CWE-1357: Reliance on Insufficiently Trustworthy Component
The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.
Last updated
Overview
Many modern hardware and software products are built by combining multiple smaller components together into one larger entity, often during the design or architecture phase. For example, a hardware component might be built by a separate supplier, or the product might use an open-source software library from a third party. Regardless of the source, each component should be sufficiently trusted to ensure correct, secure operation of the product. If a component is not trustworthy, it can produce significant risks for the overall product, such as vulnerabilities that cannot be patched fast enough (if at all); hidden functionality such as malware; inability to update or replace the component if needed for security purposes; hardware components built from parts that do not meet specifications in ways that can lead to weaknesses; etc. Note that a component might not be trustworthy even if it is owned by the product vendor, such as a software component whose source code is lost and was built by developers who left the company, or a component that was developed by a separate company that was acquired and brought into the product's own company. Note that there can be disagreement as to whether a component is sufficiently trustworthy, since trust is ultimately subjective. Different stakeholders (e.g., customers, vendors, governments) have various threat models and ways to assess trust, and design/architecture choices might make tradeoffs between security, reliability, safety, privacy, cost, and other characteristics.
Real-world CVEs
4 recorded CVEs are caused by CWE-1357 (Reliance on Insufficiently Trustworthy Component). The highest-severity and most recent are shown first. 0 new CWE-1357 CVEs have been recorded so far in 2026 (1 in 2025).
- CVE-2024-26024High · CVSS 8.6 · EPSS 11th2024-05-28
- CVE-2024-28042High · CVSS 8.6 · EPSS 11th2024-05-15
- CVE-2024-3313High · CVSS 8.6 · EPSS 17th2024-04-09
- CVE-2025-32800
Conda-build vulnerable to supply chain attack vector due to pyproject.toml referring to dependencies not present in PyPI
High · CVSS 7.2 · EPSS 42th2025-06-16
Common consequences
What can happen when CWE-1357 is exploited.
Reduce Maintainability
Affects: Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-1357, grouped by where in the lifecycle they apply.
For each component, ensure that its supply chain is well-controlled with sub-tier suppliers using best practices. For third-party software components such as libraries, ensure that they are developed and actively maintained by reputable vendors.
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Continue to monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, supplier practices that affect trustworthiness, etc.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
A refrigerator has an Internet interface for the official purpose of alerting the manufacturer when that refrigerator detects a fault. Because the device is attached to the Internet, the refrigerator is a target for hackers who may wish to use the device other potentially more nefarious purposes.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2020-9054CISA KEV— Chain: network-attached storage (NAS) device has a critical OS command injection (CWE-78) vulnerability that is actively exploited to place IoT devices into a botnet, but some products are "end-of-support" and cannot be patched (CWE-1277). [REF-1097]
Terminology & mappings
Mapped taxonomies
- ISA/IEC 62443: Req SP.03.02 RE(1) (Part 2-4)
- ISA/IEC 62443: Req SP.03.02 RE(2) (Part 2-4)
- ISA/IEC 62443: Req SR 1.13 (Part 3-3)
- ISA/IEC 62443: Req EDR 3.12 (Part 4-2)
- ISA/IEC 62443: Req HDR 3.12 (Part 4-2)
- ISA/IEC 62443: Req NDR 3.12 (Part 4-2)
- ISA/IEC 62443: Req EDR 3.13 (Part 4-2)
- ISA/IEC 62443: Req HDR 3.13 (Part 4-2)
- ISA/IEC 62443: Req NDR 3.13 (Part 4-2)
- ISA/IEC 62443: Req CR-7.8 (Part 4-2)
- ISA/IEC 62443: Req SM-6 (Part 4-1)
- ISA/IEC 62443: Req SM-9 (Part 4-1)
- ISA/IEC 62443: Req SM-10 (Part 4-1)
Frequently asked questions
Common questions about CWE-1357.
- What is CWE-1357?
- The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.
- What CVEs are caused by CWE-1357?
- 4 recorded CVEs are attributed to CWE-1357, including CVE-2024-26024, CVE-2024-28042, CVE-2024-3313.
- How do you prevent CWE-1357?
- For each component, ensure that its supply chain is well-controlled with sub-tier suppliers using best practices. For third-party software components such as libraries, ensure that they are developed and actively maintained by reputable vendors.
- How is CWE-1357 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1357?
- Exploiting CWE-1357 can lead to: Reduce Maintainability.
- Is CWE-1357 actively exploited?
- 4 recorded CVEs are caused by CWE-1357; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1357) (opens in a new tab)
- CWE-1357 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1357
Get alerted the moment a new CWE-1357 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.