CWE · MITRE source
CWE-15: External Control of System or Configuration Setting
One or more system settings or configuration elements can be externally controlled by a user.
Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious, ways.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (9)
The 5 most specific controls:
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CM-1 | Policy and Procedures | CM | The policy and procedures establish internal controls and change management for system configuration settings, reducing the feasibility of external unauthorized modifications. |
| CM-2 | Baseline Configuration | CM | Baseline configuration under change control directly prevents unauthorized external modification of system or configuration settings. |
| CM-3 | Configuration Change Control | CM | Requires approval, documentation, and security impact review of all configuration changes, directly preventing unauthorized external control of system settings. |
| RA-5 | Vulnerability Monitoring and Scanning | RA | Vulnerability scanners directly detect externally controllable or misconfigured settings using standardized checklists. |
| SI-22 | Information Diversity | SI | Provides fallback sources for configuration or settings when the primary is externally corrupted or controlled. |

4 more broadly applicable controls (generic controls that address many weakness types):
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CM-4 | Impact Analyses | CM | Impact analysis of configuration changes reduces the risk of deploying settings that permit unauthorized external control. |
| CM-5 | Access Restrictions for Change | CM | Restricting changes to system and configuration settings prevents external entities from controlling those settings without approval. |
| CM-6 | Configuration Settings | CM | Establishing, implementing, approving deviations from, and monitoring configuration settings directly prevents external or unauthorized control of system settings. |
| CM-9 | Configuration Management Plan | CM | The plan defines processes for identifying and managing configuration items, preventing external unauthorized control of system settings. |

Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2023-43323 | 6.1 | 6.5 | 0.8080 | 2023-09-28 |
| CVE-2023-50252 | 2.2 | 8.3 | 0.0963 | 2023-12-12 |
| CVE-2024-10979 | 2.2 | 8.8 | 0.0686 | 2024-11-14 |
| CVE-2024-38666 | 2.2 | 9.1 | 0.0585 | 2025-01-14 |
| CVE-2024-39280 | 2.2 | 9.1 | 0.0585 | 2025-01-14 |
| CVE-2023-46248 | 2.0 | 9.0 | 0.0328 | 2023-10-31 |
| CVE-2024-4326 | 2.0 | 9.8 | 0.0065 | 2024-05-16 |
| CVE-2026-22708 | 2.0 | 9.8 | 0.0007 | 2026-01-14 |
| CVE-2024-51544 | 1.9 | 8.2 | 0.0419 | 2024-12-05 |
| CVE-2021-38453 | 1.8 | 9.1 | 0.0025 | 2021-10-22 |
| CVE-2021-27406 | 1.8 | 8.8 | 0.0027 | 2022-10-14 |
| CVE-2024-39602 | 1.8 | 9.1 | 0.0040 | 2025-01-14 |
| CVE-2024-39788 | 1.8 | 9.1 | 0.0004 | 2025-01-14 |
| CVE-2024-39789 | 1.8 | 9.1 | 0.0005 | 2025-01-14 |
| CVE-2024-39790 | 1.8 | 9.1 | 0.0004 | 2025-01-14 |
| CVE-2024-39793 | 1.8 | 9.1 | 0.0004 | 2025-01-14 |
| CVE-2024-39794 | 1.8 | 9.1 | 0.0005 | 2025-01-14 |
| CVE-2024-39795 | 1.8 | 9.1 | 0.0004 | 2025-01-14 |
| CVE-2024-39798 | 1.8 | 9.1 | 0.0035 | 2025-01-14 |
| CVE-2024-39799 | 1.8 | 9.1 | 0.0035 | 2025-01-14 |
| CVE-2024-39800 | 1.8 | 9.1 | 0.0035 | 2025-01-14 |
| CVE-2024-51543 | 1.7 | 8.2 | 0.0029 | 2024-12-05 |
| CVE-2026-27203 | 1.7 | 8.3 | 0.0002 | 2026-02-21 |
| CVE-2026-41294 | 1.7 | 8.6 | 0.0001 | 2026-04-21 |
| CVE-2021-31338 | 1.6 | 7.8 | 0.0005 | 2021-08-19 |