Cyber Resilience

CWE · MITRE source

CWE-1104: Use of Unmaintained Third Party Components

Abstraction: Base · CVEs in our corpus: 20

The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.

Last updated: 04 July 2026 08:17 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 6 mapping(s) from 5 framework(s): ATT&CK 2 (partial) · OWASP-Web 1 (full) · ASVS 5.0 1 (mostly) · STIG oracle linux 8 1 (partial) · CSF 2.0 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A03:2025 Software Supply Chain Failures.

NIST 800-53 r5 controls that address this weakness (33)

The 15 most specific controls are listed first; the 18 more broadly applicable controls, which address many weakness types, follow.

Control · Title · Family · Why it addresses this CWE
SA-1 · Policy and Procedures · SA · Policy can require pre-acquisition evaluation of third-party component maintenance status, support lifecycle, and update commitments.
SA-10 · Developer Configuration Management · SA · Configuration management and explicit tracking of security flaws require identification and remediation of unmaintained or vulnerable third-party components.
SA-12 · Supply Chain Protection · SA · Supply chain risk management includes supplier assessments that favor maintained and supported third-party components.
SR-1 · Policy and Procedures · SR · Procedures mandate ongoing assessment of third-party component support status and maintenance, making use of unmaintained components less likely.
SR-2 · Supply Chain Risk Management Plan · SR · Supply chain planning includes ongoing evaluation of third-party component support and viability, making use of unmaintained components less likely.
SR-3 · Supply Chain Controls and Processes · SR · Supply chain risk management processes include evaluation and replacement of unmaintained third-party components that introduce exploitable weaknesses.
PM-15 · Security and Privacy Groups and Associations · PM · Contact with security communities directly informs personnel of unmaintained components and their vulnerabilities, reducing the likelihood of their continued use.
PM-16 · Threat Awareness Program · PM · Threat intelligence sharing directly informs organizations of newly discovered vulnerabilities and exploitation in third-party components, enabling timely updates or replacement before attackers can leverage them.
PM-3 · Information Security and Privacy Resources · PM · Resource allocation in investment requests funds regular maintenance, patching, and updates of third-party components.
MA-1 · Policy and Procedures · MA · The maintenance policy requires regular updates and upkeep of systems and third-party components, directly reducing the presence of unmaintained software that attackers can exploit.
MA-6 · Timely Maintenance · MA · Requiring quick access to maintenance support and spare parts after failure necessitates using actively supported components rather than unmaintained third-party ones.
RA-4 · Risk Assessment Update · RA · Periodic risk assessment updates directly detect when third-party components become unmaintained, prompting removal or replacement before attackers can exploit known vulnerabilities.
RA-5 · Vulnerability Monitoring and Scanning · RA · Regular scanning with updatable vulnerability feeds directly identifies unmaintained third-party components.
SC-25 · Thin Nodes · SC · Fewer components and services mean reduced attack surface from unmaintained third-party code.
SC-29 · Heterogeneity · SC · Using multiple distinct technologies reduces systemic dependence on any single third-party component and its potential unmaintained vulnerabilities.

18 more broadly applicable controls:

SA-13 · Trustworthiness · SA · Makes use of unmaintained third-party components less likely by requiring ongoing trustworthiness assessment of dependencies and suppliers.
SA-15 · Development Process, Standards, and Tools · SA · Tool and standards review plus change-integrity requirements reduce selection and continued use of unmaintained third-party components.
SA-19 · Component Authenticity · SA · Requires use of trusted, maintained suppliers and configuration control, making use of unmaintained third-party components far less likely.
SA-2 · Allocation of Resources · SA · Dedicated security line items in budgets enable ongoing maintenance, patching, and replacement of third-party components that would otherwise be left unmaintained due to lack of allocated resources.
SA-20 · Customized Development of Critical Components · SA · Custom development replaces unmaintained third-party components with internally controlled code for critical functions.
SA-22 · Unsupported System Components · SA · Directly prevents continued use of components that receive no further security updates or patches from the vendor.
SA-3 · System Development Life Cycle · SA · Acquisition and development under a security-aware SDLC includes evaluation of third-party components for maintenance status and known weaknesses before integration.
SA-4 · Acquisition Process · SA · Explicit supply-chain risk management and acceptance criteria in acquisition contracts directly reduce procurement of unmaintained third-party components.
SA-6 · Software Usage Restrictions · SA · License and contract compliance requirements can enforce use of only supported, maintained third-party components.
SR-4 · Provenance · SR · Provenance records include supplier and lifecycle details, enabling ongoing monitoring to avoid unmaintained third-party components.
SR-5 · Acquisition Strategies, Tools, and Methods · SR · Contract tools and acquisition criteria can explicitly require ongoing vendor support, patching commitments, and avoidance of unmaintained third-party components.
SR-6 · Supplier Assessments and Reviews · SR · Assessments evaluate supplier maintenance practices, lowering exposure to unmaintained third-party components.
SR-8 · Notification Agreements · SR · Notification procedures can mandate alerts when third-party components reach end-of-life or lose support, reducing prolonged use of vulnerable components.
PM-30 · Supply Chain Risk Management Strategy · PM · Organization-wide SCRM policy includes ongoing evaluation of third-party component support lifecycles to avoid unmaintained dependencies.
SI-2 · Flaw Remediation · SI · Timely identification and installation of updates directly prevents use of unmaintained third-party components whose known flaws remain exploitable.
SI-5 · Security Alerts, Advisories, and Directives · SI · Ongoing receipt and implementation of security advisories directly enables timely replacement or mitigation of unmaintained third-party components before known vulnerabilities are exploited.
AT-5 · Contacts with Security Groups and Associations · AT · Security groups frequently discuss maintenance status of third-party components, aiding identification and avoidance of unmaintained ones.
CM-8 · System Component Inventory · CM · Maintaining an accurate, reviewed inventory of all system components enables tracking of third-party software versions and maintenance status, reducing the risk of using unmaintained components.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.


Top CVEs of this weakness type, ranked by Risk Priority

CVE · Risk · CVSS · EPSS · Published
CVE-2023-7102 · 7.0 · 9.8 · 0.4332 · 2023-12-24
CVE-2025-40906 UPD · 7.0 · 9.8 · 0.0053 · 2025-05-16
CVE-2025-10220 · 7.0 · 9.8 · 0.0069 · 2025-09-10
CVE-2025-34192 · 7.0 · 9.8 · 0.0090 · 2025-09-19
CVE-2025-34193 · 7.0 · 9.8 · 0.0073 · 2025-09-19
CVE-2025-12104 · 7.0 · 9.8 · 0.0037 · 2025-10-23
CVE-2022-46871 · 5.5 · 8.8 · 0.0089 · 2022-12-22
CVE-2024-35252 · 5.5 · 7.5 · 0.0246 · 2024-06-11
CVE-2024-8885 · 5.5 · 8.8 · 0.0011 · 2024-10-02
CVE-2024-11999 · 5.5 · 8.8 · 0.0062 · 2024-12-17
CVE-2025-3497 UPD · 5.5 · 8.7 · 0.0033 · 2025-07-09
CVE-2025-48862 UPD · 5.5 · 7.1 · 0.0011 · 2025-08-14
CVE-2025-20010 · 5.5 · 7.8 · 0.0021 · 2025-11-11
CVE-2026-41468 · 5.5 · 8.7 · 0.0039 · 2026-04-22
CVE-2026-21821 UPD · 5.5 · 8.3 · 0.0021 · 2026-05-13
CVE-2023-37524 · 5.5 · 7.7 · 0.0011 · 2026-06-27
CVE-2021-22142 · 3.5 · 6.6 · 0.0101 · 2023-11-22
CVE-2024-21631 UPD · 3.5 · 6.5 · 0.0060 · 2024-01-03
CVE-2025-52658 · 1.5 · 3.5 · 0.0018 · 2025-10-03
CVE-2025-55277 · 1.5 · 2.6 · 0.0018 · 2026-03-26