CWE · MITRE source
CWE-15: External Control of System or Configuration Setting
One or more system settings or configuration elements can be externally controlled by a user.
Allowing external control of system settings can disrupt service or cause an application to behave in unexpected and potentially malicious ways.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 21 mapping(s) from 3 framework(s): ATT&CK 12 (partial) · CAPEC 8 (mostly) · OWASP-Web 1 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A02:2025 Security Misconfiguration.
NIST 800-53 r5 controls that address this weakness (9)
The 5 most specific controls are listed first, followed by 4 broadly-applicable controls that address many weakness types.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CM-1 | Policy and Procedures | CM | The policy and procedures establish internal controls and change management for system configuration settings, reducing the feasibility of external unauthorized modifications. |
| CM-2 | Baseline Configuration | CM | Baseline configuration under change control directly prevents unauthorized external modification of system or configuration settings. |
| CM-3 | Configuration Change Control | CM | Requires approval, documentation, and security impact review of all configuration changes, directly preventing unauthorized external control of system settings. |
| RA-5 | Vulnerability Monitoring and Scanning | RA | Vulnerability scanners directly detect externally controllable or misconfigured settings using standardized checklists. |
| SI-22 | Information Diversity | SI | Provides fallback sources for configuration or settings when the primary is externally corrupted or controlled. |
| CM-4 | Impact Analyses | CM | Impact analysis of configuration changes reduces the risk of deploying settings that permit unauthorized external control. |
| CM-5 | Access Restrictions for Change | CM | Restricting changes to system and configuration settings prevents external entities from controlling those settings without approval. |
| CM-6 | Configuration Settings | CM | Establishing, implementing, approving deviations from, and monitoring configuration settings directly prevents external or unauthorized control of system settings. |
| CM-9 | Configuration Management Plan | CM | The plan defines processes for identifying and managing configuration items, preventing external unauthorized control of system settings. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-38453 | 7.0 | 9.1 | 0.0100 | 2021-10-22 |
| CVE-2023-46248 | 7.0 | 9.0 | 0.0109 | 2023-10-31 |
| CVE-2024-4326 | 7.0 | 9.8 | 0.0097 | 2024-05-16 |
| CVE-2024-38666 | 7.0 | 9.1 | 0.1888 | 2025-01-14 |
| CVE-2024-39280 | 7.0 | 9.1 | 0.3417 | 2025-01-14 |
| CVE-2024-39602 | 7.0 | 9.1 | 0.0227 | 2025-01-14 |
| CVE-2024-39788 | 7.0 | 9.1 | 0.0146 | 2025-01-14 |
| CVE-2024-39789 | 7.0 | 9.1 | 0.0103 | 2025-01-14 |
| CVE-2024-39790 | 7.0 | 9.1 | 0.0146 | 2025-01-14 |
| CVE-2024-39793 | 7.0 | 9.1 | 0.0146 | 2025-01-14 |
| CVE-2024-39794 | 7.0 | 9.1 | 0.0103 | 2025-01-14 |
| CVE-2024-39795 | 7.0 | 9.1 | 0.0146 | 2025-01-14 |
| CVE-2024-39798 | 7.0 | 9.1 | 0.0183 | 2025-01-14 |
| CVE-2024-39799 | 7.0 | 9.1 | 0.0128 | 2025-01-14 |
| CVE-2024-39800 | 7.0 | 9.1 | 0.0183 | 2025-01-14 |
| CVE-2026-22708 | 7.0 | 9.8 | 0.0054 | 2026-01-14 |
| CVE-2026-41176 | 7.0 | 9.8 | 0.3473 | 2026-04-23 |
| CVE-2026-44774 | 7.0 | 9.9 | 0.0046 | 2026-05-15 |
| CVE-2026-45087 | 7.0 | 10.0 | 0.0115 | 2026-05-27 |
| CVE-2023-50252 | 6.0 | 8.3 | 0.2390 | 2023-12-12 |
| CVE-2024-51544 | 6.0 | 8.2 | 0.1352 | 2024-12-05 |
| CVE-2021-31338 | 5.5 | 7.8 | 0.0024 | 2021-08-19 |
| CVE-2022-41582 | 5.5 | 7.5 | 0.0047 | 2022-10-14 |
| CVE-2021-27406 | 5.5 | 8.8 | 0.0092 | 2022-10-14 |
| CVE-2023-32349 | 5.5 | 8.0 | 0.0098 | 2023-05-22 |