Cyber Resilience

CWE · MITRE source

CWE-506: Embedded Malicious Code

Abstraction: Class · CVEs in our corpus: 85

The product contains code that appears to be malicious in nature.

Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. A Trojan horse, for example, is a program that performs a useful service but exploits the rights of the program's user in a way the user does not intend.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 16 mapping(s) from 5 framework(s): ATT&CK 10 (mostly) · CAPEC 3 (full) · STIG oracle linux 9 1 (partial) · STIG rhel 9 1 (partial) · OWASP-Web 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A08:2025 Software or Data Integrity Failures.

NIST 800-53 r5 controls that address this weakness (35)

The 15 most specific controls are listed first; the 20 more broadly applicable controls, which address many weakness types, follow below.

Control · Title · Family · Why it addresses this CWE
SR-1 · Policy and Procedures · SR · Supply chain risk management procedures include controls to detect and prevent insertion of malicious code through suppliers and vendors.
SR-10 · Inspection of Systems or Components · SR · Direct inspection of components can detect embedded malicious code inserted through supply-chain or runtime tampering.
SR-11 · Component Authenticity · SR · Counterfeit components are a common vector for embedding malicious code; preventing their entry reduces this exposure.
SA-1 · Policy and Procedures · SA · Acquisition procedures can prescribe integrity checks, code review, and provenance validation to reduce introduction of embedded malicious code.
SA-10 · Developer Configuration Management · SA · Requiring documented, approved changes plus security flaw tracking makes undetected insertion of malicious code substantially harder.
SA-12 · Supply Chain Protection · SA · The control mandates vetting suppliers and tamper detection, making it harder for malicious code to be embedded by upstream providers.
SC-18 · Mobile Code · SC · Monitoring mobile code usage enables detection of embedded malicious code delivered through allowed mobile code channels.
SC-25 · Thin Nodes · SC · Reduced code footprint and storage make insertion or persistence of embedded malicious code far less feasible.
SC-29 · Heterogeneity · SC · Embedding malicious code becomes far harder to achieve uniformly when components use heterogeneous languages, runtimes, and hardware.
CM-10 · Software Usage Restrictions · CM · Restricting software to licensed versions and controlling P2P prevents introduction of software containing embedded malicious code from unauthorized sources.
CM-11 · User-installed Software · CM · The control prevents users from installing software that contains embedded malicious code.
CM-8 · System Component Inventory · CM · Regular inventory reviews and updates make it harder to conceal or exploit embedded malicious code by requiring all components to be documented and accounted for.
SI-14 · Non-persistence · SI · Any embedded malicious code or backdoor written into an instance is erased at termination, rendering persistence mechanisms ineffective across successive instances.
SI-3 · Malicious Code Protection · SI · Directly detects and eradicates embedded malicious code at entry/exit points via periodic and real-time scans.
SI-7 · Software, Firmware, and Information Integrity · SI · Unauthorized insertion of malicious code into software or firmware is revealed by integrity monitoring.
SR-2 · Supply Chain Risk Management Plan · SR · A supply chain risk management plan requires vetting suppliers and components to prevent introduction of embedded malicious code throughout the system lifecycle.
SR-3 · Supply Chain Controls and Processes · SR · Identifying weaknesses and applying supplier controls reduces the likelihood of embedded malicious code being introduced through procured elements.
SR-4 · Provenance · SR · Valid provenance monitoring makes insertion of embedded malicious code during supply chain or development stages detectable.
SR-5 · Acquisition Strategies, Tools, and Methods · SR · Acquisition strategies can require trusted suppliers, code reviews, and integrity attestations that directly reduce the likelihood of receiving components with embedded malicious code.
SR-6 · Supplier Assessments and Reviews · SR · Reviews of suppliers and their deliverables can detect or deter introduction of embedded malicious code.
SR-8 · Notification Agreements · SR · Notification agreements enable suppliers to alert acquirers to discovered or suspected embedded malicious code, directly supporting detection and response.
SR-9 · Tamper Resistance and Detection · SR · Tamper detection mechanisms can identify embedded malicious code inserted via supply-chain or runtime tampering.
SA-13 · Trustworthiness · SA · Directly reduces risk of embedded malicious code by requiring verification that acquired or developed components perform only as specified without hidden malicious behavior.
SA-19 · Component Authenticity · SA · Authenticity verification and anti-counterfeit procedures detect and block components that may contain embedded malicious code or backdoors.
SA-20 · Customized Development of Critical Components · SA · In-house development of critical components eliminates the attack surface of vendor-embedded malicious code.
SA-21 · Developer Screening · SA · Screening developers for trustworthiness and appropriate authorizations directly reduces the likelihood that a malicious insider will intentionally embed malicious code during development.
SA-6 · Software Usage Restrictions · SA · Mandating only contract-approved software reduces the chance of introducing binaries that contain embedded malicious code.
SC-34 · Non-modifiable Executable Programs · SC · Prevents embedding or persistence of malicious code in the OS or specified applications since the media cannot be written.
SC-44 · Detonation Chambers · SC · Detonation chambers directly detect and analyze embedded malicious code by executing it in isolation before it reaches production systems.
RA-10 · Threat Hunting · RA · The capability explicitly searches for embedded malicious code and backdoors as indicators of compromise.
RA-6 · Technical Surveillance Countermeasures Survey · RA · TSCM directly targets and removes embedded malicious hardware or code planted for ongoing technical surveillance.
CP-10 · System Recovery and Reconstitution · CP · Reverting to a known state removes any malicious code embedded by an attacker.
MA-3 · Maintenance Tools · MA · The approval and review process for maintenance tools can prevent introduction or continued use of tools containing embedded malicious code.
PM-30 · Supply Chain Risk Management Strategy · PM · Supply chain strategy requires vetting and controls during acquisition to prevent or detect insertion of malicious code by vendors or integrators.
PS-2 · Position Risk Designation · PS · Background screening for development or deployment roles makes intentional insertion of malicious code by insiders materially harder to accomplish.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE · Flags · Risk · CVSS · EPSS · Published
CVE-2024-4978 · KEV · 10.0 · 8.4 · 0.2694 · 2024-05-23
CVE-2025-30066 · KEV · 10.0 · 8.6 · 0.4101 · 2025-03-15
CVE-2025-30154 · KEV · 10.0 · 8.6 · 0.0230 · 2025-03-19
CVE-2025-54313 · KEV UPD · 10.0 · 7.5 · 0.0415 · 2025-07-19
CVE-2025-59374 · KEV · 10.0 · 9.8 · 0.0108 · 2025-12-17
CVE-2026-33634 · KEV · 10.0 · 8.8 · 0.6037 · 2026-03-23
CVE-2026-45321 · KEV UPD · 10.0 · 9.6 · 0.0234 · 2026-05-12
CVE-2026-8398 · KEV UPD · 10.0 · 9.8 · 0.0146 · 2026-05-15
CVE-2026-48027 · KEV UPD · 10.0 · 9.8 · 0.0185 · 2026-05-27
CVE-2024-3094 · UPD · 8.0 · 10.0 · 0.8597 · 2024-03-29
CVE-2017-16128 · – · 7.0 · 9.8 · 0.0146 · 2018-06-07
CVE-2020-15165 · – · 7.0 · 9.3 · 0.0132 · 2020-08-28
CVE-2023-2003 · – · 7.0 · 9.1 · 0.0091 · 2023-07-13
CVE-2025-10894 · – · 7.0 · 9.6 · 0.0053 · 2025-09-24
CVE-2026-31976 · – · 7.0 · 9.8 · 0.0050 · 2026-03-11
CVE-2026-34841 · – · 7.0 · 9.8 · 0.0023 · 2026-04-06
CVE-2026-34424 · – · 7.0 · 9.8 · 0.0055 · 2026-04-09
CVE-2026-6443 · – · 7.0 · 9.8 · 0.0050 · 2026-04-17
CVE-2026-44484 · UPD · 7.0 · 9.8 · 0.0039 · 2026-05-14
CVE-2026-45758 · UPD · 7.0 · 9.6 · 0.0028 · 2026-06-05
CVE-2017-16047 · – · 5.5 · 7.5 · 0.0127 · 2018-05-29
CVE-2017-16061 · – · 5.5 · 7.5 · 0.0111 · 2018-05-29
CVE-2017-16062 · – · 5.5 · 7.5 · 0.0108 · 2018-05-29
CVE-2017-16044 · – · 5.5 · 7.5 · 0.0147 · 2018-06-04
CVE-2017-16045 · – · 5.5 · 7.5 · 0.0112 · 2018-06-04