CWE-494: Download of Code Without Integrity Check
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
Last updated
Overview
An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
Real-world CVEs
140 recorded CVEs are caused by CWE-494 (Download of Code Without Integrity Check), including 4 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 24 new CWE-494 CVEs have been recorded so far in 2026 (33 in 2025).
- CVE-2026-3502CISA KEV
TrueConf Client Update Integrity Verification Bypass
High · CVSS 8.8 · EPSS 92th2026-03-30 - CVE-2022-40799CISA KEVHigh · CVSS 8.7 · EPSS 98th2022-11-29
- CVE-2025-15556CISA KEV
Notepad++ < 8.8.9 WinGUp Updater Lacks Update Integrity Verification
High · CVSS 7.7 · EPSS 66th2026-02-03 - CVE-2021-44168CISA KEVMedium · CVSS 4.8 · EPSS 55th2022-01-04
- CVE-2025-40604Critical · CVSS 9.8 · EPSS 7th2025-11-20
- CVE-2025-56513Critical · CVSS 9.8 · EPSS 34th2025-09-30
- CVE-2025-31355Critical · CVSS 9.8 · EPSS 20th2025-08-20
- CVE-2025-28236Critical · CVSS 9.8 · EPSS 28th2025-04-18
- CVE-2024-45321Critical · CVSS 9.8 · EPSS 50th2024-08-27
- CVE-2023-41921Critical · CVSS 9.8 · EPSS 17th2024-07-02
- CVE-2024-27438
Apache Doris: Downloading arbitrary remote jar files resulting in remote command execution
Critical · CVSS 9.8 · EPSS 58th2024-03-21 - CVE-2023-45799
MLSoft TCO!stream Remote Code Execution Vulnerability
Critical · CVSS 9.8 · EPSS 19th2023-10-30
Showing 12 of 140 recorded CWE-494 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-494 vulnerabilitiesCommon consequences
What can happen when CWE-494 is exploited.
Execute Unauthorized Code or Commands, Alter Execution Logic, Other
Affects: Integrity, Availability, Confidentiality, Other
Executing untrusted code could compromise the control flow of the program. The untrusted code could execute attacker-controlled commands, read or modify sensitive resources, or prevent the software from functioning correctly for legitimate users.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-494, grouped by where in the lifecycle they apply.
Perform proper forward and reverse DNS lookups to detect DNS spoofing.
Encrypt the code with a reliable encryption scheme before transmitting.
This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site.
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
Speficially, it may be helpful to use tools or frameworks to perform integrity checking on the transmitted code.
- When providing the code that is to be downloaded, such as for automatic updates of the software, then use cryptographic signatures for the code and modify the download clients to verify the signatures. Ensure that the implementation does not contain CWE-295, CWE-320, CWE-347, and related weaknesses.
- Use code signing technologies such as Authenticode. See references [REF-454] [REF-455] [REF-456].
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
Be careful to avoid CWE-243 and other weaknesses related to jails.
Effectiveness: Limited — The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.
How to detect it
Manual Analysis
This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.
Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.
Black Box
Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic.
Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This example loads an external class from a local subdirectory.
Vulnerable example
URL[] classURLs= new URL[]{This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum. An attacker may be able to modify the class file to execute malicious code.
This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application.
Vulnerable example
//assume the password is already encrypted, avoiding CWE-312Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2019-9534 — Satellite phone does not validate its firmware image.
- CVE-2021-22909 — Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494).
- CVE-2008-3438 — OS does not verify authenticity of its own updates.
- CVE-2008-3324 — online poker client does not verify authenticity of its own updates.
- CVE-2001-1125 — anti-virus product does not verify automatic updates for itself.
- CVE-2002-0671 — VOIP phone downloads applications from web sites without verifying integrity.
Terminology & mappings
Mapped taxonomies
- CLASP: Invoking untrusted mobile code
- The CERT Oracle Secure Coding Standard for Java (2011): Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar (SEC06-J)
- Software Fault Patterns: Tainted input to environment (SFP27)
Attack patterns
CAPEC attack patterns that exploit this weakness.
- CAPEC-184: Software Integrity Attack
- CAPEC-185: Malicious Software Download
- CAPEC-186: Malicious Software Update
- CAPEC-187: Malicious Automated Software Update via Redirection
- CAPEC-533: Malicious Manual Software Update
- CAPEC-538: Open-Source Library Manipulation
- CAPEC-657: Malicious Automated Software Update via Spoofing
- CAPEC-662: Adversary in the Browser (AiTB)
- CAPEC-691: Spoof Open-Source Software Metadata
- CAPEC-692: Spoof Version Control System Commit Metadata
- CAPEC-693: StarJacking
- CAPEC-695: Repo Jacking
Frequently asked questions
Common questions about CWE-494.
- What is CWE-494?
- The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
- What CVEs are caused by CWE-494?
- 140 recorded CVEs are attributed to CWE-494, including CVE-2026-3502, CVE-2022-40799, CVE-2025-15556. 4 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-494?
- Perform proper forward and reverse DNS lookups to detect DNS spoofing.
- How is CWE-494 detected?
- Manual Analysis: This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.
- What are the consequences of CWE-494?
- Exploiting CWE-494 can lead to: Execute Unauthorized Code or Commands, Alter Execution Logic, Other.
- Is CWE-494 actively exploited?
- Yes. 4 CWE-494 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 140 recorded CVEs.
References
- MITRE CWE definition (CWE-494) (opens in a new tab)
- CWE-494 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-494
Get alerted the moment a new CWE-494 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.