CWE-1244
AllowedInternal Asset Exposed to Unsafe Debug Access Level or State
Abstraction: Base · Status: Stable
The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.
22 vulnerabilities reference this CWE, most recent first.
CVE-2020-5372 (GCVE-0-2020-5372)
Vulnerability from cvelistv5 – Published: 2020-07-06 17:45 – Updated: 2024-09-16 16:33- CWE-1244 - Improper Authorization on Physical Debug and Test Interfaces
| URL | Tags |
|---|---|
| https://www.dell.com/support/security/en-us/detai… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | PowerStore |
Affected:
unspecified , < 1.0.1.0.5.002
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:23.808Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.dell.com/support/security/en-us/details/544738/DSA-2020-159-Dell-EMC-PowerStore-Family-Improper-Authorization-Vulnerability"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PowerStore",
"vendor": "Dell",
"versions": [
{
"lessThan": "1.0.1.0.5.002",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Dell EMC PowerStore versions prior to 1.0.1.0.5.002 contain a vulnerability that exposes test interface ports to external network. A remote unauthenticated attacker could potentially cause Denial of Service via test interface ports which are not used during run time environment."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1244",
"description": "CWE-1244: Improper Authorization on Physical Debug and Test Interfaces",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-06T17:45:19.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.dell.com/support/security/en-us/details/544738/DSA-2020-159-Dell-EMC-PowerStore-Family-Improper-Authorization-Vulnerability"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2020-06-25",
"ID": "CVE-2020-5372",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PowerStore",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.0.1.0.5.002"
}
]
}
}
]
},
"vendor_name": "Dell"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Dell EMC PowerStore versions prior to 1.0.1.0.5.002 contain a vulnerability that exposes test interface ports to external network. A remote unauthenticated attacker could potentially cause Denial of Service via test interface ports which are not used during run time environment."
}
]
},
"impact": {
"cvss": {
"baseScore": 8.6,
"baseSeverity": "High",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1244: Improper Authorization on Physical Debug and Test Interfaces"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.dell.com/support/security/en-us/details/544738/DSA-2020-159-Dell-EMC-PowerStore-Family-Improper-Authorization-Vulnerability",
"refsource": "MISC",
"url": "https://www.dell.com/support/security/en-us/details/544738/DSA-2020-159-Dell-EMC-PowerStore-Family-Improper-Authorization-Vulnerability"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2020-5372",
"datePublished": "2020-07-06T17:45:19.201Z",
"dateReserved": "2020-01-03T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:33:52.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-549V-R8J8-4RMH
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. This vulnerability has a high impact on confidentiality, availability and low impact on integrity and of the application.
{
"affected": [],
"aliases": [
"CVE-2025-42878"
],
"database_specific": {
"cwe_ids": [
"CWE-1244"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T16:17:52Z",
"severity": "HIGH"
},
"details": "SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. This vulnerability has a high impact on confidentiality, availability and low impact on integrity and of the application.",
"id": "GHSA-549v-r8j8-4rmh",
"modified": "2025-12-09T18:30:37Z",
"published": "2025-12-09T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42878"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3684682"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5877-738Q-8JM4
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-09-05 18:31NVIDIA HGX and DGX contain a vulnerability where a misconfiguration of the VBIOS could enable an attacker to set an unsafe debug access level. A successful exploit of this vulnerability might lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2025-23301"
],
"database_specific": {
"cwe_ids": [
"CWE-1244"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T16:15:34Z",
"severity": "MODERATE"
},
"details": "NVIDIA HGX and DGX contain a vulnerability where a misconfiguration of the VBIOS could enable an attacker to set an unsafe debug access level. A successful exploit of this vulnerability might lead to denial of service.",
"id": "GHSA-5877-738q-8jm4",
"modified": "2025-09-05T18:31:15Z",
"published": "2025-09-05T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23301"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5674"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23301"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5H24-3XCP-8X64
Vulnerability from github – Published: 2022-05-17 00:19 – Updated: 2022-05-17 00:19In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an information disclosure vulnerability in the default configuration of the QNX SDP could allow an attacker to gain information relating to memory layout that could be used in a blended attack by executing commands targeting procfs resources.
{
"affected": [],
"aliases": [
"CVE-2017-3892"
],
"database_specific": {
"cwe_ids": [
"CWE-1244",
"CWE-200"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-14T21:29:00Z",
"severity": "HIGH"
},
"details": "In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an information disclosure vulnerability in the default configuration of the QNX SDP could allow an attacker to gain information relating to memory layout that could be used in a blended attack by executing commands targeting procfs resources.",
"id": "GHSA-5h24-3xcp-8x64",
"modified": "2022-05-17T00:19:41Z",
"published": "2022-05-17T00:19:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3892"
},
{
"type": "WEB",
"url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000046674"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9M35-V5WH-M3XW
Vulnerability from github – Published: 2026-04-20 21:31 – Updated: 2026-04-21 21:31A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in M-mode). On affected XiangShan versions (commit aecf601e803bfd2371667a3fb60bfcd83c333027, 2024-11-19), these menvcfg accesses can unexpectedly set WPRI (reserved) bits in the status view (xstatus) to 1. RISC-V defines WPRI fields as "writes preserve values, reads ignore values," i.e., they must not be modified by software manipulating other fields, and menvcfg itself contains multiple WPRI fields.
{
"affected": [],
"aliases": [
"CVE-2026-29642"
],
"database_specific": {
"cwe_ids": [
"CWE-1244"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-20T21:16:19Z",
"severity": "HIGH"
},
"details": "A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in M-mode). On affected XiangShan versions (commit aecf601e803bfd2371667a3fb60bfcd83c333027, 2024-11-19), these menvcfg accesses can unexpectedly set WPRI (reserved) bits in the status view (xstatus) to 1. RISC-V defines WPRI fields as \"writes preserve values, reads ignore values,\" i.e., they must not be modified by software manipulating other fields, and menvcfg itself contains multiple WPRI fields.",
"id": "GHSA-9m35-v5wh-m3xw",
"modified": "2026-04-21T21:31:21Z",
"published": "2026-04-20T21:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29642"
},
{
"type": "WEB",
"url": "https://github.com/OpenXiangShan/XiangShan/issues/3934"
},
{
"type": "WEB",
"url": "https://github.com/OpenXiangShan/XiangShan/commit/5e3dd63"
},
{
"type": "WEB",
"url": "https://docs.riscv.org/reference/isa/priv/machine.html"
},
{
"type": "WEB",
"url": "https://docs.riscv.org/reference/isa/priv/priv-csrs.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C3PH-MF94-PP8R
Vulnerability from github – Published: 2025-08-14 18:31 – Updated: 2025-08-14 18:31A vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. To exploit this vulnerability, the attacker must have valid administrative credentials.
This vulnerability is due to insufficient input validation of commands that are supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input for specific commands. A successful exploit could allow the attacker to execute commands on the underlying operating system as root.
{
"affected": [],
"aliases": [
"CVE-2025-20238"
],
"database_specific": {
"cwe_ids": [
"CWE-1244"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-14T17:15:37Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. To exploit this vulnerability, the attacker must have valid administrative credentials.\n\n This vulnerability is due to insufficient input validation of commands that are supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input for specific commands. A successful exploit could allow the attacker to execute commands on the underlying operating system as root.",
"id": "GHSA-c3ph-mf94-pp8r",
"modified": "2025-08-14T18:31:29Z",
"published": "2025-08-14T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20238"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-cmdinj-VEhFeZQ3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FPJC-QV6C-7C5Q
Vulnerability from github – Published: 2025-09-18 04:12 – Updated: 2025-09-18 04:12NVIDIA HGX & DGX GB200, GB300, B300 contain a vulnerability in the HGX Management Controller (HMC) that may allow a malicious actor with administrative access on the BMC to access the HMC as an administrator. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
{
"affected": [],
"aliases": [
"CVE-2025-23337"
],
"database_specific": {
"cwe_ids": [
"CWE-1244"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-17T23:15:36Z",
"severity": "MODERATE"
},
"details": "NVIDIA HGX \u0026 DGX GB200, GB300, B300 contain a vulnerability in the HGX Management Controller (HMC) that may allow a malicious actor with administrative access on the BMC to access the HMC as an administrator. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.",
"id": "GHSA-fpjc-qv6c-7c5q",
"modified": "2025-09-18T04:12:19Z",
"published": "2025-09-18T04:12:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23337"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5692"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GC52-J4FW-H449
Vulnerability from github – Published: 2025-06-18 03:30 – Updated: 2025-06-18 03:30The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to gain access to restricted components. A successful exploit of this vulnerability may lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2025-23252"
],
"database_specific": {
"cwe_ids": [
"CWE-1244"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T01:15:28Z",
"severity": "MODERATE"
},
"details": "The NVIDIA NVDebug tool contains a vulnerability that may allow an actor to gain access to restricted components. A successful exploit of this vulnerability may lead to information disclosure.",
"id": "GHSA-gc52-j4fw-h449",
"modified": "2025-06-18T03:30:55Z",
"published": "2025-06-18T03:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23252"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5651"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H6FM-GGMR-98GX
Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-07-14 15:31An Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability [CWE-1244] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.2, FortiOS 7.4.0 through 7.4.7, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0 all versions may allow an authenticated admin to execute lua scripts via crafted CLI commands.
{
"affected": [],
"aliases": [
"CVE-2025-67862"
],
"database_specific": {
"cwe_ids": [
"CWE-1244"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T16:16:35Z",
"severity": "MODERATE"
},
"details": "An Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability [CWE-1244] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.2, FortiOS 7.4.0 through 7.4.7, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0 all versions may allow an authenticated admin to execute lua scripts via crafted CLI commands.",
"id": "GHSA-h6fm-ggmr-98gx",
"modified": "2026-07-14T15:31:59Z",
"published": "2026-06-09T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67862"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-864900.html"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-143"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H7CV-65J5-5G78
Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2024-07-09 12:30A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The system images for installation or update of the affected application contain unit test scripts with sensitive information. An attacker could gain information about testing architecture and also tamper with test configuration.
{
"affected": [],
"aliases": [
"CVE-2022-32259"
],
"database_specific": {
"cwe_ids": [
"CWE-1244",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-14T10:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions \u003c V3.1). The system images for installation or update of the affected application contain unit test scripts with sensitive information. An attacker could gain information about testing architecture and also tamper with test configuration.",
"id": "GHSA-h7cv-65j5-5g78",
"modified": "2024-07-09T12:30:55Z",
"published": "2022-06-15T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32259"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-484086.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For security-sensitive assets accessible over debug/test interfaces, only allow trusted agents.
Mitigation
Apply blinding [REF-1219] or masking techniques in strategic areas.
Mitigation
Add shielding or tamper-resistant protections to the device, which increases the difficulty and cost for accessing debug/test interfaces.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.