NIST 800-53 r5 · Controls catalogue · Family RA
RA-5Vulnerability Monitoring and Scanning
Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported; Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; Formatting checklists and test procedures; and Measuring vulnerability impact; Analyze vulnerability scan reports and results from vulnerability monitoring; Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk; Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (107)
- T1011.001 Exfiltration Over Bluetooth Exfiltration
- T1021.001 Remote Desktop Protocol Lateral Movement
- T1021.003 Distributed Component Object Model Lateral Movement
- T1021.004 SSH Lateral Movement
- T1021.005 VNC Lateral Movement
- T1021.006 Windows Remote Management Lateral Movement
- T1046 Network Service Discovery Discovery
- T1047 Windows Management Instrumentation Execution
- T1052 Exfiltration Over Physical Medium Exfiltration
- T1052.001 Exfiltration over USB Exfiltration
- T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
- T1053.002 At Execution, Persistence, Privilege Escalation
- T1053.003 Cron Execution, Persistence, Privilege Escalation
- T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
- T1059 Command and Scripting Interpreter Execution
- T1059.001 PowerShell Execution
- T1059.005 Visual Basic Execution
- T1059.007 JavaScript Execution
- T1068 Exploitation for Privilege Escalation Privilege Escalation
- T1078 Valid Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1091 Replication Through Removable Media Lateral Movement, Initial Access
- T1092 Communication Through Removable Media Command And Control
- T1098.004 SSH Authorized Keys Persistence, Privilege Escalation
- T1127 Trusted Developer Utilities Proxy Execution Stealth, Execution
- T1127.001 MSBuild Stealth, Execution
- T1127.002 ClickOnce Stealth, Execution
- T1133 External Remote Services Persistence, Initial Access
- T1137 Office Application Startup Persistence
- T1137.001 Office Template Macros Persistence
- T1176 Software Extensions Persistence
- T1190 Exploit Public-Facing Application Initial Access
- T1195 Supply Chain Compromise Initial Access
- T1195.001 Compromise Software Dependencies and Development Tools Initial Access
- T1195.002 Compromise Software Supply Chain Initial Access
- T1204.003 Malicious Image Execution
- T1210 Exploitation of Remote Services Lateral Movement
- T1211 Exploitation for Stealth Stealth
- T1212 Exploitation for Credential Access Credential Access
- T1213 Data from Information Repositories Collection
- T1213.001 Confluence Collection
- T1213.002 Sharepoint Collection
- T1213.003 Code Repositories Collection
- T1213.005 Messaging Applications Collection
- T1218 System Binary Proxy Execution Stealth
- T1218.003 CMSTP Stealth
- T1218.004 InstallUtil Stealth
- T1218.005 Mshta Stealth
- T1218.008 Odbcconf Stealth
- T1218.009 Regsvcs/Regasm Stealth
- T1218.012 Verclsid Stealth
Weaknesses this control addresses (9)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,905 | Scans identify improper access control implementations and missing protections on system resources. |
CWE-306 | Missing Authentication for Critical Function | 2,600 | Tools routinely check for missing authentication on critical functions and exposed interfaces. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,837 | Permission and ACL misconfigurations on critical resources are standard findings in automated scans. |
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | 739 | Scanners flag use of broken or weak cryptographic algorithms via known-vulnerability databases. |
CWE-311 | Missing Encryption of Sensitive Data | 552 | Monitoring detects missing encryption of sensitive data in storage or transit configurations. |
CWE-1188 | Initialization of a Resource with an Insecure Default | 309 | Scans detect resources initialized with insecure defaults that create exploitable conditions. |
CWE-521 | Weak Password Requirements | 303 | Vulnerability scans assess password policies and weak credential requirements against benchmarks. |
CWE-15 | External Control of System or Configuration Setting | 60 | Vulnerability scanners directly detect externally controllable or misconfigured settings using standardized checklists. |
CWE-1104 | Use of Unmaintained Third Party Components | 20 | Regular scanning with updatable vulnerability feeds directly identifies unmaintained third-party components. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-2746 KEV | 9.3 | 9.8 | 0.8973 | good |
CVE-2025-37164 KEV | 8.5 | 10.0 | 0.7528 | good |
CVE-2025-9242 KEV | 8.4 | 9.8 | 0.7349 | partial |
CVE-2025-27363 KEV UPD | 7.8 | 8.1 | 0.7034 | good |
CVE-2025-71243 | 7.1 | 9.8 | 0.8541 | partial |
CVE-2025-26399 KEV | 5.6 | 9.8 | 0.2675 | good |
CVE-2026-2441 KEV | 5.1 | 8.8 | 0.2313 | partial |
CVE-2025-53521 KEV | 4.4 | 9.8 | 0.0745 | good |
CVE-2025-10585 KEV | 4.0 | 9.8 | 0.0070 | partial |
CVE-2025-21042 KEV | 4.0 | 8.8 | 0.0330 | partial |
CVE-2026-3910 KEV | 3.8 | 8.8 | 0.0094 | good |
CVE-2026-31431 KEV UPD | 3.7 | 7.8 | 0.0257 | partial |
CVE-2025-21391 KEV | 3.7 | 7.1 | 0.0472 | partial |
CVE-2025-24985 KEV | 3.7 | 7.8 | 0.0223 | good |
CVE-2025-48384 KEV | 3.6 | 8.0 | 0.0060 | partial |
CVE-2025-38352 KEV | 3.5 | 7.4 | 0.0014 | partial |
CVE-2025-24991 KEV | 3.2 | 5.5 | 0.0156 | good |
CVE-2024-10442 | 2.9 | 10.0 | 0.1459 | partial |
CVE-2025-0291 | 2.5 | 8.8 | 0.1209 | good |
CVE-2025-47917 | 2.3 | 8.9 | 0.0843 | good |
CVE-2025-27678 | 2.2 | 9.8 | 0.0464 | good |
CVE-2026-21536 | 2.1 | 9.8 | 0.0170 | good |
CVE-2026-21876 | 2.1 | 9.3 | 0.0359 | partial |
CVE-2026-33942 | 2.0 | 9.8 | 0.0022 | good |
CVE-2026-32304 | 2.0 | 9.8 | 0.0016 | good |