NIST 800-53 r5 · Controls catalogue · Family SI
SI-15 Information Output Filtering
Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: [Assignment: organization-defined software programs and/or applications].
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (42)
- T1021.002 SMB/Windows Admin Shares · Lateral Movement
- T1021.005 VNC · Lateral Movement
- T1048 Exfiltration Over Alternative Protocol · Exfiltration
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol · Exfiltration
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol · Exfiltration
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol · Exfiltration
- T1071.004 DNS · Command And Control
- T1090 Proxy · Command And Control
- T1090.003 Multi-hop Proxy · Command And Control
- T1095 Non-Application Layer Protocol · Command And Control
- T1187 Forced Authentication · Credential Access
- T1197 BITS Jobs · Stealth, Persistence, Execution
- T1205 Traffic Signaling · Stealth, Persistence, Command And Control
- T1205.001 Port Knocking · Stealth, Persistence, Command And Control
- T1218.012 Verclsid · Stealth
- T1218.015 Electron Applications · Stealth
- T1219 Remote Access Tools · Command And Control
- T1498 Network Denial of Service · Impact
- T1498.001 Direct Network Flood · Impact
- T1498.002 Reflection Amplification · Impact
- T1499 Endpoint Denial of Service · Impact
- T1499.001 OS Exhaustion Flood · Impact
- T1499.002 Service Exhaustion Flood · Impact
- T1499.003 Application Exhaustion Flood · Impact
- T1499.004 Application or System Exploitation · Impact
- T1530 Data from Cloud Storage · Collection
- T1537 Transfer Data to Cloud Account · Exfiltration
- T1552 Unsecured Credentials · Credential Access
- T1552.005 Cloud Instance Metadata API · Credential Access
- T1557 Adversary-in-the-Middle · Credential Access, Collection
- T1557.001 Name Resolution Poisoning and SMB Relay · Credential Access, Collection
- T1557.002 ARP Cache Poisoning · Credential Access, Collection
- T1557.003 DHCP Spoofing · Credential Access, Collection
- T1564.009 Resource Forking · Stealth
- T1570 Lateral Tool Transfer · Lateral Movement
- T1572 Protocol Tunneling · Command And Control
- T1599 Network Boundary Bridging · Defense Impairment
- T1599.001 Network Address Translation Traversal · Defense Impairment
- T1602 Data from Configuration Repository · Collection
- T1602.001 SNMP (MIB Dump) · Collection
- T1602.002 Network Device Configuration Dump · Collection
- T1622 Debugger Evasion · Stealth, Discovery
Weaknesses this control addresses (6) · AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 50,384 | Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability. |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Filtering output to only permitted content stops unintended disclosure of sensitive information to unauthorized actors. |
| CWE-532 | Insertion of Sensitive Information into Log File | 1,378 | Checking application output against expected content catches insertion of sensitive values into log streams or files. |
| CWE-209 | Generation of Error Message Containing Sensitive Information | 642 | Validation ensures error messages contain only expected, non-sensitive content and blocks leakage via verbose errors. |
| CWE-116 | Improper Encoding or Escaping of Output | 450 | Validating that output matches expected content directly mitigates failures to properly encode or escape data for its destination context. |
| CWE-117 | Improper Output Neutralization for Logs | 95 | Requiring output to conform to expected content prevents unneutralized data from reaching logs. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-27915 (KEV) | 4.6 | 5.4 | 0.2605 | good |
| CVE-2025-44136 | 2.7 | 9.8 | 0.1302 | good |
| CVE-2025-24459 | 2.3 | 4.6 | 0.2230 | good |
| CVE-2025-50738 | 2.3 | 9.8 | 0.0538 | good |
| CVE-2025-0314 | 2.2 | 8.7 | 0.0790 | good |
| CVE-2024-10441 | 2.1 | 9.8 | 0.0189 | good |
| CVE-2024-57686 | 2.0 | 9.8 | 0.0098 | good |
| CVE-2026-40470 | 2.0 | 9.9 | 0.0005 | good |
| CVE-2026-40472 | 2.0 | 9.9 | 0.0005 | good |
| CVE-2025-14320 | 2.0 | 9.8 | 0.0005 | good |
| CVE-2026-25996 | 2.0 | 9.8 | 0.0008 | good |
| CVE-2026-22792 | 1.9 | 9.6 | 0.0044 | good |
| CVE-2025-30223 | 1.9 | 9.3 | 0.0034 | good |
| CVE-2026-29183 | 1.9 | 9.3 | 0.0040 | good |
| CVE-2026-34932 | 1.9 | 9.3 | 0.0001 | good |
| CVE-2026-33136 | 1.9 | 9.3 | 0.0005 | good |
| CVE-2025-66024 | 1.9 | 9.0 | 0.0086 | good |
| CVE-2026-32754 | 1.9 | 9.3 | 0.0008 | good |
| CVE-2026-31845 | 1.9 | 9.3 | 0.0002 | good |
| CVE-2025-66481 | 1.9 | 9.6 | 0.0021 | good |
| CVE-2024-56289 | 1.9 | 7.1 | 0.0755 | good |
| CVE-2026-32940 | 1.9 | 9.3 | 0.0009 | good |
| CVE-2025-0376 | 1.9 | 8.7 | 0.0237 | good |
| CVE-2026-30928 | 1.9 | 7.5 | 0.0641 | good |
| CVE-2026-42090 | 1.9 | 9.6 | 0.0016 | good |