CWE · MITRE source
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Last updated: 04 July 2026 00:28 UTC
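The definition above is abstract; the following added example (illustration for this page, not code from MITRE or from any product listed below) shows the weakness in its most common application-level form and the check that closes it. A loader fetches a "plugin" from an external source and executes it as-is, beside a loader that only accepts an allowlisted plugin whose bytes match a SHA-256 digest recorded when the code was reviewed. The plugin names, URLs, payloads and the in-memory "remote" are all constructed so the script runs offline.

```python
"""CWE-829 in miniature: code pulled from outside the control sphere, beside a
loader that pins the code to a digest recorded at review time.
Added illustration; every name, URL and payload here is constructed."""
import hashlib
import hmac

# Constructed stand-in for the external sphere (CDN, plugin registry,
# user-supplied URL). Whatever this dict holds is what "the network" serves.
REMOTE = {
    "https://plugins.example/report.py": b"def run():\n    return 'report v1'\n",
}

# Provenance kept inside the control sphere: allowlisted plugin name ->
# (expected source, SHA-256 of the bytes that were reviewed and approved).
PINS = {
    "report": (
        "https://plugins.example/report.py",
        hashlib.sha256(REMOTE["https://plugins.example/report.py"]).hexdigest(),
    ),
}


class UntrustedCodeError(Exception):
    """Raised when fetched code is not the code that was vetted."""


def fetch(url: str) -> bytes:
    """Untrusted fetch: returns whatever the external side currently serves."""
    return REMOTE[url]


def _run_plugin(blob: bytes, origin: str) -> str:
    ns: dict = {}
    exec(compile(blob, origin, "exec"), ns)  # the fetched code runs as this process
    return ns["run"]()


def load_plugin_unsafe(url: str) -> str:
    """Vulnerable (CWE-829): executes functionality straight from the untrusted
    sphere, so a swapped CDN object or hijacked registry entry runs as us."""
    return _run_plugin(fetch(url), url)


def load_plugin_pinned(name: str) -> str:
    """Hardened: only allowlisted plugins, only from their recorded source, and
    only if the served bytes match the digest pinned at review time."""
    if name not in PINS:
        raise UntrustedCodeError(f"plugin {name!r} is not on the allowlist")
    url, expected = PINS[name]
    blob = fetch(url)
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise UntrustedCodeError(
            f"{name}: served bytes do not match the pinned digest "
            f"(got {actual[:12]}..., expected {expected[:12]}...)"
        )
    return _run_plugin(blob, url)


def compromise_remote() -> None:
    """Simulate tampering in the external sphere (constructed attacker payload)."""
    REMOTE["https://plugins.example/report.py"] = (
        b"def run():\n    return 'attacker code ran'\n"
    )


if __name__ == "__main__":
    url = PINS["report"][0]
    print("before tampering, pinned :", load_plugin_pinned("report"))
    compromise_remote()
    print("after tampering, unsafe  :", load_plugin_unsafe(url))
    try:
        load_plugin_pinned("report")
    except UntrustedCodeError as err:
        print("after tampering, pinned  : rejected ->", err)
```

Pinning a digest turns the fetch into a verification step rather than a trust decision: the untrusted sphere can still serve anything, but only the reviewed bytes execute. The same idea appears as the `integrity` attribute of Subresource Integrity for browser scripts and as hash-pinned requirements (`pip install --require-hashes`) for packages. The pin only guarantees that what runs is what was reviewed; it does not make the review itself unnecessary, which is why inspection controls such as SR-10 below still apply.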
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 28 mapping(s) from 10 framework(s): CAPEC 11 (partial) · ATT&CK 8 (mostly) · ASVS 5.0 2 (partial) · OWASP-Web 1 (full) · STIG oracle linux 8 1 (partial) · STIG oracle linux 9 1 (partial) · STIG rhel 7 1 (partial) · STIG rhel 8 1 (partial) · STIG rhel 9 1 (partial) · STIG windows 10 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A08:2025 Software or Data Integrity Failures.
NIST 800-53 r5 controls that address this weakness (29) [AI]
Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-1 | Policy and Procedures | SA | Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres. |
| SA-12 | Supply Chain Protection (withdrawn in r5; incorporated into the SR family) | SA | Requires use of trusted sources and provenance tracking, tangibly limiting inclusion of functionality from untrusted control spheres. |
| SA-13 | Trustworthiness (withdrawn in r5; incorporated into SA-8) | SA | Limits inclusion of functionality from untrusted sources through supply-chain and component trustworthiness evaluation before integration. |
| SR-1 | Policy and Procedures | SR | Supply chain policy and procedures require vetting of external components and suppliers, directly reducing the likelihood of incorporating functionality from untrusted sources. |
| SR-10 | Inspection of Systems or Components | SR | Inspection can detect malicious functionality that was included from an untrusted sphere through tampering or a supply-chain attack. |
| SR-11 | Component Authenticity | SR | Anti-counterfeit procedures directly block inclusion of components originating from untrusted supply-chain actors. |
| SC-18 | Mobile Code | SC | Defining acceptable mobile code technologies and authorizing their use prevents inclusion of functionality from untrusted control spheres. |
| SC-29 | Heterogeneity | SC | Diversity of sources and implementations limits the blast radius when functionality is drawn from untrusted control spheres. |
| SC-35 | External Malicious Code Identification | SC | External identification of malicious code makes inclusion of functionality from untrusted network sources substantially harder to perform undetected. |
| CM-10 | Software Usage Restrictions | CM | Limiting peer-to-peer file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres. |
| CM-11 | User-installed Software | CM | Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres. |
| CM-8 | System Component Inventory | CM | The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews. |
| MA-3 | Maintenance Tools | MA | Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources. |
| MP-7 | Media Use | MP | Unowned portable devices represent untrusted control spheres; the prohibition prevents inclusion of functionality or data from such sources. |
| PM-30 | Supply Chain Risk Management Strategy | PM | The strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres. |
The remaining 14 controls apply broadly across many weakness types:
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-19 | Component Authenticity (withdrawn in r5; moved to SR-11) | SA | Mandates acquisition only from trusted suppliers and verified authentic sources, reducing inclusion of functionality from untrusted control spheres. |
| SA-20 | Customized Development of Critical Components | SA | Reimplementing critical components avoids pulling in functionality from untrusted external control spheres. |
| SA-4 | Acquisition Process | SA | Allocation of supply-chain risk management responsibilities and vetting of the development/operational environment reduce inclusion of functionality from untrusted control spheres. |
| SA-6 | Software Usage Restrictions (withdrawn; incorporated into CM-10 and SI-7) | SA | Software usage restrictions limit inclusion of code obtained from untrusted or non-contracted control spheres. |
| SA-7 | User-installed Software (withdrawn; incorporated into CM-11 and SI-7) | SA | Prevents inclusion of code or functionality obtained from an untrusted user or external source. |
| SA-9 | External System Services | SA | Defining oversight, roles, and compliance monitoring for external services directly mitigates the risk of including functionality from an untrusted control sphere. |
| SR-2 | Supply Chain Risk Management Plan | SR | The control directly mandates assessment and mitigation of risks from external suppliers, reducing inclusion of functionality from untrusted control spheres. |
| SR-3 | Supply Chain Controls and Processes | SR | Requiring vetted sources and controls for system components prevents inclusion of functionality obtained from untrusted control spheres. |
| SR-4 | Provenance | SR | Documenting component provenance ensures functionality is only included from verified, trusted control spheres rather than untrusted ones. |
| SR-5 | Acquisition Strategies, Tools, and Methods | SR | Procurement methods and contract requirements can mandate use of vetted, controlled sources instead of arbitrary third-party or untrusted control spheres. |
| SR-6 | Supplier Assessments and Reviews | SR | Supplier assessments directly reduce the likelihood of incorporating functionality from untrusted third-party control spheres. |
| SR-8 | Notification Agreements | SR | Agreements establish channels for suppliers to report integrity or compromise issues in included third-party functionality, shrinking the window for exploitation. |
| SC-44 | Detonation Chambers | SC | Isolated execution prevents functionality from an untrusted sphere from affecting the real environment, allowing safe behavioral inspection. |
| SI-3 | Malicious Code Protection | SI | Detects and prevents inclusion of malicious functionality downloaded from untrusted control spheres. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-32463 (KEV, UPD) | 10.0 | 9.3 | 0.4747 | 2025-06-30 |
| CVE-2018-7422 | 8.0 | 7.5 | 0.6310 | 2018-03-19 |
| CVE-2018-17246 | 8.0 | 9.8 | 0.8225 | 2018-12-20 |
| CVE-2023-2249 | 8.0 | 8.8 | 0.6081 | 2023-06-09 |
| CVE-2024-5762 | 8.0 | 8.1 | 0.7160 | 2024-08-21 |
| CVE-2004-0030 | 7.0 | 9.8 | 0.0735 | 2004-01-20 |
| CVE-2004-0285 | 7.0 | 9.8 | 0.0779 | 2004-11-23 |
| CVE-2010-2076 | 7.0 | 9.8 | 0.0979 | 2010-08-19 |
| CVE-2017-1376 | 7.0 | 9.8 | 0.0263 | 2017-08-29 |
| CVE-2017-5397 | 7.0 | 9.8 | 0.0325 | 2018-06-11 |
| CVE-2018-15486 | 7.0 | 9.1 | 0.0206 | 2018-09-07 |
| CVE-2019-13589 | 7.0 | 9.8 | 0.0435 | 2019-07-14 |
| CVE-2012-4919 | 7.0 | 9.8 | 0.0286 | 2020-01-22 |
| CVE-2020-8128 | 7.0 | 9.8 | 0.0269 | 2020-02-14 |
| CVE-2020-3794 | 7.0 | 9.8 | 0.0697 | 2020-03-25 |
| CVE-2020-4561 | 7.0 | 10.0 | 0.0294 | 2021-06-01 |
| CVE-2020-25414 | 7.0 | 9.8 | 0.0203 | 2021-06-17 |
| CVE-2021-21804 | 7.0 | 9.8 | 0.0370 | 2021-07-16 |
| CVE-2021-32802 | 7.0 | 9.3 | 0.0260 | 2021-09-07 |
| CVE-2020-16152 | 7.0 | 9.8 | 0.3505 | 2021-11-14 |
| CVE-2022-1161 | 7.0 | 10.0 | 0.0501 | 2022-04-11 |
| CVE-2021-41037 | 7.0 | 10.0 | 0.0073 | 2022-07-08 |
| CVE-2022-24119 | 7.0 | 9.8 | 0.0073 | 2022-12-26 |
| CVE-2023-4488 | 7.0 | 9.8 | 0.0100 | 2023-10-20 |
| CVE-2024-35629 | 7.0 | 9.6 | 0.0054 | 2024-06-04 |