CWE-494
Download of Code Without Integrity Check
BaseDraftLikelihood: Medium
Description
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-184 · CAPEC-185 · CAPEC-186 · CAPEC-187 · CAPEC-533 · CAPEC-538 · CAPEC-657 · CAPEC-662 · CAPEC-691 · CAPEC-692 · CAPEC-693 · CAPEC-695
CVEs mapped to this weakness (34)
page 1 of 2| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34841 | Cri | 0.64 | 9.8 | 0.00 | Apr 6, 2026 | Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1 | |
| CVE-2025-28236 | Cri | 0.64 | 9.8 | 0.01 | Apr 18, 2025 | Nautel VX Series transmitters VX SW v6.4.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the firmware update process. This vulnerability allows attackers to execute arbitrary code via supplying a crafted update package to the /#/software/upgrades endpoint. | |
| CVE-2023-41921 | Cri | 0.64 | 9.8 | 0.00 | Jul 2, 2024 | A vulnerability allows attackers to download source code or an executable from a remote location and execute the code without sufficiently verifying the origin and integrity of the code. This vulnerability can allow attackers to modify the firmware before uploading it to the system, thus achieving the modification of the target’s integrity to achieve an insecure state. | |
| CVE-2002-0671 | Cri | 0.64 | 9.8 | 0.01 | Jul 23, 2002 | Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 downloads phone applications from a web site but can not verify the integrity of the applications, which could allow remote attackers to install Trojan horse applications via DNS spoofing. | |
| CVE-2001-1125 | Cri | 0.64 | 9.8 | 0.03 | Oct 5, 2001 | Symantec LiveUpdate before 1.6 does not use cryptography to ensure the integrity of download files, which allows remote attackers to execute arbitrary code via DNS spoofing of the update.symantec.com site. | |
| CVE-2026-3502 | Hig | 0.63 | 7.8 | 0.03 | KEV | Mar 30, 2026 | TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user. |
| CVE-2024-28878 | Cri | 0.62 | 9.6 | 0.00 | Apr 12, 2024 | IO-1020 Micro ELD downloads source code or an executable from an adjacent location and executes the code without sufficiently verifying the origin or integrity of the code. | |
| CVE-2025-53696 | Cri | 0.60 | — | 0.00 | Jul 28, 2025 | iSTAR Ultra performs a firmware verification on boot, however the verification does not inspect certain portions of the firmware. These firmware parts may contain malicious code. Tested up to firmware 6.9.2, later firmwares are also possibly affected. | |
| CVE-2025-27593 | Cri | 0.60 | 9.3 | 0.00 | Mar 14, 2025 | The product can be used to distribute malicious code using SDD Device Drivers due to missing download verification checks, leading to code execution on target systems. | |
| CVE-2024-48974 | Cri | 0.60 | 9.3 | 0.00 | Nov 14, 2024 | The ventilator does not perform proper file integrity checks when adopting firmware updates. This makes it possible for an attacker to force unauthorized changes to the device's configuration settings and/or compromise device functionality by pushing a compromised/illegitimate firmware file. This could disrupt the function of the device and/or cause unauthorized information disclosure. | |
| CVE-2026-40066 | Hig | 0.57 | 8.8 | 0.00 | Apr 17, 2026 | Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution. | |
| CVE-2025-53520 | Hig | 0.57 | 8.8 | 0.00 | Aug 8, 2025 | The affected product allows firmware updates to be downloaded from EG4's website, transferred via USB dongles, or installed through EG4's Monitoring Center (remote, cloud-connected interface) or via a serial connection, and can install these files without integrity checks. The TTComp archive format used for the firmware is unencrypted and can be unpacked and altered without detection. | |
| CVE-2025-7620 | Hig | 0.57 | 8.8 | 0.00 | Jul 14, 2025 | The cross-browser document creation component produced by Digitware System Integration Corporation has a Remote Code Execution vulnerability. If a user visits a malicious website while the component is active, remote attackers can cause the system to download and execute arbitrary programs. | |
| CVE-2024-30206 | Hig | 0.57 | 8.8 | 0.01 | May 14, 2024 | A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected SIMATIC RTLS Locating Manager Clients do not properly check the integrity of update files. This could allow an unauthenticated remote attacker to alter update files in transit and trick an authorized user into installing malicious code. A successful exploit requires the attacker to be able to modify the communication between server and client on the network. | |
| CVE-2024-54126 | Hig | 0.55 | — | 0.00 | Dec 5, 2024 | This vulnerability exists in the TP-Link Archer C50 due to improper signature verification mechanism in the firmware upgrade process at its web interface. An attacker with administrative privileges within the router’s Wi-Fi range could exploit this vulnerability by uploading and executing malicious firmware which could lead to complete compromise of the targeted device. | |
| CVE-2025-1058 | Hig | 0.53 | 8.1 | 0.00 | Feb 13, 2025 | CWE-494: Download of Code Without Integrity Check vulnerability exists that could render the device inoperable when malicious firmware is downloaded. | |
| CVE-2008-3324 | Hig | 0.53 | 8.1 | 0.00 | Aug 18, 2008 | The PartyGaming PartyPoker client program 121/120 does not properly verify the authenticity of updates, which allows remote man-in-the-middle attackers to execute arbitrary code via a Trojan horse update. | |
| CVE-2008-3438 | Hig | 0.53 | 8.1 | 0.00 | Aug 1, 2008 | Apple Mac OS X does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning. | |
| CVE-2025-52263 | Hig | 0.52 | 8.0 | 0.00 | Oct 27, 2025 | An issue in the Web Configuration module of Startcharge Artemis AC Charger 7-22 kW v1.0.4 allows authenticated network-adjacent attackers to upload crafted firmware, leading to arbitrary code execution. | |
| CVE-2026-42249 | Hig | 0.50 | — | 0.00 | Apr 29, 2026 | Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory. An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker‑chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables. Critically, when chained with CVE‑2026‑42248 (Missing Signature Verification for Updates), an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness. Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable. |