CWE · MITRE source
CWE-1104: Use of Unmaintained Third Party Components
The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (33)
Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-1 | Policy and Procedures | SA | Policy can require pre-acquisition evaluation of third-party component maintenance status, support lifecycle, and update commitments. |
| SA-10 | Developer Configuration Management | SA | Configuration management and explicit tracking of security flaws require identification and remediation of unmaintained or vulnerable third-party components. |
| SA-12 | Supply Chain Protection | SA | Supply chain risk management includes supplier assessments that favor maintained and supported third-party components. |
| SR-1 | Policy and Procedures | SR | Procedures mandate ongoing assessment of third-party component support status and maintenance, making use of unmaintained components less likely. |
| SR-2 | Supply Chain Risk Management Plan | SR | Supply chain planning includes ongoing evaluation of third-party component support and viability, making use of unmaintained components less likely. |
| SR-3 | Supply Chain Controls and Processes | SR | Supply chain risk management processes include evaluation and replacement of unmaintained third-party components that introduce exploitable weaknesses. |
| PM-15 | Security and Privacy Groups and Associations | PM | Contact with security communities directly informs personnel of unmaintained components and their vulnerabilities, reducing the likelihood of their continued use. |
| PM-16 | Threat Awareness Program | PM | Threat intelligence sharing directly informs organizations of newly discovered vulnerabilities and exploitation in third-party components, enabling timely updates or replacement before attackers can leverage them. |
| PM-3 | Information Security and Privacy Resources | PM | Resource allocation in investment requests funds regular maintenance, patching, and updates of third-party components. |
| MA-1 | Policy and Procedures | MA | The maintenance policy requires regular updates and upkeep of systems and third-party components, directly reducing the presence of unmaintained software that attackers can exploit. |
| MA-6 | Timely Maintenance | MA | Requiring quick access to maintenance support and spare parts after failure necessitates using actively supported components rather than unmaintained third-party ones. |
| RA-4 | Risk Assessment Update | RA | Periodic risk assessment updates directly detect when third-party components become unmaintained, prompting removal or replacement before attackers can exploit known vulnerabilities. |
| RA-5 | Vulnerability Monitoring and Scanning | RA | Regular scanning with updatable vulnerability feeds directly identifies unmaintained third-party components. |
| SC-25 | Thin Nodes | SC | Fewer components and services mean reduced attack surface from unmaintained third-party code. |
| SC-29 | Heterogeneity | SC | Using multiple distinct technologies reduces systemic dependence on any single third-party component and its potential unmaintained vulnerabilities. |
The remaining 18 broadly-applicable controls:

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-13 | Trustworthiness | SA | Makes use of unmaintained third-party components less likely by requiring ongoing trustworthiness assessment of dependencies and suppliers. |
| SA-15 | Development Process, Standards, and Tools | SA | Tool and standards review plus change-integrity requirements reduce selection and continued use of unmaintained third-party components. |
| SA-19 | Component Authenticity | SA | Requires use of trusted, maintained suppliers and configuration control, making use of unmaintained third-party components far less likely. |
| SA-2 | Allocation of Resources | SA | Dedicated security line items in budgets enable ongoing maintenance, patching, and replacement of third-party components that would otherwise be left unmaintained due to lack of allocated resources. |
| SA-20 | Customized Development of Critical Components | SA | Custom development replaces unmaintained third-party components with internally controlled code for critical functions. |
| SA-22 | Unsupported System Components | SA | Directly prevents continued use of components that receive no further security updates or patches from the vendor. |
| SA-3 | System Development Life Cycle | SA | Acquisition and development under a security-aware SDLC includes evaluation of third-party components for maintenance status and known weaknesses before integration. |
| SA-4 | Acquisition Process | SA | Explicit supply-chain risk management and acceptance criteria in acquisition contracts directly reduce procurement of unmaintained third-party components. |
| SA-6 | Software Usage Restrictions | SA | License and contract compliance requirements can enforce use of only supported, maintained third-party components. |
| SR-4 | Provenance | SR | Provenance records include supplier and lifecycle details, enabling ongoing monitoring to avoid unmaintained third-party components. |
| SR-5 | Acquisition Strategies, Tools, and Methods | SR | Contract tools and acquisition criteria can explicitly require ongoing vendor support, patching commitments, and avoidance of unmaintained third-party components. |
| SR-6 | Supplier Assessments and Reviews | SR | Assessments evaluate supplier maintenance practices, lowering exposure to unmaintained third-party components. |
| SR-8 | Notification Agreements | SR | Notification procedures can mandate alerts when third-party components reach end-of-life or lose support, reducing prolonged use of vulnerable components. |
| PM-30 | Supply Chain Risk Management Strategy | PM | Organization-wide SCRM policy includes ongoing evaluation of third-party component support lifecycles to avoid unmaintained dependencies. |
| SI-2 | Flaw Remediation | SI | Timely identification and installation of updates directly prevents use of unmaintained third-party components whose known flaws remain exploitable. |
| SI-5 | Security Alerts, Advisories, and Directives | SI | Ongoing receipt and implementation of security advisories directly enables timely replacement or mitigation of unmaintained third-party components before known vulnerabilities are exploited. |
| AT-5 | Contacts with Security Groups and Associations | AT | Security groups frequently discuss maintenance status of third-party components, aiding identification and avoidance of unmaintained ones. |
| CM-8 | System Component Inventory | CM | Maintaining an accurate, reviewed inventory of all system components enables tracking of third-party software versions and maintenance status, reducing the risk of using unmaintained components. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2023-7102 | 2.5 | 9.8 | 0.0891 | 2023-12-24 |
| CVE-2025-40906 | 2.0 | 9.8 | 0.0060 | 2025-05-16 |
| CVE-2025-10220 | 2.0 | 9.8 | 0.0089 | 2025-09-10 |
| CVE-2025-34192 | 2.0 | 9.8 | 0.0056 | 2025-09-19 |
| CVE-2025-34193 | 2.0 | 9.8 | 0.0029 | 2025-09-19 |
| CVE-2025-12104 | 2.0 | 9.8 | 0.0035 | 2025-10-23 |
| CVE-2022-46871 | 1.8 | 8.8 | 0.0099 | 2022-12-22 |
| CVE-2024-35252 | 1.8 | 7.5 | 0.0540 | 2024-06-11 |
| CVE-2024-8885 | 1.8 | 8.8 | 0.0004 | 2024-10-02 |
| CVE-2024-11999 | 1.8 | 8.8 | 0.0035 | 2024-12-17 |
| CVE-2025-3497 | 1.8 | 8.7 | 0.0044 | 2025-07-09 |
| CVE-2026-41468 | 1.7 | 8.7 | 0.0007 | 2026-04-22 |
| CVE-2025-20010 | 1.6 | 7.8 | 0.0005 | 2025-11-11 |
| CVE-2025-48862 | 1.4 | 7.1 | 0.0002 | 2025-08-14 |
| CVE-2021-22142 | 1.3 | 6.6 | 0.0047 | 2023-11-22 |
| CVE-2024-21631 | 1.3 | 6.5 | 0.0031 | 2024-01-03 |
| CVE-2025-52658 | 0.7 | 3.5 | 0.0008 | 2025-10-03 |
| CVE-2025-55277 | 0.5 | 2.6 | 0.0002 | 2026-03-26 |