Cyber Resilience

CWE · MITRE source

CWE-642External Control of Critical State Data

Abstraction: Class · CVEs in our corpus: 16

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

If an attacker can modify the state information without detection, then it could be used to perform unauthorized actions or access unexpected resources, since the application programmer does not expect that the state can be changed. State information can be stored in various locations such as a cookie, in a hidden web form field, input parameter or argument, an environment variable, a database record, within a settings file, etc. All of these locations have the potential to be modified by an attacker. When this state information is used to control security or determine resource usage, then it may create a vulnerability. For example, an application may perform authentication, then save the state in an "authenticated=true" cookie. An attacker may simply create this cookie in order to bypass the authentication.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 16 mapping(s) from 6 framework(s): ATT&CK 9 (mostly) · STIG oracle linux 9 2 (mostly) · CAPEC 2 (partial) · STIG oracle linux 8 1 (mostly) · OWASP-Web 1 (mostly) · STIG rhel 7 1 (partial)

See the full cumulative-coverage rollup →

OWASP Top 10 for Web (2025)

This weakness contributes to A06:2025 Insecure Design.

NIST 800-53 r5 controls that address this weakness (4)AI

Control Title Family Why it addresses this CWE
SI-22Information DiversitySIDirectly counters external corruption or unavailability of critical state data by mandating and using alternative sources for essential functions.
SI-9Information Input RestrictionsSILimits external actors' ability to control critical state through input channels.
CM-3Configuration Change ControlCMMonitors, approves, and documents changes to critical configuration state data, mitigating external control risks.
IA-4Identifier ManagementIARequires authorization and prevents reuse, mitigating external control of critical identifier state data.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE Risk CVSS EPSS Published
CVE-2018-153825.58.60.01282018-10-05
CVE-2019-94965.57.50.05222019-04-17
CVE-2020-278725.58.80.00902021-02-04
CVE-2023-05755.57.20.00782023-02-09
CVE-2025-490905.57.10.00422025-10-02
CVE-2026-29146 UPD5.57.50.03492026-04-09
CVE-2017-09283.56.10.01042018-06-04
CVE-2020-19763.54.70.00282020-02-12
CVE-2020-261863.56.80.00362021-01-08
CVE-2022-221543.56.80.00242022-01-19
CVE-2022-328593.55.30.00532022-11-01
CVE-2024-223873.56.80.00312024-07-11
CVE-2024-87543.56.40.00412024-09-12
CVE-2025-54566 UPD3.54.20.00242025-07-25
CVE-2025-267873.54.70.00132025-12-22
CVE-2024-58265 UPD1.53.10.00392025-07-27