CWE · MITRE source
CWE-669: Incorrect Resource Transfer Between Spheres
The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 1 mapping(s) from 1 framework(s): ATT&CK 1 (mostly)
NIST 800-53 r5 controls that address this weakness (5) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-32 | System Partitioning | SC | Reduces incorrect transfers between spheres by establishing clear, separate domains for different sensitivities or functions. |
| SC-46 | Cross Domain Policy Enforcement | SC | It governs all resource transfers between spheres, preventing incorrect or unauthorized movement of data or capabilities across domain interfaces. |
| AC-4 | Information Flow Enforcement | AC | Enforces proper authorization rules for any resource or data transfer between different spheres. |
| MP-5 | Media Transport | MP | Accountability, documentation, and protection requirements ensure correct transfer of media resources between spheres. |
| SR-12 | Component Disposal | SR | Addresses incorrect transfer of resources to an uncontrolled sphere by requiring approved destruction or sanitization methods. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-22900 KEV | 10.0 | 7.2 | 0.1415 | 2021-05-27 |
| CVE-2026-31431 KEV UPD | 10.0 | 7.8 | 0.9627 | 2026-04-22 |
| CVE-2016-5062 | 7.0 | 9.8 | 0.0390 | 2016-09-29 |
| CVE-2019-13025 | 7.0 | 9.8 | 0.0332 | 2019-10-02 |
| CVE-2020-15892 | 7.0 | 9.8 | 0.0164 | 2020-07-22 |
| CVE-2020-5800 | 7.0 | 9.8 | 0.0156 | 2020-12-07 |
| CVE-2020-24683 | 7.0 | 9.8 | 0.0141 | 2020-12-22 |
| CVE-2021-30120 | 7.0 | 9.9 | 0.0570 | 2021-07-09 |
| CVE-2022-20658 | 7.0 | 9.6 | 0.0139 | 2022-01-14 |
| CVE-2022-4446 | 7.0 | 9.8 | 0.0127 | 2022-12-13 |
| CVE-2023-31114 | 7.0 | 9.1 | 0.0056 | 2023-06-07 |
| CVE-2025-67895 | 7.0 | 9.8 | 0.0082 | 2025-12-17 |
| CVE-2002-0055 | 6.0 | 0.0 | 0.3756 | 2002-03-08 |
| CVE-2020-1048 | 6.0 | 7.8 | 0.1650 | 2020-05-21 |
| CVE-2019-10248 | 5.5 | 8.1 | 0.0043 | 2019-04-22 |
| CVE-2019-11875 | 5.5 | 8.8 | 0.0227 | 2019-05-24 |
| CVE-2019-11770 | 5.5 | 8.1 | 0.0126 | 2019-06-14 |
| CVE-2019-1020011 | 5.5 | 7.2 | 0.0132 | 2019-07-29 |
| CVE-2018-17791 | 5.5 | 7.5 | 0.0191 | 2019-08-21 |
| CVE-2019-13263 | 5.5 | 8.8 | 0.0117 | 2019-08-27 |
| CVE-2019-13266 | 5.5 | 8.8 | 0.0097 | 2019-08-27 |
| CVE-2012-2979 | 5.5 | 7.5 | 0.0174 | 2019-11-01 |
| CVE-2020-25917 | 5.5 | 8.8 | 0.0124 | 2020-12-26 |
| CVE-2021-20411 | 5.5 | 8.1 | 0.0040 | 2021-02-12 |
| CVE-2021-21531 | 5.5 | 8.1 | 0.0069 | 2021-04-30 |