Abstraction: Base · Status: Incomplete

CWE-15: External Control of System or Configuration Setting

Category: config

Description

One or more system settings or configuration elements can be externally controlled by a user. Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways.

Common consequences (1)

  • Other — Varies by Context

Potential mitigations (3)

  • [Architecture and Design]
  • [Implementation, Architecture and Design] Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.
  • [Implementation, Architecture and Design] In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker.
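As an added illustration of the last two mitigations (example code written for this page, not MITRE's or the page's own), the routine below lets any submitted key overwrite live configuration, beside a hardened version that exposes only an allow-list of user-tunable settings with a validator per key. All function names, keys and the default configuration are constructed for the example.

```python
"""CWE-15 illustration: untrusted input steering configuration, vulnerable
form beside a hardened form. Everything here is constructed sample code."""
from typing import Any, Callable

# Constructed application configuration. Several keys are sensitive: they
# decide where data is written, what the app trusts, and what it reveals.
DEFAULT_CONFIG: dict[str, Any] = {
    "theme": "light",
    "items_per_page": 20,
    "debug": False,                          # sensitive: leaks traces/secrets
    "log_path": "/var/log/app/app.log",      # sensitive: file write target
    "upstream_api": "https://api.example.invalid",  # sensitive: data sink
}


def apply_settings_vulnerable(config: dict[str, Any],
                              user_input: dict[str, Any]) -> dict[str, Any]:
    """CWE-15: every key the caller sends overwrites the live configuration,
    so 'debug', 'log_path' or 'upstream_api' are as controllable as 'theme'."""
    updated = dict(config)
    updated.update(user_input)
    return updated


# Allow-list of settings an ordinary user may change, each with a validator.
# Anything not listed is treated as a sensitive value by default.
USER_TUNABLE: dict[str, Callable[[Any], bool]] = {
    "theme": lambda v: v in ("light", "dark"),
    "items_per_page": lambda v: isinstance(v, int) and 1 <= v <= 100,
}


class RejectedSetting(ValueError):
    """Raised so that a rejected key is visible to callers and audit logs."""


def apply_settings_hardened(config: dict[str, Any],
                            user_input: dict[str, Any]) -> dict[str, Any]:
    """Only allow-listed keys with validated values reach the configuration.
    Unknown keys are rejected outright rather than silently dropped, so an
    attempt to set a sensitive value is detectable instead of ignored."""
    updated = dict(config)
    for key, value in user_input.items():
        validator = USER_TUNABLE.get(key)
        if validator is None:
            raise RejectedSetting(f"setting {key!r} is not user-controllable")
        if not validator(value):
            raise RejectedSetting(f"invalid value for {key!r}: {value!r}")
        updated[key] = value
    return updated
```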

Related CAPEC attack patterns (10)

CAPEC-13, CAPEC-146, CAPEC-176, CAPEC-203, CAPEC-270, CAPEC-271, CAPEC-579, CAPEC-69, CAPEC-76, CAPEC-77

References

  1. https://cwe.mitre.org/data/definitions/15.html

Exploits (incoming, 10)

Type | Target | Confidence | Tier
AttackPattern | Manipulating User-Controlled Variables (capec-77) | 100% | live
AttackPattern | Replace Winlogon Helper DLL (capec-579) | 100% | live
AttackPattern | Configuration/Environment Manipulation (capec-176) | 100% | live
AttackPattern | Subverting Environment Variable Values (capec-13) | 100% | live
AttackPattern | Modification of Registry Run Keys (capec-270) | 100% | live
AttackPattern | XML Schema Poisoning (capec-146) | 100% | live
AttackPattern | Manipulate Registry Information (capec-203) | 100% | live
AttackPattern | Target Programs with Elevated Privileges (capec-69) | 100% | live
AttackPattern | Manipulating Web Input to File System Calls (capec-76) | 100% | live
AttackPattern | Schema Poisoning (capec-271) | 100% | live

(incoming, 8)

Type | Target | Confidence | Tier
Vulnerability | CVE-2025-27889 (cve-2025-27889) | 0% | live
Vulnerability | CVE-2026-22177 (cve-2026-22177) | 0% | live
Vulnerability | CVE-2026-22708 (cve-2026-22708) | 0% | live
Vulnerability | CVE-2026-27203 (cve-2026-27203) | 0% | live
Vulnerability | CVE-2026-35650 (cve-2026-35650) | 0% | live
Vulnerability | CVE-2026-41294 (cve-2026-41294) | 0% | live
Vulnerability | CVE-2026-41489 (cve-2026-41489) | 0% | live
Vulnerability | CVE-2026-43531 (cve-2026-43531) | 0% | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: External Control of Critical State Data
  • CWE: Reliance on Untrusted Inputs in a Security Decision
  • CWE: Exposure of Sensitive System Information to an Unauthorized Control Sphere
  • CWE: Lack of Administrator Control over Security
  • CWE: External Initialization of Trusted Variables or Data Stores
  • CWE: Process Control

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.