NIST 800-53 r5 · Controls catalogue · Family SI
SI-10Information Input Validation
Check the validity of the following information inputs: {{ insert: param, si-10_odp }}.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (101)
- T1021.002 SMB/Windows Admin Shares Lateral Movement
- T1021.005 VNC Lateral Movement
- T1027.010 Command Obfuscation Stealth
- T1036 Masquerading Stealth
- T1036.005 Match Legitimate Resource Name or Location Stealth
- T1036.008 Masquerade File Type Stealth
- T1048 Exfiltration Over Alternative Protocol Exfiltration
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
- T1059 Command and Scripting Interpreter Execution
- T1059.001 PowerShell Execution
- T1059.002 AppleScript Execution
- T1059.003 Windows Command Shell Execution
- T1059.004 Unix Shell Execution
- T1059.005 Visual Basic Execution
- T1059.006 Python Execution
- T1059.007 JavaScript Execution
- T1059.008 Network Device CLI Execution
- T1071.004 DNS Command And Control
- T1080 Taint Shared Content Lateral Movement
- T1090 Proxy Command And Control
- T1090.003 Multi-hop Proxy Command And Control
- T1095 Non-Application Layer Protocol Command And Control
- T1127 Trusted Developer Utilities Proxy Execution Stealth, Execution
- T1127.002 ClickOnce Stealth, Execution
- T1129 Shared Modules Execution
- T1176 Software Extensions Persistence
- T1187 Forced Authentication Credential Access
- T1190 Exploit Public-Facing Application Initial Access
- T1197 BITS Jobs Stealth, Persistence, Execution
- T1204 User Execution Execution
- T1204.002 Malicious File Execution
- T1216 System Script Proxy Execution Stealth
- T1216.001 PubPrn Stealth
- T1218 System Binary Proxy Execution Stealth
- T1218.001 Compiled HTML File Stealth
- T1218.002 Control Panel Stealth
- T1218.003 CMSTP Stealth
- T1218.004 InstallUtil Stealth
- T1218.005 Mshta Stealth
- T1218.008 Odbcconf Stealth
- T1218.009 Regsvcs/Regasm Stealth
- T1218.010 Regsvr32 Stealth
- T1218.011 Rundll32 Stealth
- T1218.012 Verclsid Stealth
- T1218.013 Mavinject Stealth
- T1218.014 MMC Stealth
- T1218.015 Electron Applications Stealth
- T1219 Remote Access Tools Command And Control
Weaknesses this control addresses (10)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 50,636 | Validates web inputs to reject script-related content that could produce XSS. |
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 22,681 | Validates query inputs to prevent SQL syntax or command manipulation. |
CWE-20 | Improper Input Validation | 13,217 | Directly implements checks on information inputs to reject invalid data before processing. |
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 10,202 | Validates pathnames and filenames to prevent traversal outside intended directories. |
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 6,908 | Validates inputs to block special elements that would alter OS command execution. |
CWE-94 | Improper Control of Generation of Code ('Code Injection') | 6,720 | Validates inputs used in dynamic code generation to block injected directives. |
CWE-502 | Deserialization of Untrusted Data | 3,170 | Validates or rejects untrusted serialized data before deserialization occurs. |
CWE-918 | Server-Side Request Forgery (SSRF) | 2,947 | Validates server-side URLs and resource references to block SSRF attempts. |
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | 1,743 | Validates redirect targets and URLs to ensure they conform to allowed destinations. |
CWE-73 | External Control of File Name or Path | 421 | Rejects externally supplied file or resource identifiers that fail validity checks. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-1316 KEV | 9.2 | 9.8 | 0.8729 | good |
CVE-2026-3055 KEV | 8.8 | 9.8 | 0.8002 | good |
CVE-2025-58360 KEV | 8.5 | 8.2 | 0.8139 | good |
CVE-2025-68613 KEV | 8.0 | 9.9 | 0.6707 | good |
CVE-2025-54236 KEV UPD | 7.9 | 9.1 | 0.6743 | good |
CVE-2025-48703 KEV | 7.8 | 9.0 | 0.6740 | good |
CVE-2024-32640 | 7.6 | 9.8 | 0.9372 | good |
CVE-2024-12849 | 7.1 | 7.5 | 0.9304 | good |
CVE-2024-40891 KEV | 7.0 | 8.8 | 0.5324 | good |
CVE-2025-59528 | 7.0 | 10.0 | 0.8387 | good |
CVE-2016-15043 | 7.0 | 9.8 | 0.8474 | good |
CVE-2024-12971 | 6.7 | 8.8 | 0.8315 | good |
CVE-2025-0107 | 6.7 | 9.8 | 0.7953 | good |
CVE-2025-7441 | 6.7 | 9.8 | 0.7894 | good |
CVE-2012-10020 | 6.7 | 9.8 | 0.7821 | good |
CVE-2015-10138 | 6.6 | 9.8 | 0.7730 | good |
CVE-2015-10137 | 6.6 | 9.8 | 0.7724 | good |
CVE-2024-52875 | 6.5 | 8.8 | 0.7966 | good |
CVE-2024-40890 KEV | 6.5 | 8.8 | 0.4588 | good |
CVE-2013-10051 | 6.5 | 9.8 | 0.7581 | good |
CVE-2015-10135 | 6.5 | 9.8 | 0.7566 | good |
CVE-2024-48456 | 6.4 | 7.5 | 0.8126 | good |
CVE-2013-10069 | 6.3 | 9.8 | 0.7168 | good |
CVE-2025-20362 KEV | 6.3 | 6.5 | 0.5014 | good |
CVE-2025-13486 | 6.2 | 9.8 | 0.7131 | good |