
CWE · MITRE source

CWE-552: Files or Directories Accessible to External Parties

Abstraction: Base · CVEs in our corpus: 478

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.
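The two exposure routes the description names (sensitive files left under a served root, and sensitive files swept into an archive) can be caught with the same deny rules. The script below is an added example, not code from MITRE or from this site: it audits a served root for files that should not be reachable (including symlinks that resolve outside the root) and builds a ZIP that skips those same entries. The deny globs and directory names are assumptions chosen for illustration, and the sample web root is constructed in a temporary directory.

```python
"""Audit a served root and build an archive without CWE-552 exposures."""
import fnmatch
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Assumed deny rules (illustrative, tune per project): names that should
# never sit under a public root or be shipped inside an archive.
DENY_GLOBS = (".env", ".env.*", "*.pem", "*.key", "id_rsa*", "*.bak",
              "*.sql", "*.log", "*.swp", "*~", ".htpasswd", "wp-config.php")
DENY_DIRS = (".git", ".svn", ".ssh", "backup", "backups", "node_modules")


def is_sensitive(rel: str) -> bool:
    """True if a root-relative POSIX path matches a deny rule."""
    parts = rel.split("/")
    if any(p in DENY_DIRS for p in parts[:-1]):
        return True
    return any(fnmatch.fnmatch(parts[-1], g) for g in DENY_GLOBS)


def _walk_files(root: Path):
    """Yield (absolute path, root-relative POSIX path) for every file."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            full = Path(dirpath, fn)
            yield full, full.relative_to(root).as_posix()


def audit_root(root: Path) -> list[str]:
    """Return root-relative paths that a file server would expose but should not."""
    root = root.resolve()
    exposed = []
    for full, rel in _walk_files(root):
        # A symlink resolving outside the root exposes whatever it points at.
        try:
            escapes = not full.resolve().is_relative_to(root)
        except OSError:
            escapes = True  # dangling or unreadable link: treat as suspect
        if escapes or is_sensitive(rel):
            exposed.append(rel)
    return sorted(exposed)


def safe_zip(root: Path) -> bytes:
    """Pack root into a ZIP, excluding deny-listed entries and all symlinks."""
    root = root.resolve()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for full, rel in _walk_files(root):
            if full.is_symlink() or is_sensitive(rel):
                continue
            zf.write(full, arcname=rel)
    return buf.getvalue()


def list_zip_names(data: bytes) -> list[str]:
    """Entry names inside a ZIP produced by safe_zip (for inspection/tests)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_fixture() -> Path:
    """Create a constructed sample web root in a temp dir (fixture, not real data)."""
    base = Path(tempfile.mkdtemp(prefix="cwe552-"))
    root = base / "webroot"
    files = {
        "index.html": "<h1>hello</h1>",
        "css/site.css": "body{}",
        "uploads/photo.jpg": "jpegdata",
        ".env": "DB_PASSWORD=example-not-real",   # constructed placeholder
        ".git/config": "[core]",
        "backup/db.sql": "-- dump",
        "config.php.bak": "<?php",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    # Symlink reaching outside the root (skipped if the platform refuses symlinks)
    outside = base / "outside" / "secret.txt"
    outside.parent.mkdir(parents=True)
    outside.write_text("secret")
    try:
        (root / "passwd").symlink_to(outside)
    except OSError:
        pass
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    print("exposed under root:", audit_root(fixture))
    print("archive contents:  ", list_zip_names(safe_zip(fixture)))
```

Run as a script it reports `.env`, `.git/config`, `backup/db.sql`, `config.php.bak` and the `passwd` symlink as exposed, while the archive holds only `index.html`, `css/site.css` and `uploads/photo.jpg`. The same `is_sensitive` rule set serves both checks so the served root and the shipped archive cannot drift apart; in production the deny rules belong in version control next to the deployment config.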

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 16 mapping(s) from 4 framework(s): ATT&CK 11 (mostly) · CAPEC 2 (partial) · STIG oracle linux 8 2 (partial) · OWASP-Web 1 (mostly)


OWASP Top 10 for Web (2025)

This weakness contributes to A01:2025 Broken Access Control.

NIST 800-53 r5 controls that address this weakness (18) · AI

Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.

Control · Title · Family · Why it addresses this CWE
PM-1 · Information Security Program Plan · PM · Explicit protection requirements make it harder for the plan document to remain accessible to external parties or unauthorized spheres.
PM-17 · Protecting Controlled Unclassified Information on External Systems · PM · Procedures ensure CUI files and resources are not made accessible to external parties without required protections.
PM-5 · System Inventory · PM · Enumerating systems surfaces externally reachable resources that would otherwise remain unmonitored and accessible.
CM-10 · Software Usage Restrictions · CM · Controlling and documenting P2P file sharing prevents files and directories from being made accessible to external parties for unauthorized distribution.
CM-12 · Information Location · CM · Identifying and documenting file and directory locations allows restriction of access to external parties.
MP-1 · Policy and Procedures · MP · Policy restricts media access to authorized parties only, preventing exposure of resources to external or unauthorized actors.
MP-2 · Media Access · MP · Media access restrictions prevent files or directories from being accessible to external parties.
PE-17 · Alternate Work Site · PE · Employing and evaluating controls at documented alternate sites makes files and directories less likely to be accessible to external parties through physical or environmental weaknesses.
PE-3 · Physical Access Control · PE · Controls access to facility areas (including publicly accessible zones) to prevent external parties from reaching internal resources or sensitive locations.
SC-14 · Public Access Protections · SC · Prevents public exposure of files or directories that should not be reachable by unauthenticated parties.
SC-26 · Decoys · SC · Decoy files and directories detect external access attempts and deflect attackers away from actual accessible resources.
AC-22 · Publicly Accessible Content · AC · Controls on authorized publication limit files and directories with nonpublic data from becoming accessible to external parties.
CP-9 · System Backup · CP · Protecting backup files ensures they are not accessible to external parties or unauthorized spheres.
MA-2 · Controlled Maintenance · MA · Sanitizing equipment before off-site maintenance reduces the risk of files or directories containing sensitive data becoming accessible to external parties.
RA-2 · Security Categorization · RA · Categorization results dictate which files and directories must be restricted, making unauthorized external access less likely.

3 more broadly-applicable controls:
SA-6 · Software Usage Restrictions · SA · Explicit controls on peer-to-peer file sharing prevent files and directories from being made accessible to external parties without authorization.
SI-20 · Tainting · SI · Detects improper removal of data from files or directories that are accessible to external parties.
SR-7 · Supply Chain Operations Security · SR · Controls ensure files and directories holding supply-chain data are not left accessible to unauthorized actors.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE · Risk · CVSS · EPSS · Published
CVE-2016-3715 (KEV) · 10.0 · 5.5 · 0.7538 · 2016-05-05
CVE-2017-16651 (KEV) · 10.0 · 7.8 · 0.4283 · 2017-11-09
CVE-2020-17519 (KEV) · 10.0 · 7.5 · 0.9786 · 2021-01-05
CVE-2025-48928 (KEV, UPD) · 10.0 · 4.0 · 0.0037 · 2025-05-28
CVE-2025-11371 (KEV) · 10.0 · 7.5 · 0.9209 · 2025-10-09
CVE-2017-14942 · 8.0 · 9.8 · 0.6086 · 2017-09-30
CVE-2020-15175 · 8.0 · 7.4 · 0.7135 · 2020-10-07
CVE-2021-39316 · 8.0 · 7.5 · 0.6654 · 2021-08-31
CVE-2023-2766 · 8.0 · 5.3 · 0.5423 · 2023-05-17
CVE-2023-50164 · 8.0 · 9.8 · 0.8082 · 2023-12-07
CVE-2024-39931 · 8.0 · 9.9 · 0.5070 · 2024-07-04
CVE-2024-53676 · 8.0 · 9.8 · 0.5134 · 2024-11-27
CVE-2015-5211 · 7.0 · 9.6 · 0.0257 · 2017-05-25
CVE-2017-10930 · 7.0 · 9.8 · 0.0108 · 2017-09-19
CVE-2019-19843 · 7.0 · 9.8 · 0.0182 · 2020-01-22
CVE-2020-12743 · 7.0 · 9.8 · 0.0151 · 2020-05-11
CVE-2020-10516 · 7.0 · 9.8 · 0.0159 · 2020-06-03
CVE-2021-1361 · 7.0 · 9.8 · 0.0157 · 2021-02-24
CVE-2018-10867 · 7.0 · 9.1 · 0.0107 · 2021-05-26
CVE-2021-43821 · 7.0 · 9.9 · 0.0196 · 2021-12-14
CVE-2022-25299 · 7.0 · 9.8 · 0.0141 · 2022-02-18
CVE-2021-32008 · 7.0 · 9.9 · 0.0098 · 2022-03-04
CVE-2023-31066 · 7.0 · 9.1 · 0.0135 · 2023-05-22
CVE-2023-29931 · 7.0 · 9.8 · 0.0089 · 2023-06-22
CVE-2023-5199 · 7.0 · 9.9 · 0.0138 · 2023-10-30