CWE-530: Exposure of Backup File to an Unauthorized Control Sphere
A backup file is stored in a directory or archive that is made accessible to unauthorized actors.
Last updated
Overview
Often, older backup files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator.
Real-world CVEs
11 recorded CVEs are caused by CWE-530 (Exposure of Backup File to an Unauthorized Control Sphere). The highest-severity and most recent are shown first. 2 new CWE-530 CVEs have been recorded so far in 2026 (3 in 2025).
- CVE-2024-56462
IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
High · CVSS 8.8 · EPSS 37th2026-05-27 - CVE-2020-36899
QiHang Media Web Digital Signage 3.0.9 Unauthenticated Arbitrary File Disclosure
High · CVSS 8.7 · EPSS 54th2025-12-10 - CVE-2024-12330
WP Database Backup – Unlimited Database & Files Backup by Backup for WP <= 7.3 - Unauthenticated Database Back-Up Exposure
High · CVSS 7.5 · EPSS 39th2025-01-09 - CVE-2023-5297High · CVSS 7.5 · EPSS 48th2023-09-29
- CVE-2024-2364Medium · CVSS 4.6 · EPSS 25th2024-03-10
- CVE-2026-13514
Chess Play and Learn App com.chess AndroidManifest.xml backup
Low · CVSS 2.4 · EPSS 3th2026-06-28 - CVE-2024-3430
QKSMS Backup File androidmanifest.xml backup
Low · CVSS 2.4 · EPSS 13th2024-04-07 - CVE-2024-3128
Replify-Messenger Backup File androidmanifest.xml backup
Low · CVSS 2.4 · EPSS 18th2024-04-01 - CVE-2024-3124Low · CVSS 2.4 · EPSS 20th2024-04-01
- CVE-2024-2567Low · CVSS 1.8 · EPSS 12th2024-03-17
- CVE-2025-3773CVSS 0.0 · EPSS 3th2025-06-26
Common consequences
What can happen when CWE-530 is exploited.
Read Application Data
Affects: Confidentiality
At a minimum, an attacker who retrieves this file would have all the information contained in it, whether that be database calls, the format of parameters accepted by the application, or simply information regarding the architectural structure of your site.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-530, grouped by where in the lifecycle they apply.
Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2024-7315 — Chain: WordPress plugin does not use sufficient randomness when generating the filename for a backup (CWE-340), allowing attackers to obtain backup files (CWE-530)
Frequently asked questions
Common questions about CWE-530.
- What is CWE-530?
- A backup file is stored in a directory or archive that is made accessible to unauthorized actors.
- What CVEs are caused by CWE-530?
- 11 recorded CVEs are attributed to CWE-530, including CVE-2024-56462, CVE-2020-36899, CVE-2024-12330.
- How do you prevent CWE-530?
- Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.
- How is CWE-530 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-530?
- Exploiting CWE-530 can lead to: Read Application Data.
- Is CWE-530 actively exploited?
- 11 recorded CVEs are caused by CWE-530; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-530) (opens in a new tab)
- CWE-530 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-530
Get alerted the moment a new CWE-530 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.