OWASP Top 10 A06:2021 (Vulnerable and Outdated Components)
AL, Founder at SQUR · last verified 2026-06-20
Regulation text
Likely vulnerable if:
- you do not know the versions of all components used (both client- and server-side),
- software is vulnerable, unsupported, or out of date (OS, web/application server, DBMS, applications, APIs, runtime environments, libraries),
- you do not scan for vulnerabilities regularly,
- you do not fix or upgrade the underlying platform/frameworks/dependencies in a risk-based, timely fashion.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | This technique directly exploits known vulnerabilities in public-facing outdated components, aligning with the control's focus on vulnerable software. | 100% |
| T1068 | Attackers exploit vulnerabilities in outdated system components to achieve privilege escalation, a direct consequence of unpatched software. | 90% |
| T1574 | Vulnerable libraries or components can be hijacked to execute malicious code, enabling attackers to control program flow. | 80% |
| T1547 | Exploiting flaws in system startup components allows attackers to establish persistence, ensuring continued access after reboots. | 80% |
| T1003 | Outdated operating system components often contain vulnerabilities that permit credential dumping, exposing sensitive authentication data. | 90% |
| T1082 | Vulnerabilities in components can be exploited to gather extensive system information, aiding further attack planning. | 90% |
| T1018 | Exploiting network service vulnerabilities in outdated components facilitates remote system discovery, mapping the target environment. | 70% |
| T1021 | Vulnerable remote services, often found in outdated components, are exploited for lateral movement across networks. | 80% |
| T1005 | File system or application component vulnerabilities enable unauthorized access and collection of sensitive local data. | 80% |
| T1071 | Vulnerabilities in application layer components, such as web servers, are used to establish command and control communications. | 70% |
| T1041 | Exploiting vulnerable components allows data exfiltration over established command and control channels, bypassing security measures. | 70% |
| T1499 | Web server or application component vulnerabilities are frequently exploited to deface websites, causing reputational damage. | 80% |
| T1486 | System or application vulnerabilities are exploited to deploy ransomware, encrypting data for impact and financial gain. | 90% |
| T1218 | Vulnerable legitimate system binaries can be used as proxies to execute malicious code, evading detection. | 70% |
| T1552 | Outdated applications often store credentials insecurely, making them vulnerable to direct access by attackers. | 90% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1051 | Updating all software components to their latest versions directly addresses the risk of vulnerable and outdated components, as specified in A06:2021. | 100% |
| M1050 | Regular vulnerability scanning identifies known flaws in components, enabling proactive remediation and adherence to A06:2021 requirements. | 100% |
| M1048 | Implementing robust patch management ensures timely application of security updates to all components, mitigating risks outlined in A06:2021. | 100% |
| M1031 | Network intrusion prevention systems detect and block exploit attempts targeting vulnerable components, reducing the attack surface. | 80% |
| M1028 | Secure configuration of operating systems and other components reduces the likelihood of exploitation, complementing component updates. | 90% |
| M1035 | Limiting access to resources and components minimizes the exposure of vulnerable software, restricting potential attack vectors. | 80% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-1104 | This CWE directly describes the use of unmaintained third-party components, which is the core issue highlighted by OWASP A06:2021. | 100% |
| CWE-20 | Improper input validation is a fundamental flaw in many outdated components, leading to various exploitation opportunities. | 90% |
| CWE-119 | Buffer overflows are common in older, unpatched components, allowing attackers to execute arbitrary code or cause denial of service. | 90% |
| CWE-502 | Deserialization of untrusted data is a frequent vulnerability in application components, enabling remote code execution. | 80% |
| CWE-200 | Outdated components often suffer from information exposure flaws, leaking sensitive data to unauthorized actors. | 90% |
| CWE-327 | The use of broken or risky cryptographic algorithms is prevalent in older components, compromising data confidentiality and integrity. | 80% |
| CWE-863 | Incorrect authorization in outdated components can allow unauthorized users to access or modify resources, violating security policies. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0168 compute · voice-rubric self-validated