Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SC

SC-18 Mobile Code

Define acceptable and unacceptable mobile code and mobile code technologies; and authorize, monitor, and control the use of mobile code within the system.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 1 mapping(s) from 1 framework(s): ASVS 5.0 1 (mostly)


Implementations targeting this control (0)

ATT&CK techniques this control mitigates (38)

Weaknesses this control addresses (5) AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 298 | Defining acceptable mobile code technologies and authorizing their use prevents inclusion of functionality from untrusted control spheres. |
| CWE-494 | Download of Code Without Integrity Check | 252 | Authorizing and controlling mobile code requires verifying origin and integrity before download/execution, directly preventing this weakness. |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | 115 | Requiring explicit authorization and ongoing control of mobile code implements proper management of dynamically loaded code resources. |
| CWE-506 | Embedded Malicious Code | 85 | Monitoring mobile code usage enables detection of embedded malicious code delivered through allowed mobile code channels. |
| CWE-830 | Inclusion of Web Functionality from an Untrusted Source | 12 | Restricting mobile code technologies and monitoring their use blocks web functionality (e.g., scripts) loaded from untrusted sources. |

Top CVEs where this control is the strongest mitigation

| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2015-5123 KEV | 10.0 | 9.8 | 0.1849 | good |
| CVE-2015-5119 KEV | 10.0 | 9.8 | 0.9934 | good |
| CVE-2014-6332 KEV | 10.0 | 8.8 | 0.9500 | good |
| CVE-2012-4681 KEV | 10.0 | 9.8 | 0.9854 | good |
| CVE-2012-1856 KEV | 10.0 | 8.8 | 0.7212 | good |
| CVE-2012-0767 KEV | 10.0 | 6.1 | 0.0666 | good |
| CVE-2012-0507 KEV | 10.0 | 9.8 | 0.9824 | good |
| CVE-2012-0158 KEV | 10.0 | 8.8 | 0.9997 | good |
| CVE-2026-30957 | 7.0 | 9.9 | 0.0115 | good |
| CVE-2026-30887 | 7.0 | 9.9 | 0.0039 | good |
| CVE-2026-25641 | 7.0 | 10.0 | 0.0049 | good |
| CVE-2023-27363 | 6.0 | 7.8 | 0.4699 | good |
| CVE-2022-21449 | 6.0 | 7.5 | 0.4668 | good |
| CVE-2026-39911 | 5.5 | 8.8 | 0.0054 | good |
| CVE-2026-40156 | 5.5 | 7.8 | 0.0021 | good |
| CVE-2025-30749 UPD | 5.5 | 8.1 | 0.0106 | good |
| CVE-2026-21932 UPD | 5.5 | 7.4 | 0.0043 | good |
| CVE-2022-35978 | 5.5 | 7.7 | 0.0220 | good |
| CVE-2025-6554 KEV UPD | 10.0 | 8.1 | 0.0656 | partial |
| CVE-2025-30397 KEV UPD | 10.0 | 7.5 | 0.2156 | partial |
| CVE-2024-7971 KEV | 10.0 | 9.6 | 0.1927 | good |
| CVE-2024-4947 KEV | 10.0 | 9.6 | 0.1511 | partial |
| CVE-2024-38213 KEV | 10.0 | 6.5 | 0.1337 | good |
| CVE-2024-30040 KEV | 10.0 | 8.8 | 0.0394 | partial |
| CVE-2023-2033 KEV | 10.0 | 8.8 | 0.4080 | partial |

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-19 SC-2 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9