NIST 800-53 r5 · Controls catalogue · Family SC
SC-18 Mobile Code
a. Define acceptable and unacceptable mobile code and mobile code technologies; and
b. Authorize, monitor, and control the use of mobile code within the system.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (38)
- T1021.003 Distributed Component Object Model (Lateral Movement)
- T1055 Process Injection (Stealth, Privilege Escalation)
- T1055.001 Dynamic-link Library Injection (Stealth, Privilege Escalation)
- T1055.002 Portable Executable Injection (Stealth, Privilege Escalation)
- T1055.003 Thread Execution Hijacking (Stealth, Privilege Escalation)
- T1055.004 Asynchronous Procedure Call (Stealth, Privilege Escalation)
- T1055.005 Thread Local Storage (Stealth, Privilege Escalation)
- T1055.008 Ptrace System Calls (Stealth, Privilege Escalation)
- T1055.009 Proc Memory (Stealth, Privilege Escalation)
- T1055.011 Extra Window Memory Injection (Stealth, Privilege Escalation)
- T1055.012 Process Hollowing (Stealth, Privilege Escalation)
- T1055.013 Process Doppelgänging (Stealth, Privilege Escalation)
- T1055.014 VDSO Hijacking (Stealth, Privilege Escalation)
- T1059 Command and Scripting Interpreter (Execution)
- T1059.005 Visual Basic (Execution)
- T1059.007 JavaScript (Execution)
- T1068 Exploitation for Privilege Escalation (Privilege Escalation)
- T1127.002 ClickOnce (Stealth, Execution)
- T1137 Office Application Startup (Persistence)
- T1137.001 Office Template Macros (Persistence)
- T1137.002 Office Test (Persistence)
- T1137.003 Outlook Forms (Persistence)
- T1137.004 Outlook Home Page (Persistence)
- T1137.005 Outlook Rules (Persistence)
- T1137.006 Add-ins (Persistence)
- T1189 Drive-by Compromise (Initial Access)
- T1190 Exploit Public-Facing Application (Initial Access)
- T1203 Exploitation for Client Execution (Execution)
- T1210 Exploitation of Remote Services (Lateral Movement)
- T1211 Exploitation for Stealth (Stealth)
- T1212 Exploitation for Credential Access (Credential Access)
- T1218.001 Compiled HTML File (Stealth)
- T1218.015 Electron Applications (Stealth)
- T1548 Abuse Elevation Control Mechanism (Privilege Escalation)
- T1548.004 Elevated Execution with Prompt (Privilege Escalation)
- T1559 Inter-Process Communication (Execution)
- T1559.001 Component Object Model (Execution)
- T1559.002 Dynamic Data Exchange (Execution)
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Defining acceptable mobile code technologies and authorizing their use prevents inclusion of functionality from untrusted control spheres. |
| CWE-494 | Download of Code Without Integrity Check | 242 | Authorizing and controlling mobile code requires verifying origin and integrity before download/execution, directly preventing this weakness. |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | 107 | Requiring explicit authorization and ongoing control of mobile code implements proper management of dynamically loaded code resources. |
| CWE-506 | Embedded Malicious Code | 80 | Monitoring mobile code usage enables detection of embedded malicious code delivered through allowed mobile code channels. |
| CWE-830 | Inclusion of Web Functionality from an Untrusted Source | 12 | Restricting mobile code technologies and monitoring their use blocks web functionality (e.g., scripts) loaded from untrusted sources. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-30957 | 2.0 | 9.9 | 0.0010 | good |
| CVE-2026-30887 | 2.0 | 9.9 | 0.0006 | good |
| CVE-2026-25641 | 2.0 | 10.0 | 0.0002 | good |
| CVE-2025-5120 | 2.0 | 10.0 | 0.0040 | good |
| CVE-2026-39911 | 1.8 | 8.8 | 0.0012 | good |
| CVE-2026-40156 | 1.6 | 7.8 | 0.0003 | good |
| CVE-2025-0982 | 2.0 | 10.0 | 0.0007 | good |
| CVE-2026-41265 | 2.0 | 9.8 | 0.0017 | good |
| CVE-2026-22208 | 1.9 | 9.6 | 0.0023 | good |
| CVE-2026-0500 | 1.9 | 9.6 | 0.0012 | good |
| CVE-2026-6859 | 1.8 | 8.8 | 0.0013 | good |
| CVE-2026-27893 | 1.8 | 8.8 | 0.0003 | good |
| CVE-2026-26056 | 1.8 | 8.8 | 0.0006 | good |
| CVE-2026-22771 | 1.8 | 8.8 | 0.0000 | good |
| CVE-2025-51464 | 1.8 | 8.8 | 0.0070 | good |
| CVE-2025-0118 | 1.7 | 8.0 | 0.0099 | good |
| CVE-2026-34217 | 1.4 | 7.2 | 0.0007 | partial |
| CVE-2025-66448 | 1.4 | 7.1 | 0.0004 | good |
| CVE-2026-3774 | 0.9 | 4.7 | 0.0002 | good |
| CVE-2025-1015 | 2.5 | 5.4 | 0.2377 | good |
| CVE-2026-33396 | 2.0 | 9.9 | 0.0097 | partial |
| CVE-2026-40911 | 2.0 | 10.0 | 0.0029 | good |
| CVE-2026-28505 | 2.0 | 10.0 | 0.0003 | partial |
| CVE-2026-24118 | 2.0 | 9.8 | 0.0013 | good |
| CVE-2026-22709 | 2.0 | 9.8 | 0.0005 | partial |