · Insufficient Psychological Acceptability
ParentOfCWE-656 · Reliance on Security Through Obscurity
ParentOfCWE-757 · Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
ParentOfCWE-807 · Reliance on Untrusted Inputs in a Security Decision

Attack Patterns (CAPEC)

17
How adversaries exploit this weakness, per MITRE CAPEC.
CAPEC-1Accessing Functionality Not Properly Constrained by ACLs
CAPEC-107Cross Site Tracing
CAPEC-127Directory Indexing
CAPEC-17Using Malicious Files
CAPEC-20Encryption Brute Forcing
CAPEC-22Exploiting Trust in Client
CAPEC-237Escaping a Sandbox by Calling Code in Another Language
CAPEC-36Using Unpublished Interfaces or Functionality
CAPEC-477Signature Spoofing by Mixing Signed and Unsigned Content
CAPEC-480Escaping Virtualization
CAPEC-51Poison Web Service Registry
CAPEC-57Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
CAPEC-59Session Credential Falsification through Prediction
CAPEC-65Sniff Application Code
CAPEC-668Key Negotiation of Bluetooth Attack (KNOB)
CAPEC-74Manipulating State
CAPEC-87Forceful Browsing

CVEs With This Weakness

499
A sample of the 499 CVEs tagged with this weakness.
CVECVE-2026-8585
CVECVE-2026-8583
CVECVE-2026-8572
CVECVE-2026-8571
CVECVE-2026-8568
CVECVE-2026-8563
CVECVE-2026-8401
CVECVE-2026-8018
CVECVE-2026-8014
CVECVE-2026-8011
CVECVE-2026-8009
CVECVE-2026-8004

Nuclei Scanner Templates

2
Open-source Nuclei templates that detect this weakness class - an actionable scan-for-it pivot. Licensed under the ProjectDiscovery / Nuclei terms.
highSolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass
infoMissing Cookie SameSite Strict
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin