CWE · MITRE source
CWE-494: Download of Code Without Integrity Check
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
Last updated: 09 May 2026 03:25 UTC
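The weakness described above, shown as a vulnerable update routine beside a hardened one that pins a SHA-256 digest and refuses to hand the code on for execution when the digest does not match. This is an added example, not code from MITRE or from any product on this page; the URL, the artifact bytes and the two simulated "servers" are constructed so the block runs offline (a real product would fetch over HTTPS in place of those functions).

```python
"""Added example: pin a SHA-256 digest for a downloaded artifact before using it.

The fetch step is simulated with constructed bytes so the example runs offline.
The expected digest is something the product ships with (or obtains over a
separately trusted channel), never something read from the same untrusted
location as the artifact itself.
"""
import hashlib
import hmac

# Constructed sample artifact standing in for a downloaded update script.
GOOD_ARTIFACT = b"#!/bin/sh\necho 'update 1.2.3 installed'\n"
# Digest the product would ship with; computed here only to keep the example self-contained.
PINNED_SHA256 = hashlib.sha256(GOOD_ARTIFACT).hexdigest()


class IntegrityError(Exception):
    """Raised when the downloaded bytes do not match the pinned digest."""


def unsafe_update(fetch, url):
    """CWE-494 pattern: whatever the server returned is trusted as-is.

    A compromised host, a spoofed DNS answer or on-path modification all
    produce bytes this function cannot distinguish from the genuine release.
    """
    code = fetch(url)
    return code  # a real product would write this to disk and run it


def verified_update(fetch, url, expected_sha256):
    """Hardened form: hash the exact bytes received and compare to the pinned value."""
    code = fetch(url)
    actual = hashlib.sha256(code).hexdigest()
    # compare_digest runs in constant time, so the comparison itself leaks nothing.
    if not hmac.compare_digest(actual, expected_sha256):
        raise IntegrityError(
            f"digest mismatch for {url}: expected {expected_sha256}, got {actual}"
        )
    return code


def honest_server(url):
    """Simulated fetch that returns the genuine artifact (constructed)."""
    return GOOD_ARTIFACT


def tampered_server(url):
    """Simulated fetch standing in for a compromised host, DNS spoofing or
    modification in transit: the payload differs from what was published."""
    return GOOD_ARTIFACT.replace(b"installed", b"tampered")


def demo():
    """Run both update paths against both servers and report what each accepted."""
    url = "https://updates.example.invalid/update.sh"  # placeholder URL, never contacted
    results = {}
    # The unverified path happily returns the altered payload.
    results["unsafe_accepts_tampered"] = unsafe_update(tampered_server, url) != GOOD_ARTIFACT
    # The verified path passes the genuine artifact through unchanged...
    results["verified_accepts_genuine"] = (
        verified_update(honest_server, url, PINNED_SHA256) == GOOD_ARTIFACT
    )
    # ...and refuses the altered one before anything is written or executed.
    try:
        verified_update(tampered_server, url, PINNED_SHA256)
        results["verified_rejects_tampered"] = False
    except IntegrityError:
        results["verified_rejects_tampered"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The pinned digest has to come from somewhere the party controlling the download channel cannot reach: embedded in the product at build time, or obtained from a separately trusted source. A digest published beside the artifact on the same server adds nothing, since whoever can replace the artifact can replace the digest. A hash also only establishes integrity, not origin; a signature check over the artifact (CM-14 below) is what ties the bytes to a specific publisher.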
NIST 800-53 r5 controls that address this weakness (23)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SR-1 | Policy and Procedures | SR | Policy establishes requirements for integrity verification of acquired software and updates, preventing download and use of code lacking integrity checks. |
| SR-10 | Inspection of Systems or Components | SR | Post-download inspection serves as a compensating control that detects code tampering when integrity checks were not performed at acquisition time. |
| SR-11 | Component Authenticity | SR | Detecting counterfeits requires integrity verification of received components before acceptance. |
| SA-10 | Developer Configuration Management | SA | Mandating integrity control and approved-only changes during development prevents incorporation of code or components lacking integrity validation. |
| SA-12 | Supply Chain Protection | SA | Supply chain protection requires integrity verification of acquired components, directly reducing insertion or tampering of malicious code during delivery. |
| SA-13 | Trustworthiness | SA | Reduces exposure to code obtained without integrity verification by requiring assurance processes that confirm authenticity and absence of tampering. |
| CM-11 | User-installed Software | CM | Policies can require integrity verification of software prior to installation, reducing risks from unverified downloads. |
| CM-14 | Signed Components | CM | Blocks installation of components lacking a valid signature, mitigating download or installation of code without integrity checks. |
| SC-18 | Mobile Code | SC | Authorizing and controlling mobile code requires verifying origin and integrity before download/execution, directly preventing this weakness. |
| SC-35 | External Malicious Code Identification | SC | Proactive network scanning for malicious code directly detects and blocks downloads that lack integrity verification. |
| SI-3 | Malicious Code Protection | SI | Performs real-time scans of downloaded code, mitigating risks from downloads lacking integrity checks. |
| SI-7 | Software, Firmware, and Information Integrity | SI | Explicitly detects code or firmware that was obtained or altered without an integrity check. |
| PM-30 | Supply Chain Risk Management Strategy | PM | Acquisition and maintenance portions of the strategy drive requirements for integrity verification of downloaded or supplied code. |
Broadly applicable controls (10 more)

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SR-2 | Supply Chain Risk Management Plan | SR | The plan typically requires integrity verification steps for acquired code and components, directly addressing downloads lacking integrity checks. |
| SR-3 | Supply Chain Controls and Processes | SR | Supply chain processes require integrity verification of acquired components, directly preventing download or incorporation of unverified code. |
| SR-4 | Provenance | SR | Tracking provenance of components and code necessitates integrity verification, preventing downloads or inclusions without such checks. |
| SR-5 | Acquisition Strategies, Tools, and Methods | SR | Acquisition strategies can stipulate that delivered code or firmware must be signed and integrity-checked, making downloads without verification contractually non-compliant. |
| SR-6 | Supplier Assessments and Reviews | SR | Supply-chain reviews verify that suppliers implement integrity checks before code or components are accepted. |
| SR-8 | Notification Agreements | SR | Suppliers can be contractually required to notify of integrity failures or required updates for delivered code, improving detection of tampering. |
| SR-9 | Tamper Resistance and Detection | SR | Mandates integrity verification on system components, closing the gap that allows download without checks. |
| SA-18 | Tamper Resistance and Detection | SA | Tamper resistance and detection commonly include integrity verification of code and firmware obtained from external sources. |
| SA-19 | Component Authenticity | SA | Component authenticity requires verifying origin/integrity of acquired firmware or software, directly preventing inclusion of code without integrity checks. |
| SA-4 | Acquisition Process | SA | Requiring integrity-protection mechanisms and assurance requirements in contracts prevents acquisition of code-download features lacking integrity checks. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk priority | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2022-40799 (KEV) | 7.0 | 8.8 | 0.5389 | 2022-11-29 |
| CVE-2020-5398 | 6.9 | 7.5 | 0.9018 | 2020-01-17 |
| CVE-2026-27180 | 4.9 | 9.8 | 0.4880 | 2026-02-18 |
| CVE-2025-15556 (KEV) | 3.9 | 7.5 | 0.0609 | 2026-02-03 |
| CVE-2026-3502 (KEV) | 3.7 | 7.8 | 0.0275 | 2026-03-30 |
| CVE-2025-68109 | 3.3 | 9.1 | 0.2544 | 2025-12-17 |
| CVE-2021-44168 (KEV) | 2.7 | 3.3 | 0.0107 | 2022-01-04 |
| CVE-2021-45027 | 2.5 | 7.5 | 0.1735 | 2022-09-01 |
| CVE-2022-24644 | 2.4 | 8.8 | 0.1084 | 2022-03-10 |
| CVE-2022-28944 | 2.4 | 8.8 | 0.1087 | 2022-05-23 |
| CVE-2022-27438 | 2.4 | 8.1 | 0.1227 | 2022-06-06 |
| CVE-2001-1125 | 2.2 | 9.8 | 0.0346 | 2001-10-05 |
| CVE-2024-27438 | 2.1 | 9.8 | 0.0234 | 2024-03-21 |
| CVE-2002-0671 | 2.0 | 9.8 | 0.0051 | 2002-07-23 |
| CVE-2016-6567 | 2.0 | 9.8 | 0.0119 | 2018-07-13 |
| CVE-2018-19234 | 2.0 | 8.8 | 0.0459 | 2018-12-20 |
| CVE-2019-3801 | 2.0 | 9.8 | 0.0007 | 2019-04-25 |
| CVE-2018-5409 | 2.0 | 9.8 | 0.0019 | 2019-05-08 |
| CVE-2020-1210 | 2.0 | 9.9 | 0.0070 | 2020-09-11 |
| CVE-2020-1595 | 2.0 | 9.9 | 0.0053 | 2020-09-11 |
| CVE-2020-28332 | 2.0 | 9.8 | 0.0028 | 2020-11-24 |
| CVE-2020-2320 | 2.0 | 9.8 | 0.0044 | 2020-12-03 |
| CVE-2020-7883 | 2.0 | 9.8 | 0.0077 | 2021-12-28 |
| CVE-2022-24117 | 2.0 | 9.8 | 0.0011 | 2022-12-26 |
| CVE-2020-22654 | 2.0 | 9.8 | 0.0019 | 2023-01-20 |

KEV marks entries listed in the CISA Known Exploited Vulnerabilities catalog.