
CWE · MITRE source

CWE-15 · External Control of System or Configuration Setting

Abstraction: Base · CVEs in our corpus: 68

One or more system settings or configuration elements can be externally controlled by a user.

Allowing external control of system settings can disrupt service or cause an application to behave in unexpected and potentially malicious ways.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 21 mapping(s) from 3 framework(s): ATT&CK 12 (partial) · CAPEC 8 (mostly) · OWASP-Web 1 (mostly)


OWASP Top 10 for Web (2025)

This weakness contributes to A02:2025 Security Misconfiguration.

NIST 800-53 r5 controls that address this weakness (9) · AI

The 5 most specific controls are listed first; the 4 broadly-applicable controls that address many weakness types follow them.

Control · Title · Family · Why it addresses this CWE

CM-1 · Policy and Procedures · CM · The policy and procedures establish internal controls and change management for system configuration settings, reducing the feasibility of external unauthorized modifications.
CM-2 · Baseline Configuration · CM · Baseline configuration under change control directly prevents unauthorized external modification of system or configuration settings.
CM-3 · Configuration Change Control · CM · Requires approval, documentation, and security impact review of all configuration changes, directly preventing unauthorized external control of system settings.
RA-5 · Vulnerability Monitoring and Scanning · RA · Vulnerability scanners directly detect externally controllable or misconfigured settings using standardized checklists.
SI-22 · Information Diversity · SI · Provides fallback sources for configuration or settings when the primary is externally corrupted or controlled.

Broadly-applicable controls:

CM-4 · Impact Analyses · CM · Impact analysis of configuration changes reduces the risk of deploying settings that permit unauthorized external control.
CM-5 · Access Restrictions for Change · CM · Restricting changes to system and configuration settings prevents external entities from controlling those settings without approval.
CM-6 · Configuration Settings · CM · Establishing, implementing, approving deviations from, and monitoring configuration settings directly prevents external or unauthorized control of system settings.
CM-9 · Configuration Management Plan · CM · The plan defines processes for identifying and managing configuration items, preventing external unauthorized control of system settings.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE                   Risk  CVSS  EPSS    Published
CVE-2021-38453        7.0   9.1   0.0100  2021-10-22
CVE-2023-46248        7.0   9.0   0.0109  2023-10-31
CVE-2024-4326         7.0   9.8   0.0097  2024-05-16
CVE-2024-38666        7.0   9.1   0.1888  2025-01-14
CVE-2024-39280        7.0   9.1   0.3417  2025-01-14
CVE-2024-39602        7.0   9.1   0.0227  2025-01-14
CVE-2024-39788        7.0   9.1   0.0146  2025-01-14
CVE-2024-39789        7.0   9.1   0.0103  2025-01-14
CVE-2024-39790        7.0   9.1   0.0146  2025-01-14
CVE-2024-39793        7.0   9.1   0.0146  2025-01-14
CVE-2024-39794        7.0   9.1   0.0103  2025-01-14
CVE-2024-39795        7.0   9.1   0.0146  2025-01-14
CVE-2024-39798        7.0   9.1   0.0183  2025-01-14
CVE-2024-39799        7.0   9.1   0.0128  2025-01-14
CVE-2024-39800        7.0   9.1   0.0183  2025-01-14
CVE-2026-22708        7.0   9.8   0.0054  2026-01-14
CVE-2026-41176 (UPD)  7.0   9.8   0.3473  2026-04-23
CVE-2026-44774 (UPD)  7.0   9.9   0.0046  2026-05-15
CVE-2026-45087 (UPD)  7.0   10.0  0.0115  2026-05-27
CVE-2023-50252        6.0   8.3   0.2390  2023-12-12
CVE-2024-51544        6.0   8.2   0.1352  2024-12-05
CVE-2021-31338        5.5   7.8   0.0024  2021-08-19
CVE-2022-41582        5.5   7.5   0.0047  2022-10-14
CVE-2021-27406        5.5   8.8   0.0092  2022-10-14
CVE-2023-32349        5.5   8.0   0.0098  2023-05-22