NIST 800-53 r5 · Controls catalogue · Family SA
SA-22Unsupported System Components
Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (6)
- T1189 Drive-by Compromise Initial Access
- T1195 Supply Chain Compromise Initial Access
- T1195.001 Compromise Software Dependencies and Development Tools Initial Access
- T1195.002 Compromise Software Supply Chain Initial Access
- T1543 Create or Modify System Process Persistence, Privilege Escalation
- T1543.002 Systemd Service Persistence, Privilege Escalation
Weaknesses this control addresses (2)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-1104 | Use of Unmaintained Third Party Components | 19 | Directly prevents continued use of components that receive no further security updates or patches from the vendor. |
CWE-477 | Use of Obsolete Function | 16 | Eliminates reliance on functions or components explicitly declared obsolete and unsupported by their maintainers. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2023-52163 KEV | 7.9 | 8.8 | 0.6950 | good |
CVE-2025-59374 KEV | 6.0 | 9.8 | 0.3475 | good |
CVE-2016-15057 | 3.7 | 9.9 | 0.2889 | good |
CVE-2025-2620 | 3.5 | 9.8 | 0.2640 | good |
CVE-2025-10666 | 2.1 | 8.8 | 0.0637 | good |
CVE-2026-3485 | 2.0 | 9.8 | 0.0046 | good |
CVE-2025-15471 | 2.0 | 9.8 | 0.0128 | good |
CVE-2025-0982 | 2.0 | 10.0 | 0.0007 | good |
CVE-2025-2619 | 2.0 | 9.8 | 0.0036 | good |
CVE-2026-4184 | 2.0 | 9.8 | 0.0027 | good |
CVE-2026-4183 | 2.0 | 9.8 | 0.0027 | good |
CVE-2025-13188 | 2.0 | 9.8 | 0.0035 | good |
CVE-2025-2618 | 2.0 | 9.8 | 0.0036 | good |
CVE-2026-4182 | 2.0 | 9.8 | 0.0027 | good |
CVE-2026-4181 | 2.0 | 9.8 | 0.0027 | good |
CVE-2025-2621 | 2.0 | 9.8 | 0.0036 | good |
CVE-2025-15194 | 2.0 | 9.8 | 0.0025 | good |
CVE-2026-41873 | 2.0 | 9.8 | 0.0016 | good |
CVE-2024-12016 | 2.0 | 9.8 | 0.0010 | good |
CVE-2026-42374 | 2.0 | 9.8 | 0.0016 | good |
CVE-2026-42376 | 2.0 | 9.8 | 0.0006 | good |
CVE-2026-42375 | 2.0 | 9.8 | 0.0012 | good |
CVE-2026-42373 | 2.0 | 9.8 | 0.0012 | good |
CVE-2025-66050 | 2.0 | 9.8 | 0.0006 | good |
CVE-2025-10220 | 2.0 | 9.8 | 0.0089 | good |