CWE-1191
AllowedOn-Chip Debug and Test Interface With Improper Access Control
Abstraction: Base · Status: Stable
The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.
35 vulnerabilities reference this CWE, most recent first.
GHSA-7C88-698J-QXF8
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-08-01 15:31This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to presence of root terminal access on a serial interface without proper access control. An attacker with physical access could exploit this by identifying UART pins and accessing the root shell on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to access the sensitive information on the targeted system.
{
"affected": [],
"aliases": [
"CVE-2024-4231"
],
"database_specific": {
"cwe_ids": [
"CWE-1191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:43:08Z",
"severity": "MODERATE"
},
"details": "This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to presence of root terminal access on a serial interface without proper access control. An\u00a0attacker\u00a0with\u00a0physical\u00a0access\u00a0could exploit this by identifying UART pins and accessing the root shell on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to access the sensitive information on the targeted system.",
"id": "GHSA-7c88-698j-qxf8",
"modified": "2024-08-01T15:31:44Z",
"published": "2024-05-14T18:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4231"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0158"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8X28-6C83-R9JR
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-06-26 21:31Successful exploitation of the vulnerability could allow an attacker that has physical access to interface with JTAG to inject or modify firmware.
{
"affected": [],
"aliases": [
"CVE-2025-48468"
],
"database_specific": {
"cwe_ids": [
"CWE-1191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-24T03:15:34Z",
"severity": "MODERATE"
},
"details": "Successful exploitation of the vulnerability could allow an attacker that has physical access to interface with JTAG to inject or modify firmware.",
"id": "GHSA-8x28-6c83-r9jr",
"modified": "2025-06-26T21:31:04Z",
"published": "2025-06-26T21:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48468"
},
{
"type": "WEB",
"url": "https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-061"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-93M9-FHM3-CJVP
Vulnerability from github – Published: 2024-11-15 00:31 – Updated: 2024-11-15 00:31The ventilator's microcontroller lacks memory protection. An attacker could connect to the internal JTAG interface and read or write to flash memory using an off-the-shelf debugging tool, which could disrupt the function of the device and/or cause unauthorized information disclosure.
{
"affected": [],
"aliases": [
"CVE-2024-48970"
],
"database_specific": {
"cwe_ids": [
"CWE-1191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-14T22:15:18Z",
"severity": "CRITICAL"
},
"details": "The ventilator\u0027s microcontroller lacks memory protection. An attacker could connect to the internal JTAG interface and read or write to flash memory using an off-the-shelf debugging tool, which could disrupt the function of the device and/or cause unauthorized information disclosure.",
"id": "GHSA-93m9-fhm3-cjvp",
"modified": "2024-11-15T00:31:51Z",
"published": "2024-11-15T00:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48970"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-319-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9CMP-PPM3-HP8W
Vulnerability from github – Published: 2025-02-11 12:30 – Updated: 2025-11-04 00:32A serial interface can be accessed with physical access to the PCB of Wattsense Bridge devices. After connecting to the interface, access to the bootloader is possible, as well as a Linux login prompt. The bootloader access can be used to gain a root shell on the device. This issue is fixed in recent firmware versions BSP >= 6.4.1.
{
"affected": [],
"aliases": [
"CVE-2025-26409"
],
"database_specific": {
"cwe_ids": [
"CWE-1191",
"CWE-1299"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T10:15:09Z",
"severity": "MODERATE"
},
"details": "A serial interface can be accessed with physical access to the PCB of Wattsense Bridge devices. After connecting to the interface, access to the bootloader is possible, as well as a Linux login prompt. The bootloader access can be used to gain a root shell on the device. This issue is fixed in\u00a0recent firmware versions BSP \u003e= 6.4.1.",
"id": "GHSA-9cmp-ppm3-hp8w",
"modified": "2025-11-04T00:32:19Z",
"published": "2025-02-11T12:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26409"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/wattsense"
},
{
"type": "WEB",
"url": "https://support.wattsense.com/hc/en-150/articles/13366066529437-Release-Notes"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Feb/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9HPM-6W4C-HXH2
Vulnerability from github – Published: 2024-03-14 18:30 – Updated: 2024-04-05 09:30On-chip debug and test interface with improper access control in some 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2023-32666"
],
"database_specific": {
"cwe_ids": [
"CWE-1191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-14T17:15:51Z",
"severity": "HIGH"
},
"details": "On-chip debug and test interface with improper access control in some 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.",
"id": "GHSA-9hpm-6w4c-hxh2",
"modified": "2024-04-05T09:30:38Z",
"published": "2024-03-14T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32666"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240405-0010"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00986.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FR6M-J2M3-HGW4
Vulnerability from github – Published: 2026-02-12 18:30 – Updated: 2026-02-12 18:30Debug code left active in AMD's Video Decoder Engine Firmware (VCN FW) could allow a attacker to submit a maliciously crafted command causing the VCN FW to perform read/writes HW registers, potentially impacting confidentiality, integrity and availabilability of the system.
{
"affected": [],
"aliases": [
"CVE-2024-36319"
],
"database_specific": {
"cwe_ids": [
"CWE-1191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-12T18:16:06Z",
"severity": "MODERATE"
},
"details": "Debug code left active in AMD\u0027s Video Decoder Engine Firmware (VCN FW) could allow a attacker to submit a maliciously crafted command causing the VCN FW to perform read/writes HW registers, potentially impacting confidentiality, integrity and availabilability of the system.",
"id": "GHSA-fr6m-j2m3-hgw4",
"modified": "2026-02-12T18:30:24Z",
"published": "2026-02-12T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36319"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-GWX6-666H-F6WC
Vulnerability from github – Published: 2025-06-27 03:30 – Updated: 2025-10-24 18:30Flock Safety Gunshot Detection devices before 1.3 have an on-chip debug interface with improper access control.
{
"affected": [],
"aliases": [
"CVE-2025-47819"
],
"database_specific": {
"cwe_ids": [
"CWE-1191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-27T02:15:23Z",
"severity": "MODERATE"
},
"details": "Flock Safety Gunshot Detection devices before 1.3 have an on-chip debug interface with improper access control.",
"id": "GHSA-gwx6-666h-f6wc",
"modified": "2025-10-24T18:30:57Z",
"published": "2025-06-27T03:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47819"
},
{
"type": "WEB",
"url": "https://gainsec.com/2025/06/19/bird-hunting-season-security-research-on-flock-safety-anti-crime-systems"
},
{
"type": "WEB",
"url": "https://gainsec.com/2025/06/19/plucked-and-rooted-device-1-debug-shell-on-flock-safetys-raven-gunshot-detection-system"
},
{
"type": "WEB",
"url": "https://gainsec.com/wp-content/uploads/2025/06/flock-safety-researcher-summary.pdf"
},
{
"type": "WEB",
"url": "https://www.flocksafety.com/articles/gunshot-detection-and-license-plate-reader-security-alert"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HRV9-F2QW-V2XG
Vulnerability from github – Published: 2022-11-18 00:30 – Updated: 2022-11-22 03:30Mediatrix 4102 before v48.5.2718 allows local attackers to gain root access via the UART port.
{
"affected": [],
"aliases": [
"CVE-2022-43096"
],
"database_specific": {
"cwe_ids": [
"CWE-1191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-17T23:15:00Z",
"severity": "MODERATE"
},
"details": "Mediatrix 4102 before v48.5.2718 allows local attackers to gain root access via the UART port.",
"id": "GHSA-hrv9-f2qw-v2xg",
"modified": "2022-11-22T03:30:59Z",
"published": "2022-11-18T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43096"
},
{
"type": "WEB",
"url": "https://documentation.media5corp.com/display/MP/DGW+Security+Improvement+Notes+v48.5.2718"
},
{
"type": "WEB",
"url": "https://github.com/ProxyStaffy/Mediatrix-CVE-2022-43096"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HRWQ-G9X9-JMQ2
Vulnerability from github – Published: 2025-02-11 12:30 – Updated: 2025-11-04 00:32The JTAG interface of Wattsense Bridge devices can be accessed with physical access to the PCB. After connecting to the interface, full access to the device is possible. This enables an attacker to extract information, modify and debug the device's firmware. All known versions are affected.
{
"affected": [],
"aliases": [
"CVE-2025-26408"
],
"database_specific": {
"cwe_ids": [
"CWE-1191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T10:15:09Z",
"severity": "MODERATE"
},
"details": "The JTAG interface of Wattsense Bridge devices can be accessed with physical access to the PCB. After connecting to the interface, full access to the device is possible. This enables an attacker to extract information, modify and debug the device\u0027s firmware. All known versions are affected.",
"id": "GHSA-hrwq-g9x9-jmq2",
"modified": "2025-11-04T00:32:19Z",
"published": "2025-02-11T12:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26408"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/wattsense"
},
{
"type": "WEB",
"url": "https://support.wattsense.com/hc/en-150/articles/13366066529437-Release-Notes"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Feb/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MH42-RQV8-HGGX
Vulnerability from github – Published: 2022-10-20 19:00 – Updated: 2025-05-08 18:30Some versions of Sonos One (1st and 2nd generation) allow partial or full memory access via attacker controlled hardware that can be attached to the Mini-PCI Express slot on the motherboard that hosts the WiFi card on the device.
{
"affected": [],
"aliases": [
"CVE-2020-9285"
],
"database_specific": {
"cwe_ids": [
"CWE-1191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-20T17:15:00Z",
"severity": "MODERATE"
},
"details": "Some versions of Sonos One (1st and 2nd generation) allow partial or full memory access via attacker controlled hardware that can be attached to the Mini-PCI Express slot on the motherboard that hosts the WiFi card on the device.",
"id": "GHSA-mh42-rqv8-hggx",
"modified": "2025-05-08T18:30:30Z",
"published": "2022-10-20T19:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9285"
},
{
"type": "WEB",
"url": "https://tnpitsecurity.com/blog/gaining-root-on-sonos-speakers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Separation of Privilege
If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.