Abstraction: Base, Status: Draft

CWE-494: Download of Code Without Integrity Check

Category: other

Description

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
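As an added example (not part of the CWE entry), the following Python code shows the check the description calls for: a downloaded artifact is released to the caller only after its URL scheme and its SHA-256 digest, pinned in the application, have been verified. The URL, artifact bytes and fetch functions are constructed stand-ins so the code runs offline.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample artifact and the digest the application pins for it.
# In a real program the digest is shipped with the updater (or obtained over
# a separately authenticated channel), never from the download location
# itself; it is derived here only so the example is self-contained.
GOOD_ARTIFACT = b"print('plugin 1.2.3 loaded')\n"
PINNED_SHA256 = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
ARTIFACT_URL = "https://updates.example/plugin-1.2.3.py"  # hypothetical host


class IntegrityError(Exception):
    """Raised when the downloaded bytes do not match the pinned digest."""


def fetch(url: str) -> bytes:
    """Stand-in for a real HTTP download (e.g. urllib.request.urlopen)."""
    return GOOD_ARTIFACT


def fetch_tampered(url: str) -> bytes:
    """Simulates a compromised mirror or on-path modification of the code."""
    return GOOD_ARTIFACT + b"print('extra code appended in transit')\n"


def download_verified(url: str, expected_sha256: str, fetcher=fetch) -> bytes:
    """Download code and return it only after origin and integrity checks.

    The CWE-494 pattern is the shortcut this function refuses to take:
        exec(fetch(url))   # no origin or integrity check at all
    """
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to fetch code over a non-TLS URL: " + url)
    data = fetcher(url)
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest keeps the comparison time independent of where it fails.
    if not hmac.compare_digest(actual, expected_sha256):
        raise IntegrityError(
            f"digest mismatch for {url}: expected {expected_sha256}, got {actual}"
        )
    return data


if __name__ == "__main__":
    code = download_verified(ARTIFACT_URL, PINNED_SHA256)
    print("verified %d bytes, safe to install" % len(code))
    try:
        download_verified(ARTIFACT_URL, PINNED_SHA256, fetcher=fetch_tampered)
    except IntegrityError as exc:
        print("rejected:", exc)
```

The same structure applies when the pinned value is a signature rather than a digest: the key material must come from the application or an authenticated channel, not from the server that serves the artifact.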

Common consequences (1)

  • Integrity / Availability / Confidentiality / Other — Execute Unauthorized Code or Commands, Alter Execution Logic, Other
    Executing untrusted code could compromise the control flow of the program. The untrusted code could execute attacker-controlled commands, read or modify sensitive resources, or prevent the software from functioning correctly for legitimate users.

Potential mitigations (5)

  • [Implementation] Perform proper forward and reverse DNS lookups to detect DNS spoofing.
  • [Architecture and Design, Operation]
  • [Architecture and Design]
  • [Architecture and Design, Operation] Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
  • [Architecture and Design, Operation]

Related CAPEC attack patterns (12)

CAPEC-184, CAPEC-185, CAPEC-186, CAPEC-187, CAPEC-533, CAPEC-538, CAPEC-657, CAPEC-662, CAPEC-691, CAPEC-692, CAPEC-693, CAPEC-695

References

  1. https://cwe.mitre.org/data/definitions/494.html

Exploits (incoming) (12)

Type | Target | Confidence | Tier
AttackPattern | Adversary in the Browser (AiTB) (capec-662) | 100% | live
AttackPattern | Open-Source Library Manipulation (capec-538) | 100% | live
AttackPattern | Malicious Automated Software Update via Spoofing (capec-657) | 100% | live
AttackPattern | Malicious Automated Software Update via Redirection (capec-187) | 100% | live
AttackPattern | Malicious Software Download (capec-185) | 100% | live
AttackPattern | Spoof Version Control System Commit Metadata (capec-692) | 100% | live
AttackPattern | StarJacking (capec-693) | 100% | live
AttackPattern | Repo Jacking (capec-695) | 100% | live
AttackPattern | Malicious Manual Software Update (capec-533) | 100% | live
AttackPattern | Malicious Software Update (capec-186) | 100% | live
AttackPattern | Software Integrity Attack (capec-184) | 100% | live
AttackPattern | Spoof Open-Source Software Metadata (capec-691) | 100% | live

Compliance frameworks addressing this (incoming) (2)

Type | Target | Confidence | Tier
ComplianceControl | owasp_top10-a08 | 100% | live
ComplianceControl | owasp_llm_top10-llm03 | 100% | live

Vulnerabilities and KEV entries (incoming) (31)

Type | Target | Confidence | Tier
Vulnerability | CVE-2025-1058 (cve-2025-1058) | 0% | live
Vulnerability | CVE-2025-14265 (cve-2025-14265) | 0% | live
Vulnerability | Notepad++ Download of Code Without Integrity Check Vulnerability (cve-2025-15556) | 0% | live
Vulnerability | CVE-2025-27593 (cve-2025-27593) | 0% | live
Vulnerability | CVE-2025-28236 (cve-2025-28236) | 0% | live
Vulnerability | CVE-2025-31355 (cve-2025-31355) | 0% | live
Vulnerability | CVE-2025-34212 (cve-2025-34212) | 0% | live
Vulnerability | CVE-2025-35115 (cve-2025-35115) | 0% | live
Vulnerability | CVE-2025-40604 (cve-2025-40604) | 0% | live
Vulnerability | CVE-2025-52263 (cve-2025-52263) | 0% | live
Vulnerability | CVE-2025-53520 (cve-2025-53520) | 0% | live
Vulnerability | CVE-2025-56513 (cve-2025-56513) | 0% | live
Vulnerability | CVE-2025-57431 (cve-2025-57431) | 0% | live
Vulnerability | CVE-2025-63434 (cve-2025-63434) | 0% | live
Vulnerability | CVE-2025-69263 (cve-2025-69263) | 0% | live
Vulnerability | CVE-2025-7620 (cve-2025-7620) | 0% | live
Vulnerability | CVE-2026-27180 (cve-2026-27180) | 0% | live
Vulnerability | CVE-2026-28500 (cve-2026-28500) | 0% | live
Vulnerability | CVE-2026-2999 (cve-2026-2999) | 0% | live
Vulnerability | CVE-2026-3000 (cve-2026-3000) | 0% | live
Vulnerability | CVE-2026-33075 (cve-2026-33075) | 0% | live
Vulnerability | CVE-2026-34841 (cve-2026-34841) | 0% | live
Vulnerability | TrueConf Client Download of Code Without Integrity Check Vulnerability (cve-2026-3502) | 0% | live
Vulnerability | CVE-2026-40066 (cve-2026-40066) | 0% | live
Vulnerability | CVE-2026-42248 (cve-2026-42248) | 0% | live
Vulnerability | CVE-2026-42249 (cve-2026-42249) | 0% | live
Vulnerability | CVE-2026-9089 (cve-2026-9089) | 0% | live
KEVEntry | Fortinet FortiOS Arbitrary File Download (kev-cve-2021-44168) | 0% | live
KEVEntry | D-Link DNR-322L Download of Code Without Integrity Check Vulnerability (kev-cve-2022-40799) | 0% | live
KEVEntry | Notepad++ Download of Code Without Integrity Check Vulnerability (kev-cve-2025-15556) | 0% | live

Showing top 30 of 31 by confidence.

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Dependency on Vulnerable Third-Party Component
  • CWE: Improper Control of Generation of Code ('Code Injection')
  • CWE: Inclusion of Functionality from Untrusted Control Sphere
  • CWE: Reliance on Insufficiently Trustworthy Component
  • CWE: Improper Verification of Source of a Communication Channel
  • CWE: Use of Hard-coded Credentials

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.