CWE · MITRE source
CWE-552: Files or Directories Accessible to External Parties
The product makes files or directories accessible to unauthorized actors, even though they should not be.
Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.
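The three situations above (sensitive files under a served root, sensitive files swept into an export archive, and storage readable by anyone) share one fix: decide explicitly, per path, who may read it, and apply that decision both when serving a request and when packaging files. The following Python is an added example written for this page, not code from MITRE or from any product listed here; the sensitive-path patterns, the directory tree it constructs, and the rule that sensitive files require an authenticated user are assumptions chosen for illustration.

```python
import fnmatch
import io
import os
import zipfile
from pathlib import Path, PurePosixPath
from typing import Optional

# Constructed deny-list (assumption for this example): names that routinely
# end up under a document root or in an export bundle but must never be
# handed to anonymous clients. Tune it to the application being protected.
SENSITIVE_PATTERNS = (".env", ".env.*", "*.pem", "*.key", "*.bak",
                      "*.sql", "*.log", "*.swp", "config.php")
SENSITIVE_DIRS = (".git", ".svn", "backup", "private", "node_modules")


def is_sensitive(rel: str) -> bool:
    """True if a root-relative POSIX path names a sensitive file or sits in a sensitive directory."""
    parts = PurePosixPath(rel).parts
    if any(p in SENSITIVE_DIRS for p in parts):
        return True
    name = parts[-1] if parts else ""
    return any(fnmatch.fnmatch(name, pat) for pat in SENSITIVE_PATTERNS)


def resolve_under_root(root: Path, requested: str) -> Optional[Path]:
    """Resolve a client-supplied path and confirm it still lies inside root."""
    root = root.resolve()
    target = (root / requested.lstrip("/")).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return None          # escaped the root (e.g. via "..")
    return target


def can_serve(root: Path, requested: str, authenticated: bool) -> bool:
    """Access decision for a file request against the served root.

    Non-sensitive files are public; sensitive ones require an authenticated
    user (the policy is an assumption for this example). Anything outside the
    root, or not a regular file, is refused.
    """
    target = resolve_under_root(root, requested)
    if target is None or not target.is_file():
        return False
    rel = target.relative_to(root.resolve()).as_posix()
    if is_sensitive(rel):
        return authenticated
    return True


def build_archive(root: Path) -> bytes:
    """Package root into a ZIP, applying the same deny-list so secrets never ship in an export."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune in place so os.walk never descends into sensitive directories.
            dirnames[:] = [d for d in dirnames if d not in SENSITIVE_DIRS]
            rel_dir = Path(dirpath).relative_to(root).as_posix()
            for fn in filenames:
                rel = fn if rel_dir == "." else f"{rel_dir}/{fn}"
                if is_sensitive(rel):
                    continue
                zf.write(Path(dirpath) / fn, arcname=rel)
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree: a public page, a secret, and a backup dump.
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text("<h1>hello</h1>")
    (root / ".env").write_text("DB_PASSWORD=example")
    (root / "backup").mkdir()
    (root / "backup" / "dump.sql").write_text("-- constructed dump")
    print("anonymous /index.html ->", can_serve(root, "/index.html", False))
    print("anonymous /.env       ->", can_serve(root, "/.env", False))
    with zipfile.ZipFile(io.BytesIO(build_archive(root))) as zf:
        print("archive contents      ->", zf.namelist())
```

The same `is_sensitive` predicate drives both the request path and the archive path, so the two cannot drift apart; the cloud-storage variant of this weakness is the same decision made at bucket or object ACL level rather than in application code.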
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 16 mapping(s) from 4 framework(s): ATT&CK 11 (mostly) · CAPEC 2 (partial) · STIG oracle linux 8 2 (partial) · OWASP-Web 1 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
NIST 800-53 r5 controls that address this weakness (18) · AI
Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| PM-1 | Information Security Program Plan | PM | Explicit protection requirements make it harder for the plan document to remain accessible to external parties or unauthorized spheres. |
| PM-17 | Protecting Controlled Unclassified Information on External Systems | PM | Procedures ensure CUI files and resources are not made accessible to external parties without required protections. |
| PM-5 | System Inventory | PM | Enumerating systems surfaces externally reachable resources that would otherwise remain unmonitored and accessible. |
| CM-10 | Software Usage Restrictions | CM | Controlling and documenting P2P file sharing prevents files and directories from being made accessible to external parties for unauthorized distribution. |
| CM-12 | Information Location | CM | Identifying and documenting file and directory locations allows restriction of access to external parties. |
| MP-1 | Policy and Procedures | MP | Policy restricts media access to authorized parties only, preventing exposure of resources to external or unauthorized actors. |
| MP-2 | Media Access | MP | Media access restrictions prevent files or directories from being accessible to external parties. |
| PE-17 | Alternate Work Site | PE | Employing and evaluating controls at documented alternate sites makes files and directories less likely to be accessible to external parties through physical or environmental weaknesses. |
| PE-3 | Physical Access Control | PE | Controls access to facility areas (including publicly accessible zones) to prevent external parties from reaching internal resources or sensitive locations. |
| SC-14 | Public Access Protections | SC | Prevents public exposure of files or directories that should not be reachable by unauthenticated parties. |
| SC-26 | Decoys | SC | Decoy files and directories detect external access attempts and deflect attackers away from actual accessible resources. |
| AC-22 | Publicly Accessible Content | AC | Controls on authorized publication limit files and directories with nonpublic data from becoming accessible to external parties. |
| CP-9 | System Backup | CP | Protecting backup files ensures they are not accessible to external parties or unauthorized spheres. |
| MA-2 | Controlled Maintenance | MA | Sanitizing equipment before off-site maintenance reduces the risk of files or directories containing sensitive data becoming accessible to external parties. |
| RA-2 | Security Categorization | RA | Categorization results dictate which files and directories must be restricted, making unauthorized external access less likely. |
| SA-6 | Software Usage Restrictions | SA | Explicit controls on peer-to-peer file sharing prevent files and directories from being made accessible to external parties without authorization. |
| SI-20 | Tainting | SI | Detects improper removal of data from files or directories that are accessible to external parties. |
| SR-7 | Supply Chain Operations Security | SR | Controls ensure files and directories holding supply-chain data are not left accessible to unauthorized actors. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Flags | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|---|
| CVE-2016-3715 | KEV | 10.0 | 5.5 | 0.7538 | 2016-05-05 |
| CVE-2017-16651 | KEV | 10.0 | 7.8 | 0.4283 | 2017-11-09 |
| CVE-2020-17519 | KEV | 10.0 | 7.5 | 0.9786 | 2021-01-05 |
| CVE-2025-48928 | KEV, UPD | 10.0 | 4.0 | 0.0037 | 2025-05-28 |
| CVE-2025-11371 | KEV | 10.0 | 7.5 | 0.9209 | 2025-10-09 |
| CVE-2017-14942 | | 8.0 | 9.8 | 0.6086 | 2017-09-30 |
| CVE-2020-15175 | | 8.0 | 7.4 | 0.7135 | 2020-10-07 |
| CVE-2021-39316 | | 8.0 | 7.5 | 0.6654 | 2021-08-31 |
| CVE-2023-2766 | | 8.0 | 5.3 | 0.5423 | 2023-05-17 |
| CVE-2023-50164 | | 8.0 | 9.8 | 0.8082 | 2023-12-07 |
| CVE-2024-39931 | | 8.0 | 9.9 | 0.5070 | 2024-07-04 |
| CVE-2024-53676 | | 8.0 | 9.8 | 0.5134 | 2024-11-27 |
| CVE-2015-5211 | | 7.0 | 9.6 | 0.0257 | 2017-05-25 |
| CVE-2017-10930 | | 7.0 | 9.8 | 0.0108 | 2017-09-19 |
| CVE-2019-19843 | | 7.0 | 9.8 | 0.0182 | 2020-01-22 |
| CVE-2020-12743 | | 7.0 | 9.8 | 0.0151 | 2020-05-11 |
| CVE-2020-10516 | | 7.0 | 9.8 | 0.0159 | 2020-06-03 |
| CVE-2021-1361 | | 7.0 | 9.8 | 0.0157 | 2021-02-24 |
| CVE-2018-10867 | | 7.0 | 9.1 | 0.0107 | 2021-05-26 |
| CVE-2021-43821 | | 7.0 | 9.9 | 0.0196 | 2021-12-14 |
| CVE-2022-25299 | | 7.0 | 9.8 | 0.0141 | 2022-02-18 |
| CVE-2021-32008 | | 7.0 | 9.9 | 0.0098 | 2022-03-04 |
| CVE-2023-31066 | | 7.0 | 9.1 | 0.0135 | 2023-05-22 |
| CVE-2023-29931 | | 7.0 | 9.8 | 0.0089 | 2023-06-22 |
| CVE-2023-5199 | | 7.0 | 9.9 | 0.0138 | 2023-10-30 |