CWE · MITRE source
CWE-1104: Use of Unmaintained Third Party Components
The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.
Last updated: 04 July 2026 08:17 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 6 mapping(s) from 5 framework(s): ATT&CK 2 (partial) · OWASP-Web 1 (full) · ASVS 5.0 1 (mostly) · STIG oracle linux 8 1 (partial) · CSF 2.0 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A03:2025 Software Supply Chain Failures.
NIST 800-53 r5 controls that address this weakness (33)
The 15 most specific controls are listed first. Generic controls that address many weakness types follow in a second table.

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-1 | Policy and Procedures | SA | Policy can require pre-acquisition evaluation of third-party component maintenance status, support lifecycle, and update commitments. |
| SA-10 | Developer Configuration Management | SA | Configuration management and explicit tracking of security flaws require identification and remediation of unmaintained or vulnerable third-party components. |
| SA-12 | Supply Chain Protection | SA | Supply chain risk management includes supplier assessments that favor maintained and supported third-party components. |
| SR-1 | Policy and Procedures | SR | Procedures mandate ongoing assessment of third-party component support status and maintenance, making use of unmaintained components less likely. |
| SR-2 | Supply Chain Risk Management Plan | SR | Supply chain planning includes ongoing evaluation of third-party component support and viability, making use of unmaintained components less likely. |
| SR-3 | Supply Chain Controls and Processes | SR | Supply chain risk management processes include evaluation and replacement of unmaintained third-party components that introduce exploitable weaknesses. |
| PM-15 | Security and Privacy Groups and Associations | PM | Contact with security communities directly informs personnel of unmaintained components and their vulnerabilities, reducing the likelihood of their continued use. |
| PM-16 | Threat Awareness Program | PM | Threat intelligence sharing directly informs organizations of newly discovered vulnerabilities and exploitation in third-party components, enabling timely updates or replacement before attackers can leverage them. |
| PM-3 | Information Security and Privacy Resources | PM | Resource allocation in investment requests funds regular maintenance, patching, and updates of third-party components. |
| MA-1 | Policy and Procedures | MA | The maintenance policy requires regular updates and upkeep of systems and third-party components, directly reducing the presence of unmaintained software that attackers can exploit. |
| MA-6 | Timely Maintenance | MA | Requiring quick access to maintenance support and spare parts after failure necessitates using actively supported components rather than unmaintained third-party ones. |
| RA-4 | Risk Assessment Update | RA | Periodic risk assessment updates directly detect when third-party components become unmaintained, prompting removal or replacement before attackers can exploit known vulnerabilities. |
| RA-5 | Vulnerability Monitoring and Scanning | RA | Regular scanning with updatable vulnerability feeds directly identifies unmaintained third-party components. |
| SC-25 | Thin Nodes | SC | Fewer components and services mean reduced attack surface from unmaintained third-party code. |
| SC-29 | Heterogeneity | SC | Using multiple distinct technologies reduces systemic dependence on any single third-party component and its potential unmaintained vulnerabilities. |

18 more broadly-applicable controls

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-13 | Trustworthiness | SA | Makes use of unmaintained third-party components less likely by requiring ongoing trustworthiness assessment of dependencies and suppliers. |
| SA-15 | Development Process, Standards, and Tools | SA | Tool and standards review plus change-integrity requirements reduce selection and continued use of unmaintained third-party components. |
| SA-19 | Component Authenticity | SA | Requires use of trusted, maintained suppliers and configuration control, making use of unmaintained third-party components far less likely. |
| SA-2 | Allocation of Resources | SA | Dedicated security line items in budgets enable ongoing maintenance, patching, and replacement of third-party components that would otherwise be left unmaintained due to lack of allocated resources. |
| SA-20 | Customized Development of Critical Components | SA | Custom development replaces unmaintained third-party components with internally controlled code for critical functions. |
| SA-22 | Unsupported System Components | SA | Directly prevents continued use of components that receive no further security updates or patches from the vendor. |
| SA-3 | System Development Life Cycle | SA | Acquisition and development under a security-aware SDLC includes evaluation of third-party components for maintenance status and known weaknesses before integration. |
| SA-4 | Acquisition Process | SA | Explicit supply-chain risk management and acceptance criteria in acquisition contracts directly reduce procurement of unmaintained third-party components. |
| SA-6 | Software Usage Restrictions | SA | License and contract compliance requirements can enforce use of only supported, maintained third-party components. |
| SR-4 | Provenance | SR | Provenance records include supplier and lifecycle details, enabling ongoing monitoring to avoid unmaintained third-party components. |
| SR-5 | Acquisition Strategies, Tools, and Methods | SR | Contract tools and acquisition criteria can explicitly require ongoing vendor support, patching commitments, and avoidance of unmaintained third-party components. |
| SR-6 | Supplier Assessments and Reviews | SR | Assessments evaluate supplier maintenance practices, lowering exposure to unmaintained third-party components. |
| SR-8 | Notification Agreements | SR | Notification procedures can mandate alerts when third-party components reach end-of-life or lose support, reducing prolonged use of vulnerable components. |
| PM-30 | Supply Chain Risk Management Strategy | PM | Organization-wide SCRM policy includes ongoing evaluation of third-party component support lifecycles to avoid unmaintained dependencies. |
| SI-2 | Flaw Remediation | SI | Timely identification and installation of updates directly prevents use of unmaintained third-party components whose known flaws remain exploitable. |
| SI-5 | Security Alerts, Advisories, and Directives | SI | Ongoing receipt and implementation of security advisories directly enables timely replacement or mitigation of unmaintained third-party components before known vulnerabilities are exploited. |
| AT-5 | Contacts with Security Groups and Associations | AT | Security groups frequently discuss maintenance status of third-party components, aiding identification and avoidance of unmaintained ones. |
| CM-8 | System Component Inventory | CM | Maintaining an accurate, reviewed inventory of all system components enables tracking of third-party software versions and maintenance status, reducing the risk of using unmaintained components. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2023-7102 | 7.0 | 9.8 | 0.4332 | 2023-12-24 |
| CVE-2025-40906 UPD | 7.0 | 9.8 | 0.0053 | 2025-05-16 |
| CVE-2025-10220 | 7.0 | 9.8 | 0.0069 | 2025-09-10 |
| CVE-2025-34192 | 7.0 | 9.8 | 0.0090 | 2025-09-19 |
| CVE-2025-34193 | 7.0 | 9.8 | 0.0073 | 2025-09-19 |
| CVE-2025-12104 | 7.0 | 9.8 | 0.0037 | 2025-10-23 |
| CVE-2022-46871 | 5.5 | 8.8 | 0.0089 | 2022-12-22 |
| CVE-2024-35252 | 5.5 | 7.5 | 0.0246 | 2024-06-11 |
| CVE-2024-8885 | 5.5 | 8.8 | 0.0011 | 2024-10-02 |
| CVE-2024-11999 | 5.5 | 8.8 | 0.0062 | 2024-12-17 |
| CVE-2025-3497 UPD | 5.5 | 8.7 | 0.0033 | 2025-07-09 |
| CVE-2025-48862 UPD | 5.5 | 7.1 | 0.0011 | 2025-08-14 |
| CVE-2025-20010 | 5.5 | 7.8 | 0.0021 | 2025-11-11 |
| CVE-2026-41468 | 5.5 | 8.7 | 0.0039 | 2026-04-22 |
| CVE-2026-21821 UPD | 5.5 | 8.3 | 0.0021 | 2026-05-13 |
| CVE-2023-37524 | 5.5 | 7.7 | 0.0011 | 2026-06-27 |
| CVE-2021-22142 | 3.5 | 6.6 | 0.0101 | 2023-11-22 |
| CVE-2024-21631 UPD | 3.5 | 6.5 | 0.0060 | 2024-01-03 |
| CVE-2025-52658 | 1.5 | 3.5 | 0.0018 | 2025-10-03 |
| CVE-2025-55277 | 1.5 | 2.6 | 0.0018 | 2026-03-26 |