Cyber Resilience

CWE · MITRE source

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Abstraction: Base · CVEs in our corpus: 274

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
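The classic shape of this weakness is a loader that builds a path (or URL) from data the deployer does not control and then executes whatever it finds there. The following is an added example, not code from CWE or MITRE: a plugin loader with the weakness beside a hardened loader that keeps inclusion inside the intended control sphere (strict name syntax, path confined to the plugin root after resolution, and a SHA-256 pinned in a deployer-controlled manifest checked before any code runs). The plugin tree, the "uploads" directory standing in for a world-writable location, and the planted `evil.py` are all constructed by the demo itself in a temporary directory.

```python
"""Added example (not from CWE/MITRE): a plugin loader exhibiting CWE-829 and a
hardened loader that only includes functionality from the intended control
sphere. All files and names here are constructed for the demo."""
import hashlib
import importlib.util
import re
import tempfile
from pathlib import Path

# Constructed sample sources: one trusted plugin, one file planted outside the
# plugin root (think world-writable /tmp or a user-controlled upload directory).
TRUSTED_PLUGIN_SRC = "def run():\n    return 'report generated by trusted plugin'\n"
PLANTED_SRC = "def run():\n    return 'ATTACKER CODE EXECUTED'\n"


def build_demo_tree() -> tuple[Path, Path]:
    """Create <tmp>/plugins/report.py (trusted) and <tmp>/uploads/evil.py (planted)."""
    root = Path(tempfile.mkdtemp())
    plugin_root = root / "plugins"
    plugin_root.mkdir()
    (plugin_root / "report.py").write_text(TRUSTED_PLUGIN_SRC)
    outside = root / "uploads"
    outside.mkdir()
    (outside / "evil.py").write_text(PLANTED_SRC)
    return plugin_root, outside


def _exec_module(path: Path):
    """Execute a Python file as a module and return it (no sys.modules registration)."""
    spec = importlib.util.spec_from_file_location(path.stem, path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


# CWE-829: the request parameter is concatenated into a filesystem path and
# whatever lives there is executed. A value such as '../uploads/evil' escapes
# the plugin root, so code from outside the control sphere gets included.
def load_plugin_unsafe(plugin_root: Path, requested: str) -> str:
    path = plugin_root / f"{requested}.py"
    return _exec_module(path).run()


# Hardened loader: strict name syntax, path confinement checked after
# resolution (defense in depth behind the regex), and a pinned hash from a
# deployer-controlled manifest verified before execution.
_NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def load_plugin_safe(plugin_root: Path, requested: str, manifest: dict[str, str]) -> str:
    if not _NAME_RE.fullmatch(requested):
        raise PermissionError(f"rejected plugin name: {requested!r}")
    path = (plugin_root / f"{requested}.py").resolve()
    if not path.is_relative_to(plugin_root.resolve()):  # Python 3.9+
        raise PermissionError("plugin path escapes the plugin root")
    expected = manifest.get(requested)
    if expected is None:
        raise PermissionError(f"{requested!r} is not in the plugin manifest")
    actual = hashlib.sha256(path.read_bytes()).hexdigest()
    if actual != expected:
        raise PermissionError(f"integrity check failed for {requested!r}")
    return _exec_module(path).run()


def demo() -> dict[str, str]:
    """Run both loaders against the constructed tree and collect the outcomes."""
    plugin_root, _ = build_demo_tree()
    # The manifest pins the hash of the plugin the deployer actually shipped.
    manifest = {"report": hashlib.sha256(TRUSTED_PLUGIN_SRC.encode()).hexdigest()}
    results = {}
    results["unsafe_trusted"] = load_plugin_unsafe(plugin_root, "report")
    results["unsafe_escape"] = load_plugin_unsafe(plugin_root, "../uploads/evil")
    results["safe_trusted"] = load_plugin_safe(plugin_root, "report", manifest)
    try:
        load_plugin_safe(plugin_root, "../uploads/evil", manifest)
        results["safe_escape"] = "loaded"
    except PermissionError as exc:
        results["safe_escape"] = f"blocked: {exc}"
    # Tampering with a file inside the plugin root is caught by the pinned hash.
    (plugin_root / "report.py").write_text(PLANTED_SRC)
    try:
        load_plugin_safe(plugin_root, "report", manifest)
        results["safe_tampered"] = "loaded"
    except PermissionError as exc:
        results["safe_tampered"] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The path check alone is not enough: a file that sits inside the plugin root but was modified by someone outside the control sphere (a compromised deploy, a writable directory) is the same weakness, which is why the hash pin is verified even for names that pass the syntax and confinement checks.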

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 28 mappings from 10 frameworks: CAPEC 11 (partial) · ATT&CK 8 (mostly) · ASVS 5.0 2 (partial) · OWASP-Web 1 (full) · STIG oracle linux 8 1 (partial) · STIG oracle linux 9 1 (partial) · STIG rhel 7 1 (partial) · STIG rhel 8 1 (partial) · STIG rhel 9 1 (partial) · STIG windows 10 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A08:2025 Software or Data Integrity Failures.

NIST 800-53 r5 controls that address this weakness (29)

The 15 most specific controls are listed first; the 14 broadly applicable controls that address many weakness types follow. Several SA-family entries were withdrawn in Revision 5 and folded into other controls; they are marked below so that mappings can be pointed at the successor control.

Control · Title · Family · Why it addresses this CWE
SA-1 · Policy and Procedures · SA · Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres.
SA-12 · Supply Chain Protection · SA (withdrawn in r5; incorporated into the SR family) · Requires use of trusted sources and provenance tracking, directly limiting inclusion of functionality from untrusted control spheres.
SA-13 · Trustworthiness · SA (withdrawn in r5; incorporated into SA-8) · Limits inclusion of functionality from untrusted sources through supply-chain and component trustworthiness evaluation before integration.
SR-1 · Policy and Procedures · SR · Supply chain policy and procedures require vetting of external components and suppliers, directly reducing the likelihood of incorporating functionality from untrusted sources.
SR-10 · Inspection of Systems or Components · SR · Inspection can detect malicious functionality that was included from an untrusted sphere through tampering or a supply-chain attack.
SR-11 · Component Authenticity · SR · Anti-counterfeit procedures directly block inclusion of components originating from untrusted supply-chain actors.
SC-18 · Mobile Code · SC · Defining acceptable mobile code technologies and authorizing their use prevents inclusion of functionality from untrusted control spheres.
SC-29 · Heterogeneity · SC · Diversity of sources and implementations limits the blast radius when functionality is drawn from untrusted control spheres.
SC-35 · External Malicious Code Identification · SC · External identification of malicious code makes inclusion of functionality from untrusted network sources substantially harder to perform undetected.
CM-10 · Software Usage Restrictions · CM · Limiting peer-to-peer file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres.
CM-11 · User-installed Software · CM · Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.
CM-8 · System Component Inventory · CM · The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.
MA-3 · Maintenance Tools · MA · Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources.
MP-7 · Media Use · MP · Portable devices with no identifiable owner represent untrusted control spheres; the prohibition prevents inclusion of functionality or data from such sources.
PM-30 · Supply Chain Risk Management Strategy · PM · The strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.

Broadly applicable controls (14)

SA-19 · Component Authenticity · SA (withdrawn in r5; incorporated into SR-11) · Mandates acquisition only from trusted suppliers and verified authentic sources, reducing inclusion of functionality from untrusted control spheres.
SA-20 · Customized Development of Critical Components · SA · Reimplementing critical components avoids pulling in functionality from untrusted external control spheres.
SA-4 · Acquisition Process · SA · Allocation of supply-chain risk management responsibilities and vetting of the development and operational environment reduce inclusion of functionality from untrusted control spheres.
SA-6 · Software Usage Restrictions · SA (withdrawn in r5; incorporated into CM-10) · Software usage restrictions limit inclusion of code obtained from untrusted or non-contracted control spheres.
SA-7 · User-installed Software · SA (withdrawn in r5; incorporated into CM-11) · Prevents inclusion of code or functionality obtained from an untrusted user or external source.
SA-9 · External System Services · SA · Defining oversight, roles, and compliance monitoring for external services directly mitigates the risk of including functionality from an untrusted control sphere.
SR-2 · Supply Chain Risk Management Plan · SR · The control directly mandates assessment and mitigation of risks from external suppliers, reducing inclusion of functionality from untrusted control spheres.
SR-3 · Supply Chain Controls and Processes · SR · Requiring vetted sources and controls for system components prevents inclusion of functionality obtained from untrusted control spheres.
SR-4 · Provenance · SR · Documenting component provenance ensures functionality is only included from verified, trusted control spheres rather than untrusted ones.
SR-5 · Acquisition Strategies, Tools, and Methods · SR · Procurement methods and contract requirements can mandate use of vetted, controlled sources instead of arbitrary third-party or untrusted control spheres.
SR-6 · Supplier Assessments and Reviews · SR · Supplier assessments directly reduce the likelihood of incorporating functionality from untrusted third-party control spheres.
SR-8 · Notification Agreements · SR · Agreements establish channels for suppliers to report integrity or compromise issues in included third-party functionality, shrinking the window for exploitation.
SC-44 · Detonation Chambers · SC · Isolated execution prevents functionality from an untrusted sphere from affecting the real environment, allowing safe behavioral inspection.
SI-3 · Malicious Code Protection · SI · Detects and prevents inclusion of malicious functionality downloaded from untrusted control spheres.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE · Risk · CVSS · EPSS · Published
CVE-2025-32463 (KEV, UPD) · 10.0 · 9.3 · 0.4747 · 2025-06-30
CVE-2018-7422 · 8.0 · 7.5 · 0.6310 · 2018-03-19
CVE-2018-17246 · 8.0 · 9.8 · 0.8225 · 2018-12-20
CVE-2023-2249 · 8.0 · 8.8 · 0.6081 · 2023-06-09
CVE-2024-5762 · 8.0 · 8.1 · 0.7160 · 2024-08-21
CVE-2004-0030 · 7.0 · 9.8 · 0.0735 · 2004-01-20
CVE-2004-0285 · 7.0 · 9.8 · 0.0779 · 2004-11-23
CVE-2010-2076 · 7.0 · 9.8 · 0.0979 · 2010-08-19
CVE-2017-1376 · 7.0 · 9.8 · 0.0263 · 2017-08-29
CVE-2017-5397 · 7.0 · 9.8 · 0.0325 · 2018-06-11
CVE-2018-15486 · 7.0 · 9.1 · 0.0206 · 2018-09-07
CVE-2019-13589 · 7.0 · 9.8 · 0.0435 · 2019-07-14
CVE-2012-4919 · 7.0 · 9.8 · 0.0286 · 2020-01-22
CVE-2020-8128 · 7.0 · 9.8 · 0.0269 · 2020-02-14
CVE-2020-3794 · 7.0 · 9.8 · 0.0697 · 2020-03-25
CVE-2020-4561 · 7.0 · 10.0 · 0.0294 · 2021-06-01
CVE-2020-25414 · 7.0 · 9.8 · 0.0203 · 2021-06-17
CVE-2021-21804 · 7.0 · 9.8 · 0.0370 · 2021-07-16
CVE-2021-32802 · 7.0 · 9.3 · 0.0260 · 2021-09-07
CVE-2020-16152 · 7.0 · 9.8 · 0.3505 · 2021-11-14
CVE-2022-1161 · 7.0 · 10.0 · 0.0501 · 2022-04-11
CVE-2021-41037 · 7.0 · 10.0 · 0.0073 · 2022-07-08
CVE-2022-24119 · 7.0 · 9.8 · 0.0073 · 2022-12-26
CVE-2023-4488 · 7.0 · 9.8 · 0.0100 · 2023-10-20
CVE-2024-35629 · 7.0 · 9.6 · 0.0054 · 2024-06-04