Common Weakness Enumeration

CWE-288

Allowed

Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base · Status: Incomplete

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1072 vulnerabilities reference this CWE, most recent first.

GHSA-WF48-98RG-498V

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-30T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.",
  "id": "GHSA-wf48-98rg-498v",
  "modified": "2022-05-24T19:16:13Z",
  "published": "2022-05-24T19:16:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41292"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFM2-RQ5G-F8V5

Vulnerability from github – Published: 2025-04-29 15:11 – Updated: 2025-04-29 15:11
VLAI
Summary
@account-kit/smart-contracts Allowlist Module Bypass Vulnerability
Details

Summary

Allowlist module contains a bypass vulnerability

Details

The logic for using an allowlist on a Modular Account V2 contained a bug that allowed session keys to bypass any allowlist configuration

Action

If you are using @aa-sdk and/or @account-kit/smart-contracts between the versions of >=4.8.0 and <4.28.1, please upgrade to 4.28.2

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@account-kit/smart-contracts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.8.0"
            },
            {
              "fixed": "4.28.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-29T15:11:41Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nAllowlist module contains a bypass vulnerability\n\n### Details\nThe logic for using an allowlist on a Modular Account V2 contained a bug that allowed session keys to bypass any allowlist configuration\n\n### Action\nIf you are using @aa-sdk and/or @account-kit/smart-contracts between the versions of \u003e=4.8.0 and \u003c4.28.1, please upgrade to 4.28.2",
  "id": "GHSA-wfm2-rq5g-f8v5",
  "modified": "2025-04-29T15:11:41Z",
  "published": "2025-04-29T15:11:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/alchemyplatform/aa-sdk/security/advisories/GHSA-wfm2-rq5g-f8v5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alchemyplatform/aa-sdk/commit/b65bafdb9eec3a009df2cbabf09a35a76550e9d0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/alchemyplatform/aa-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@account-kit/smart-contracts Allowlist Module Bypass Vulnerability"
}

GHSA-WG33-5H85-7Q5P

Vulnerability from github – Published: 2025-02-06 17:07 – Updated: 2025-02-06 19:54
VLAI
Summary
Mitmweb API Authentication Bypass Using Proxy Server
Details

Impact

In mitmweb 11.1.0 and below, a malicious client can use mitmweb's proxy server (bound to *:8080 by default) to access mitmweb's internal API (bound to 127.0.0.1:8081 by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this SSRF-style access to remote code execution.

The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. The block_global option, which is enabled by default, blocks connections originating from publicly-routable IP addresses in the proxy. The attacker needs to be in the same local network.

Patches

The vulnerability has been fixed in mitmproxy 11.1.2 and above.

Acknowledgements

We thank Stefan Grönke (@gronke) for reporting this vulnerability as part of a security audit by Radically Open Security. This audit was supported by the NGI0 Entrust fund established by NLnet.

Timeline

  • 2025-01-14: Received initial report.
  • 2025-01-14: Verified report and confirmed receipt.
  • 2025-01-19: Shared patch with researcher.
  • 2025-02-04: Received final confirmation that patch is working.
  • 2025-02-05: Published patched release and advisory.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mitmproxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-23217"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-441"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-06T17:07:41Z",
    "nvd_published_at": "2025-02-06T18:15:32Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nIn mitmweb 11.1.0 and below, a malicious client can use mitmweb\u0027s proxy server (bound to `*:8080` by default) to access mitmweb\u0027s internal API (bound to `127.0.0.1:8081` by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this [SSRF](https://en.wikipedia.org/wiki/Server-side_request_forgery)-style access to remote code execution.\n\nThe mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. The `block_global` option, which is enabled by default, blocks connections originating from publicly-routable IP addresses in the proxy. The attacker needs to be in the same local network.\n\n### Patches\n\nThe vulnerability has been fixed in mitmproxy 11.1.2 and above.\n\n### Acknowledgements\n\nWe thank Stefan Gr\u00f6nke (@gronke) for reporting this vulnerability as part of a security audit by [Radically Open Security](https://www.radicallyopensecurity.com/). This audit was supported by the [NGI0 Entrust fund](https://nlnet.nl/entrust/) established by [NLnet](https://nlnet.nl/).\n\n### Timeline\n\n- **2025-01-14**: Received initial report. \n- **2025-01-14**: Verified report and confirmed receipt.\n- **2025-01-19**: Shared patch with researcher.\n- **2025-02-04**: Received final confirmation that patch is working.\n- **2025-02-05**: Published patched release and advisory.",
  "id": "GHSA-wg33-5h85-7q5p",
  "modified": "2025-02-06T19:54:56Z",
  "published": "2025-02-06T17:07:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-wg33-5h85-7q5p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23217"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mitmproxy/mitmproxy/commit/fa89055e196d953f11fd241e36ee37858993486a"
    },
    {
      "type": "WEB",
      "url": "https://en.wikipedia.org/wiki/Server-side_request_forgery"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mitmproxy/mitmproxy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mitmproxy/mitmproxy/blob/main/CHANGELOG.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mitmproxy/mitmproxy/blob/main/CHANGELOG.md#06-february-2025-mitmproxy-1112"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Mitmweb API Authentication Bypass Using Proxy Server"
}

GHSA-WJ4W-HRRV-32X7

Vulnerability from github – Published: 2026-05-02 06:30 – Updated: 2026-05-02 06:30
VLAI
Details

The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a "true" OTP value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-7458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-02T05:16:01Z",
    "severity": "CRITICAL"
  },
  "details": "The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the \"user_verification_form_wrap_process_otpLogin\" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a \"true\" OTP value.",
  "id": "GHSA-wj4w-hrrv-32x7",
  "modified": "2026-05-02T06:30:24Z",
  "published": "2026-05-02T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7458"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/user-verification/trunk/includes/functions-rest.php%23L234?rev=3461175"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/hook.php%23L164?rev=3461175"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/index.php%23L71?rev=3461175"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3519113/user-verification"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/35b86488-8f68-4738-a9a8-76d0b7976165?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMVG-5R8J-H4HF

Vulnerability from github – Published: 2025-04-01 06:30 – Updated: 2026-04-01 18:34
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos allows Authentication Abuse. This issue affects Vitepos: from n/a through 3.1.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T06:15:48Z",
    "severity": "HIGH"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos allows Authentication Abuse. This issue affects Vitepos: from n/a through 3.1.4.",
  "id": "GHSA-wmvg-5r8j-h4hf",
  "modified": "2026-04-01T18:34:17Z",
  "published": "2025-04-01T06:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22277"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/vitepos-lite/vulnerability/wordpress-vitepos-plugin-3-1-4-broken-authentication-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP3Q-P67P-P473

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Unauthenticated Broken Authentication in Booknetic <= 4.8.5 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25439"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:20:11Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated Broken Authentication in Booknetic \u003c= 4.8.5 versions.",
  "id": "GHSA-wp3q-p67p-p473",
  "modified": "2026-06-17T18:35:48Z",
  "published": "2026-06-17T18:35:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25439"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/booknetic/vulnerability/wordpress-booknetic-plugin-4-8-5-account-takeover-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPFJ-WC8P-WV72

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42
VLAI
Details

This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DVA-2800 and DSL-2888A firmware version 2.3 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dhttpd service, which listens on TCP port 8008 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-10912.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-12T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DVA-2800 and DSL-2888A firmware version 2.3 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dhttpd service, which listens on TCP port 8008 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-10912.",
  "id": "GHSA-wpfj-wc8p-wv72",
  "modified": "2022-05-24T17:42:02Z",
  "published": "2022-05-24T17:42:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27863"
    },
    {
      "type": "WEB",
      "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10196"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1427"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WR24-46RX-JR44

Vulnerability from github – Published: 2023-04-19 21:30 – Updated: 2024-04-04 03:36
VLAI
Details

In multiple functions of AccountManagerService.java, there is a possible loading of arbitrary code into the System Settings app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-260567867

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21098"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-19T20:15:11Z",
    "severity": "HIGH"
  },
  "details": "In multiple functions of AccountManagerService.java, there is a possible loading of arbitrary code into the System Settings app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-260567867",
  "id": "GHSA-wr24-46rx-jr44",
  "modified": "2024-04-04T03:36:11Z",
  "published": "2023-04-19T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21098"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2023-04-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVHJ-3792-HF6C

Vulnerability from github – Published: 2024-11-09 03:30 – Updated: 2026-04-08 18:33
VLAI
Details

The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-09T03:15:03Z",
    "severity": "CRITICAL"
  },
  "details": "The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the \u0027ce21_authentication_phrase\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.",
  "id": "GHSA-wvhj-3792-hf6c",
  "modified": "2026-04-08T18:33:39Z",
  "published": "2024-11-09T03:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10284"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ce21-suite/trunk/single-sign-on-ce21.php?rev=3097700#L242"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3205463/ce21-suite#file3"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45d66743-300e-480d-98b8-99dc30b6e786?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVPV-FFCV-R6CW

Vulnerability from github – Published: 2020-04-14 23:09 – Updated: 2021-01-08 20:22
VLAI
Summary
Internal NCryptDecrypt method could be used externally from WindowsHello library.
Details

Impact

Every user of the library before version 1.0.4.

Patches

Patched in 1.0.4+.

Workarounds

None.

References

https://github.com/SeppPenner/WindowsHello/issues/3

For more information

It this library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "HaemmerElectronics.SeppPenner.WindowsHello"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-04-14T22:26:38Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nEvery user of the library before version 1.0.4.\n\n### Patches\nPatched in 1.0.4+.\n\n### Workarounds\nNone.\n\n### References\nhttps://github.com/SeppPenner/WindowsHello/issues/3\n\n### For more information\nIt this library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library  without the need to use Windows Hello Authentication again.",
  "id": "GHSA-wvpv-ffcv-r6cw",
  "modified": "2021-01-08T20:22:38Z",
  "published": "2020-04-14T23:09:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11005"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SeppPenner/WindowsHello/issues/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Internal NCryptDecrypt method could be used externally from WindowsHello library."
}

Mitigation
Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.