Cyber Posture


CWE-506: Embedded Malicious Code

Abstraction: Class · CVEs in our corpus: 80

The product contains code that appears to be malicious in nature.

Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (35) AI

The 15 most specific controls are listed first. Generic controls that address many weakness types are listed separately below.

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SR-1 | Policy and Procedures | SR | Supply chain risk management procedures include controls to detect and prevent insertion of malicious code through suppliers and vendors. |
| SR-10 | Inspection of Systems or Components | SR | Direct inspection of components can detect embedded malicious code inserted through supply-chain or runtime tampering. |
| SR-11 | Component Authenticity | SR | Counterfeit components are a common vector for embedding malicious code; preventing their entry reduces this exposure. |
| SA-1 | Policy and Procedures | SA | Acquisition procedures can prescribe integrity checks, code review, and provenance validation to reduce introduction of embedded malicious code. |
| SA-10 | Developer Configuration Management | SA | Requiring documented, approved changes plus security flaw tracking makes undetected insertion of malicious code substantially harder. |
| SA-12 | Supply Chain Protection | SA | The control mandates vetting suppliers and tamper detection, making it harder for malicious code to be embedded by upstream providers. |
| SC-18 | Mobile Code | SC | Monitoring mobile code usage enables detection of embedded malicious code delivered through allowed mobile code channels. |
| SC-25 | Thin Nodes | SC | Reduced code footprint and storage make insertion or persistence of embedded malicious code far less feasible. |
| SC-29 | Heterogeneity | SC | Embedding malicious code becomes far harder to achieve uniformly when components use heterogeneous languages, runtimes, and hardware. |
| CM-10 | Software Usage Restrictions | CM | Restricting software to licensed versions and controlling P2P prevents introduction of software containing embedded malicious code from unauthorized sources. |
| CM-11 | User-installed Software | CM | The control prevents users from installing software that contains embedded malicious code. |
| CM-8 | System Component Inventory | CM | Regular inventory reviews and updates make it harder to conceal or exploit embedded malicious code by requiring all components to be documented and accounted for. |
| SI-14 | Non-persistence | SI | Any embedded malicious code or backdoor written into an instance is erased at termination, rendering persistence mechanisms ineffective across successive instances. |
| SI-3 | Malicious Code Protection | SI | Directly detects and eradicates embedded malicious code at entry/exit points via periodic and real-time scans. |
| SI-7 | Software, Firmware, and Information Integrity | SI | Unauthorized insertion of malicious code into software or firmware is revealed by integrity monitoring. |

Broadly-applicable controls (20)

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SR-2 | Supply Chain Risk Management Plan | SR | A supply chain risk management plan requires vetting suppliers and components to prevent introduction of embedded malicious code throughout the system lifecycle. |
| SR-3 | Supply Chain Controls and Processes | SR | Identifying weaknesses and applying supplier controls reduces the likelihood of embedded malicious code being introduced through procured elements. |
| SR-4 | Provenance | SR | Valid provenance monitoring makes insertion of embedded malicious code during supply chain or development stages detectable. |
| SR-5 | Acquisition Strategies, Tools, and Methods | SR | Acquisition strategies can require trusted suppliers, code reviews, and integrity attestations that directly reduce the likelihood of receiving components with embedded malicious code. |
| SR-6 | Supplier Assessments and Reviews | SR | Reviews of suppliers and their deliverables can detect or deter introduction of embedded malicious code. |
| SR-8 | Notification Agreements | SR | Notification agreements enable suppliers to alert acquirers to discovered or suspected embedded malicious code, directly supporting detection and response. |
| SR-9 | Tamper Resistance and Detection | SR | Tamper detection mechanisms can identify embedded malicious code inserted via supply-chain or runtime tampering. |
| SA-13 | Trustworthiness | SA | Directly reduces risk of embedded malicious code by requiring verification that acquired or developed components perform only as specified without hidden malicious behavior. |
| SA-19 | Component Authenticity | SA | Authenticity verification and anti-counterfeit procedures detect and block components that may contain embedded malicious code or backdoors. |
| SA-20 | Customized Development of Critical Components | SA | In-house development of critical components eliminates the attack surface of vendor-embedded malicious code. |
| SA-21 | Developer Screening | SA | Screening developers for trustworthiness and appropriate authorizations directly reduces the likelihood that a malicious insider will intentionally embed malicious code during development. |
| SA-6 | Software Usage Restrictions | SA | Mandating only contract-approved software reduces the chance of introducing binaries that contain embedded malicious code. |
| SC-34 | Non-modifiable Executable Programs | SC | Prevents embedding or persistence of malicious code in the OS or specified applications since the media cannot be written. |
| SC-44 | Detonation Chambers | SC | Detonation chambers directly detect and analyze embedded malicious code by executing it in isolation before it reaches production systems. |
| RA-10 | Threat Hunting | RA | The capability explicitly searches for embedded malicious code and backdoors as indicators of compromise. |
| RA-6 | Technical Surveillance Countermeasures Survey | RA | TSCM directly targets and removes embedded malicious hardware or code planted for ongoing technical surveillance. |
| CP-10 | System Recovery and Reconstitution | CP | Reverting to a known state removes any malicious code embedded by an attacker. |
| MA-3 | Maintenance Tools | MA | The approval and review process for maintenance tools can prevent introduction or continued use of tools containing embedded malicious code. |
| PM-30 | Supply Chain Risk Management Strategy | PM | Supply chain strategy requires vetting and controls during acquisition to prevent or detect insertion of malicious code by vendors or integrators. |
| PS-2 | Position Risk Designation | PS | Background screening for development or deployment roles makes intentional insertion of malicious code by insiders materially harder to accomplish. |

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-30066 KEV | 9.2 | 8.6 | 0.9183 | 2025-03-15 |
| CVE-2024-3094 | 7.1 | 10.0 | 0.8506 | 2024-03-29 |
| CVE-2025-59374 KEV | 6.0 | 9.8 | 0.3475 | 2025-12-17 |
| CVE-2025-30154 KEV | 5.8 | 8.6 | 0.3399 | 2025-03-19 |
| CVE-2026-33634 KEV | 4.8 | 8.8 | 0.1683 | 2026-03-23 |
| CVE-2024-4978 KEV | 4.5 | 8.4 | 0.1415 | 2024-05-23 |
| CVE-2025-54313 KEV | 4.2 | 7.5 | 0.1162 | 2025-07-19 |
| CVE-2017-16128 | 2.0 | 9.8 | 0.0032 | 2018-06-07 |
| CVE-2026-31976 | 2.0 | 9.8 | 0.0008 | 2026-03-11 |
| CVE-2026-34841 | 2.0 | 9.8 | 0.0003 | 2026-04-06 |
| CVE-2026-34424 | 2.0 | 9.8 | 0.0024 | 2026-04-09 |
| CVE-2026-6443 | 2.0 | 9.8 | 0.0006 | 2026-04-17 |
| CVE-2020-15165 | 1.9 | 9.3 | 0.0020 | 2020-08-28 |
| CVE-2025-10894 | 1.9 | 9.6 | 0.0008 | 2025-09-24 |
| CVE-2023-2003 | 1.8 | 9.1 | 0.0034 | 2023-07-13 |
| CVE-2017-16047 | 1.5 | 7.5 | 0.0032 | 2018-05-29 |
| CVE-2017-16061 | 1.5 | 7.5 | 0.0026 | 2018-05-29 |
| CVE-2017-16062 | 1.5 | 7.5 | 0.0026 | 2018-05-29 |
| CVE-2017-16044 | 1.5 | 7.5 | 0.0026 | 2018-06-04 |
| CVE-2017-16045 | 1.5 | 7.5 | 0.0026 | 2018-06-04 |
| CVE-2017-16046 | 1.5 | 7.5 | 0.0026 | 2018-06-04 |
| CVE-2017-16048 | 1.5 | 7.5 | 0.0026 | 2018-06-04 |
| CVE-2017-16049 | 1.5 | 7.5 | 0.0026 | 2018-06-04 |
| CVE-2017-16050 | 1.5 | 7.5 | 0.0026 | 2018-06-04 |
| CVE-2017-16051 | 1.5 | 7.5 | 0.0033 | 2018-06-04 |