NIST 800-53 r5 · Controls catalogue · Family SI
SI-2 Flaw Remediation
- Identify, report, and correct system flaws;
- Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
- Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and
- Incorporate flaw remediation into the organizational configuration management process.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (1)
- aws-config-rds-automatic-minor-version-upgrade-enabled · RDS instances have minor version auto-upgrade · AWS::RDS::DBInstance · partial
ATT&CK techniques this control mitigates (84)
- T1003 OS Credential Dumping Credential Access
- T1003.001 LSASS Memory Credential Access
- T1027 Obfuscated Files or Information Stealth
- T1027.002 Software Packing Stealth
- T1027.007 Dynamic API Resolution Stealth
- T1027.008 Stripped Payloads Stealth
- T1027.009 Embedded Payloads Stealth
- T1047 Windows Management Instrumentation Execution
- T1055 Process Injection Stealth, Privilege Escalation
- T1055.001 Dynamic-link Library Injection Stealth, Privilege Escalation
- T1055.002 Portable Executable Injection Stealth, Privilege Escalation
- T1055.003 Thread Execution Hijacking Stealth, Privilege Escalation
- T1055.004 Asynchronous Procedure Call Stealth, Privilege Escalation
- T1055.005 Thread Local Storage Stealth, Privilege Escalation
- T1055.008 Ptrace System Calls Stealth, Privilege Escalation
- T1055.009 Proc Memory Stealth, Privilege Escalation
- T1055.011 Extra Window Memory Injection Stealth, Privilege Escalation
- T1055.012 Process Hollowing Stealth, Privilege Escalation
- T1055.013 Process Doppelgänging Stealth, Privilege Escalation
- T1055.014 VDSO Hijacking Stealth, Privilege Escalation
- T1059 Command and Scripting Interpreter Execution
- T1059.001 PowerShell Execution
- T1059.005 Visual Basic Execution
- T1059.006 Python Execution
- T1068 Exploitation for Privilege Escalation Privilege Escalation
- T1072 Software Deployment Tools Execution, Lateral Movement
- T1106 Native API Execution
- T1137 Office Application Startup Persistence
- T1137.003 Outlook Forms Persistence
- T1137.004 Outlook Home Page Persistence
- T1137.005 Outlook Rules Persistence
- T1189 Drive-by Compromise Initial Access
- T1190 Exploit Public-Facing Application Initial Access
- T1195 Supply Chain Compromise Initial Access
- T1195.001 Compromise Software Dependencies and Development Tools Initial Access
- T1195.002 Compromise Software Supply Chain Initial Access
- T1195.003 Compromise Hardware Supply Chain Initial Access
- T1203 Exploitation for Client Execution Execution
- T1204 User Execution Execution
- T1204.001 Malicious Link Execution
- T1204.003 Malicious Image Execution
- T1210 Exploitation of Remote Services Lateral Movement
- T1211 Exploitation for Stealth Stealth
- T1212 Exploitation for Credential Access Credential Access
- T1213.003 Code Repositories Collection
- T1213.005 Messaging Applications Collection
- T1221 Template Injection Stealth
- T1495 Firmware Corruption Impact
- T1525 Implant Internal Image Persistence
- T1542 Pre-OS Boot Stealth, Persistence
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale column describes how this control reduces the exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | 736 | Flaw remediation replaces broken or risky cryptographic algorithms once safer implementations are released by vendors. |
| CWE-326 | Inadequate Encryption Strength | 513 | Prompt patching corrects inadequate encryption strength when vendors release updates that increase key sizes or algorithm security. |
| CWE-328 | Use of Weak Hash | 58 | Security updates supplant weak hashing algorithms with stronger alternatives before attackers can exploit the original weakness. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Timely identification and installation of updates directly prevents use of unmaintained third-party components whose known flaws remain exploitable. |
| CWE-477 | Use of Obsolete Function | 16 | Software and firmware updates replace obsolete functions whose retained presence leaves systems exposed to publicly known weaknesses. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2024-50603 (KEV) | 9.7 | 10.0 | 0.9436 | good |
| CVE-2024-13160 (KEV) | 9.6 | 9.8 | 0.9381 | good |
| CVE-2025-24016 (KEV) | 9.6 | 9.9 | 0.9351 | good |
| CVE-2025-24893 (KEV) | 9.6 | 9.8 | 0.9366 | good |
| CVE-2024-13159 (KEV) | 9.6 | 9.8 | 0.9396 | good |
| CVE-2024-55591 (KEV) | 9.6 | 9.8 | 0.9406 | good |
| CVE-2024-53704 (KEV) | 9.6 | 9.8 | 0.9386 | good |
| CVE-2025-24813 (KEV) | 9.6 | 9.8 | 0.9414 | good |
| CVE-2025-47812 (KEV) | 9.6 | 10.0 | 0.9284 | good |
| CVE-2026-24061 (KEV) | 9.5 | 9.8 | 0.9230 | good |
| CVE-2025-64446 (KEV) | 9.5 | 9.8 | 0.9291 | good |
| CVE-2025-0282 (KEV) | 9.4 | 9.0 | 0.9413 | good |
| CVE-2024-48248 (KEV) | 9.4 | 8.6 | 0.9401 | good |
| CVE-2024-13161 (KEV) | 9.4 | 9.8 | 0.9132 | good |
| CVE-2025-2747 (KEV) | 9.4 | 9.8 | 0.9126 | good |
| CVE-2025-61882 (KEV) | 9.3 | 9.8 | 0.8938 | good |
| CVE-2025-2746 (KEV) | 9.3 | 9.8 | 0.8973 | good |
| CVE-2025-53770 (KEV) | 9.3 | 9.8 | 0.8854 | good |
| CVE-2025-40551 (KEV) | 9.2 | 9.8 | 0.8667 | good |
| CVE-2025-61757 (KEV) | 9.2 | 9.8 | 0.8783 | good |
| CVE-2025-52691 (KEV) | 9.2 | 10.0 | 0.8640 | good |
| CVE-2024-57727 (KEV) | 9.1 | 7.5 | 0.9402 | good |
| CVE-2025-37164 (KEV) | 9.1 | 10.0 | 0.8521 | good |
| CVE-2026-1731 (KEV) | 8.9 | 9.8 | 0.8150 | good |
| CVE-2026-1281 (KEV) | 8.9 | 9.8 | 0.8213 | good |