CWE · MITRE source
CWE-552: Files or Directories Accessible to External Parties
The product makes files or directories accessible to unauthorized actors, even though they should not be.
Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any.

Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories.

In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.
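The first two manifestations above (a sensitive file left under the document root, and an archive that sweeps it up) share one fix: a single policy that decides which paths may be served or packaged, applied in both code paths. The following is an added example, not code from MITRE or from the CWE page; the denylist patterns, the `htdocs` demo tree and every file name in it are constructed for illustration.

```python
"""Added example, not from MITRE or the CWE page: two checks against CWE-552.

- serve_path() maps a request to a file under a document root and refuses
  anything that escapes the root (via "../" or a symlink) or that matches a
  denylist of files that should never be served.
- build_archive() zips a tree while applying the same denylist, so sensitive
  files under the tree do not end up in the download.
"""
from __future__ import annotations

import fnmatch
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Assumed denylist, matched against every path component. Extend per deployment.
SENSITIVE_PATTERNS = (
    ".*",                                          # .git, .env, .htpasswd, .ssh, ...
    "*~", "*.bak", "*.old", "*.orig", "*.swp",     # editor and backup copies
    "*.pem", "*.key", "*.p12", "*.pfx", "id_rsa*", # private key material
    "*.sql", "*.sqlite", "*.db",                   # database dumps
    "wp-config.php", "web.config", "settings.py",  # application secrets
)


class AccessDenied(Exception):
    """Raised when a request would expose a path that must stay private."""


def is_sensitive(rel: Path) -> bool:
    """True if any component of a root-relative path matches the denylist."""
    return any(fnmatch.fnmatch(p, pat) for p in rel.parts for pat in SENSITIVE_PATTERNS)


def serve_path(root: Path, requested: str) -> Path:
    """Return the regular file under `root` that `requested` names, or raise.

    `requested` is assumed to be URL-decoded already. resolve() follows
    symlinks, so a link inside the root that points outside it is rejected too.
    """
    root = root.resolve(strict=True)
    candidate = (root / requested.lstrip("/")).resolve()
    try:
        rel = candidate.relative_to(root)
    except ValueError:
        raise AccessDenied(f"{requested!r} escapes the document root") from None
    if is_sensitive(rel):
        raise AccessDenied(f"{requested!r} matches the sensitive-file denylist")
    if not candidate.is_file():
        raise AccessDenied(f"{requested!r} is not a regular file")
    return candidate


def build_archive(root: Path) -> bytes:
    """Zip everything under `root` except denylisted files and directories."""
    root = root.resolve(strict=True)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, dirnames, filenames in os.walk(root):
            rel_dir = Path(dirpath).relative_to(root)
            # Prune in place so os.walk never descends into .git, .ssh, etc.
            dirnames[:] = [d for d in dirnames if not is_sensitive(rel_dir / d)]
            for name in filenames:
                rel = rel_dir / name
                if not is_sensitive(rel):
                    zf.write(Path(dirpath) / name, arcname=rel.as_posix())
    return buf.getvalue()


def make_demo_tree(base: Path) -> Path:
    """Constructed demo web root mixing public and sensitive files."""
    root = base / "htdocs"
    (root / "css").mkdir(parents=True)
    (root / ".git").mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    (root / "css" / "site.css").write_text("body{}")
    (root / ".env").write_text("DB_PASSWORD=hunter2")
    (root / ".git" / "config").write_text("[core]")
    (root / "index.html.bak").write_text("old copy")
    (base / "secret.txt").write_text("outside the root")
    return root


def run_demo() -> dict:
    """Exercise both checks on the demo tree and return the decisions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = make_demo_tree(Path(tmp))
        served = {}
        for req in ("/index.html", "/css/site.css", "/.env", "/.git/config",
                    "/index.html.bak", "/../secret.txt", "/css", "/missing.txt"):
            try:
                served[req] = serve_path(root, req).name
            except AccessDenied:
                served[req] = "denied"
        with zipfile.ZipFile(io.BytesIO(build_archive(root))) as zf:
            archived = sorted(zf.namelist())
        return {"served": served, "archived": archived}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two design points worth keeping when adapting this: the denylist is checked against every path component, not just the basename, so `/.git/config` is refused even though `config` itself looks harmless; and the directory pruning in `build_archive()` happens before descent, which also keeps the archiver from following a `.ssh` or `.git` directory that happens to be a symlink into somewhere sensitive.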
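The cloud form of the weakness is usually a policy document rather than code, so the check belongs in an audit script that reads the bucket policy and flags grants to the anonymous principal. This is an added example, not code from MITRE or the CWE page; the two policy documents are constructed for the demo, and the `RISKY_ACTIONS` table is an assumption that should be extended for the storage service being audited.

```python
"""Added example, not from MITRE or the CWE page: find bucket policy statements
that make a storage account readable, listable or writable by anyone.

The policy documents are constructed for the demo, and the list of risky
actions is an assumption: extend it for the storage service you audit.
"""
from __future__ import annotations

import fnmatch

# Actions that, when granted to everyone, are exactly this weakness.
RISKY_ACTIONS = {
    "s3:getobject": "anonymous read of objects",
    "s3:listbucket": "anonymous listing of the bucket tree",
    "s3:putobject": "anonymous write into the bucket",
    "s3:deleteobject": "anonymous delete",
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_everyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_grants(policy: dict) -> list[dict]:
    """Return one finding per (statement, risky action) granted to everyone.

    A statement with a Condition block is still reported but flagged, because
    conditions such as aws:SourceVpce or aws:Referer range from a real
    restriction to no restriction at all and need a human to judge.
    """
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not _is_everyone(st.get("Principal")):
            continue
        for action in _as_list(st.get("Action")):
            pattern = action.lower()  # IAM action matching is case-insensitive
            for key, why in RISKY_ACTIONS.items():
                if fnmatch.fnmatchcase(key, pattern):  # handles s3:Get*, s3:*, exact
                    findings.append({
                        "sid": st.get("Sid", "<no Sid>"),
                        "action": action,
                        "resource": _as_list(st.get("Resource")),
                        "why": why,
                        "conditional": "Condition" in st,
                    })
    return findings


# Constructed demo policies (not real accounts or buckets).
WEBSITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadSiteAssets",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-site/public/*",
    }],
}

LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OopsList",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:ListBucket", "s3:Get*"],
            "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
        },
        {
            "Sid": "UploadsFromPartnerVpce",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-backups/inbox/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {
            "Sid": "AdminOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-admin"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-backups/*",
        },
    ],
}


if __name__ == "__main__":
    for name, pol in (("website", WEBSITE_POLICY), ("backups", LEAKY_POLICY)):
        for f in public_grants(pol):
            flag = " (has Condition, verify it)" if f["conditional"] else ""
            print(f"{name}: {f['sid']}: {f['action']} -> {f['why']}{flag}")
```

The website policy is reported too, deliberately: anonymous read of `public/*` may be intended, but the tool's job is to surface every anonymous grant so that a reviewer confirms the scope (here a prefix, not the whole bucket) rather than to guess intent. A bucket policy is only one layer; account-level public access block settings and object ACLs can widen or narrow what this script sees and should be checked alongside it.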
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (18) · AI
The 15 most specific controls are listed first; the 3 generic controls that address many weakness types follow at the end of the table. Two of the mapped identifiers (SC-14 and SA-6) were withdrawn before r5 and are noted as such.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| PM-1 | Information Security Program Plan | PM | Requires protecting the program plan itself from unauthorized disclosure, so the plan document is not left accessible to external parties or outside its intended control sphere. |
| PM-17 | Protecting Controlled Unclassified Information on External Systems | PM | Procedures ensure CUI files and resources are not made accessible to external parties without the required protections. |
| PM-5 | System Inventory | PM | Enumerating systems surfaces externally reachable resources that would otherwise remain unmonitored and accessible. |
| CM-10 | Software Usage Restrictions | CM | Controlling and documenting peer-to-peer file sharing prevents files and directories from being made accessible to external parties for unauthorized distribution. |
| CM-12 | Information Location | CM | Identifying and documenting where files and directories reside allows access by external parties to be restricted. |
| MP-1 | Policy and Procedures | MP | Policy restricts media access to authorized parties only, preventing exposure of resources to external or unauthorized actors. |
| MP-2 | Media Access | MP | Media access restrictions prevent files or directories from being accessible to external parties. |
| PE-17 | Alternate Work Site | PE | Employing and evaluating controls at documented alternate sites makes files and directories less likely to become accessible to external parties through physical or environmental weaknesses. |
| PE-3 | Physical Access Control | PE | Controls access to facility areas (including publicly accessible zones) to prevent external parties from reaching internal resources or sensitive locations. |
| SC-14 | Public Access Protections (withdrawn since r4; capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7 and SI-10) | SC | Prevents public exposure of files or directories that should not be reachable by unauthenticated parties. |
| SC-26 | Decoys | SC | Decoy files and directories detect external access attempts and draw attackers away from the resources that are actually accessible. |
| AC-22 | Publicly Accessible Content | AC | Controls on authorized publication limit files and directories with nonpublic data from becoming accessible to external parties. |
| CP-9 | System Backup | CP | Protecting backup files ensures they are not accessible to external parties or outside the intended control sphere. |
| MA-2 | Controlled Maintenance | MA | Sanitizing equipment before off-site maintenance reduces the risk of files or directories containing sensitive data becoming accessible to external parties. |
| RA-2 | Security Categorization | RA | Categorization results dictate which files and directories must be restricted, making unauthorized external access less likely. |
| SA-6 | Software Usage Restrictions (withdrawn since r4; incorporated into CM-10) | SA | Explicit controls on peer-to-peer file sharing prevent files and directories from being made accessible to external parties without authorization. |
| SI-20 | Tainting | SI | Detects improper removal of data from files or directories that are accessible to external parties. |
| SR-7 | Supply Chain Operations Security | SR | Controls ensure files and directories holding supply-chain data are not left accessible to unauthorized actors. |
Top CVEs of this weakness type, ranked by Risk Priority (KEV marks entries listed in CISA's Known Exploited Vulnerabilities catalog)
| CVE | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2020-17519 (KEV) | 9.2 | 7.5 | 0.9433 | 2021-01-05 |
| CVE-2016-3715 (KEV) | 8.1 | 5.5 | 0.8360 | 2016-05-05 |
| CVE-2025-11371 (KEV) | 7.7 | 7.5 | 0.7008 | 2025-10-09 |
| CVE-2023-50164 | 7.5 | 9.8 | 0.9286 | 2023-12-07 |
| CVE-2021-39316 | 7.1 | 7.5 | 0.9353 | 2021-08-31 |
| CVE-2024-6911 | 7.1 | 7.5 | 0.9332 | 2024-07-22 |
| CVE-2023-33568 | 6.9 | 7.5 | 0.8984 | 2023-06-13 |
| CVE-2024-53676 | 6.7 | 9.8 | 0.7930 | 2024-11-27 |
| CVE-2023-2766 | 6.6 | 5.3 | 0.9182 | 2023-05-17 |
| CVE-2017-16651 (KEV) | 5.8 | 7.8 | 0.3727 | 2017-11-09 |
| CVE-2022-0656 | 5.6 | 7.5 | 0.6816 | 2022-04-25 |
| CVE-2020-24312 | 5.4 | 7.5 | 0.6499 | 2020-08-26 |
| CVE-2024-4836 | 5.3 | 7.5 | 0.6293 | 2024-07-02 |
| CVE-2023-6114 | 5.2 | 7.5 | 0.6126 | 2023-12-26 |
| CVE-2021-40149 | 5.0 | 5.9 | 0.6295 | 2022-07-17 |
| CVE-2022-41343 | 4.8 | 7.5 | 0.5542 | 2022-09-25 |
| CVE-2024-6209 | 4.5 | 10.0 | 0.4162 | 2024-07-05 |
| CVE-2022-44356 | 4.3 | 7.5 | 0.4706 | 2022-11-29 |
| CVE-2020-15175 | 3.7 | 7.4 | 0.3719 | 2020-10-07 |
| CVE-2021-25741 | 3.7 | 8.8 | 0.3304 | 2021-09-20 |
| CVE-2021-40150 | 3.6 | 7.5 | 0.3423 | 2022-07-17 |
| CVE-2025-48928 (KEV) | 3.3 | 4.0 | 0.0829 | 2025-05-28 |
| CVE-2025-68109 | 3.3 | 9.1 | 0.2544 | 2025-12-17 |
| CVE-2023-6266 | 3.1 | 7.5 | 0.2677 | 2024-01-11 |
| CVE-2009-10005 | 3.0 | 0.0 | 0.4961 | 2025-08-20 |