Home/CWE/External Control of System or Configuration Setting
Weakness

External Control of System or Configuration Setting

CWE-15 · Base · Incomplete

One or more system settings or configuration elements can be externally controlled by a user.

Extended description

Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-20 · Improper Input Validation
ChildOfCWE-610 · Externally Controlled Reference to a Resource in Another Sphere
ChildOfCWE-642 · External Control of Critical State Data

Attack Patterns (CAPEC)

10
How adversaries exploit this weakness, per MITRE CAPEC.
CAPEC-13Subverting Environment Variable Values
CAPEC-146XML Schema Poisoning
CAPEC-176Configuration/Environment Manipulation
CAPEC-203Manipulate Registry Information
CAPEC-270Modification of Registry Run Keys
CAPEC-271Schema Poisoning
CAPEC-579Replace Winlogon Helper DLL
CAPEC-69Target Programs with Elevated Privileges
CAPEC-76Manipulating Web Input to File System Calls
CAPEC-77Manipulating User-Controlled Variables

CVEs With This Weakness

60
A sample of the 60 CVEs tagged with this weakness.
CVECVE-2026-43531
CVECVE-2026-41489
CVECVE-2026-41384
CVECVE-2026-41294
CVECVE-2026-35650
CVECVE-2026-33092
CVECVE-2026-30817
CVECVE-2026-30816
CVECVE-2026-27203
CVECVE-2026-22750
CVECVE-2026-22708
CVECVE-2026-22177

Nuclei Scanner Templates

3
Open-source Nuclei templates that detect this weakness class - an actionable scan-for-it pivot. Licensed under the ProjectDiscovery / Nuclei terms.
criticalJolokia file write to RCE jfr
criticalApache Solr 9.1 - Remote Code Execution
unknownSymfony _fragment - Detect
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin