Common Weakness Enumeration

CWE-288

Allowed

Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base · Status: Incomplete

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1072 vulnerabilities reference this CWE, most recent first.

GHSA-MX8V-PHVM-3VVW

Vulnerability from github – Published: 2023-05-10 21:30 – Updated: 2024-04-04 04:01
VLAI
Details

An Authentication Bypass Using an Alternate Path or Channel vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface allows Authentication Bypass. See SEL Service Bulletin dated 2022-11-15 for more details.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "An Authentication Bypass Using an Alternate Path or Channel vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface allows Authentication Bypass. \nSee SEL Service Bulletin dated 2022-11-15 for more details.\n\n\n\n",
  "id": "GHSA-mx8v-phvm-3vvw",
  "modified": "2024-04-04T04:01:36Z",
  "published": "2023-05-10T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31152"
    },
    {
      "type": "WEB",
      "url": "https://selinc.com/support/security-notifications/external-reports"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/blog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P24G-CJ72-GPFV

Vulnerability from github – Published: 2025-05-14 18:30 – Updated: 2025-05-15 15:31
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-14T17:15:49Z",
    "severity": "HIGH"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.",
  "id": "GHSA-p24g-cj72-gpfv",
  "modified": "2025-05-15T15:31:24Z",
  "published": "2025-05-14T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47707"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-053"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P25V-3Q9M-P32X

Vulnerability from github – Published: 2024-10-22 06:31 – Updated: 2024-10-22 06:31
VLAI
Details

The Rover IDX plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0.0.2905. This is due to insufficient validation and capability check on the 'rover_idx_refresh_social_callback' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in to administrator. The vulnerability is partially patched in version 3.0.0.2905 and fully patched in version 3.0.0.2906.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-22T05:15:03Z",
    "severity": "HIGH"
  },
  "details": "The Rover IDX plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0.0.2905. This is due to insufficient validation and capability check on the \u0027rover_idx_refresh_social_callback\u0027 function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in to administrator. The vulnerability is partially patched in version 3.0.0.2905 and fully patched in version 3.0.0.2906.",
  "id": "GHSA-p25v-3q9m-p32x",
  "modified": "2024-10-22T06:31:13Z",
  "published": "2024-10-22T06:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10002"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/rover-idx/tags/3.0.0.2903/admin/rover-panel-social.php#L153"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/rover-idx/tags/3.0.0.2903/rover-social-common.php#L148"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3173032/rover-idx/trunk/rover-social-common.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cf6a9fb-3c3b-48ad-a39b-77a529b89901?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P374-753H-F3X5

Vulnerability from github – Published: 2025-08-22 18:31 – Updated: 2025-08-22 18:31
VLAI
Details

An issue in the lock screen component of Reolink v4.54.0.4.20250526 allows attackers to bypass authentication via using an ADB (Android Debug Bridge).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-22T17:15:33Z",
    "severity": "MODERATE"
  },
  "details": "An issue in the lock screen component of Reolink v4.54.0.4.20250526 allows attackers to bypass authentication via using an ADB (Android Debug Bridge).",
  "id": "GHSA-p374-753h-f3x5",
  "modified": "2025-08-22T18:31:24Z",
  "published": "2025-08-22T18:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55623"
    },
    {
      "type": "WEB",
      "url": "https://relieved-knuckle-264.notion.site/Reolink-App-lock-screen-Bypass-21a437003642804f869fde8535d18a3f?source=copy_link"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P4FG-VW73-VR29

Vulnerability from github – Published: 2026-02-24 15:30 – Updated: 2026-02-25 18:31
VLAI
Details

Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-24T14:16:26Z",
    "severity": "CRITICAL"
  },
  "details": "Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox \u003c 148 and Firefox ESR \u003c 140.8.",
  "id": "GHSA-p4fg-vw73-vr29",
  "modified": "2026-02-25T18:31:35Z",
  "published": "2026-02-24T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2784"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2012984"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-13"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-15"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-16"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P4G5-CHR9-3GF5

Vulnerability from github – Published: 2024-05-23 00:30 – Updated: 2024-05-23 00:30
VLAI
Details

Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-22T23:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.",
  "id": "GHSA-p4g5-chr9-3gf5",
  "modified": "2024-05-23T00:30:37Z",
  "published": "2024-05-23T00:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29849"
    },
    {
      "type": "WEB",
      "url": "https://veeam.com/kb4581"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P4JJ-WJCF-VHHR

Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2025-06-05 00:31
VLAI
Details

In Philips Ultrasound ClearVue Versions 3.2 and prior, Ultrasound CX Versions 5.0.2 and prior, Ultrasound EPIQ/Affiniti Versions VM5.0 and prior, Ultrasound Sparq Version 3.0.2 and prior and Ultrasound Xperius all versions, an attacker may use an alternate path or channel that does not require authentication of the alternate service login to view or modify information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-26T17:15:00Z",
    "severity": "LOW"
  },
  "details": "In Philips Ultrasound ClearVue Versions 3.2 and prior, Ultrasound CX Versions 5.0.2 and prior, Ultrasound EPIQ/Affiniti Versions VM5.0 and prior, Ultrasound Sparq Version 3.0.2 and prior and Ultrasound Xperius all versions, an attacker may use an alternate path or channel that does not require authentication of the alternate service login to view or modify information.",
  "id": "GHSA-p4jj-wjcf-vhhr",
  "modified": "2025-06-05T00:31:18Z",
  "published": "2022-05-24T17:21:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14477"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsma-20-177-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P4W8-H9FH-V4QP

Vulnerability from github – Published: 2024-08-08 03:30 – Updated: 2024-08-08 03:30
VLAI
Details

The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin not properly verifying a user's identity prior to logging them in when completing a booking. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they have access to that user's email. This is only exploitable when the 'Auto login user after successful booking' setting is enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-08T03:15:34Z",
    "severity": "CRITICAL"
  },
  "details": "The Appointment Booking Calendar Plugin and Online Scheduling Plugin \u2013 BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin not properly verifying a user\u0027s identity prior to logging them in when completing a booking. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they have access to that user\u0027s email.  This is only exploitable when the \u0027Auto login user after successful booking\u0027 setting is enabled.",
  "id": "GHSA-p4w8-h9fh-v4qp",
  "modified": "2024-08-08T03:30:49Z",
  "published": "2024-08-08T03:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7350"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_customers.php#L339"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3130266/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_customers.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c367565-75f7-4dd7-a2f1-111df581bd7a?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P5MJ-RXF6-HC9H

Vulnerability from github – Published: 2026-03-05 06:30 – Updated: 2026-03-09 18:31
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27389"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-05T06:16:28Z",
    "severity": "CRITICAL"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through \u003c= 1.0.1.",
  "id": "GHSA-p5mj-rxf6-hc9h",
  "modified": "2026-03-09T18:31:38Z",
  "published": "2026-03-05T06:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27389"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-1-account-takeover-vulnerability-2?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P69W-MMFV-XRFJ

Vulnerability from github – Published: 2026-05-26 23:40 – Updated: 2026-05-26 23:40
VLAI
Summary
FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection
Details

Pre-auth RCE in FUXA via Logic Bypass

Summary

A Critical vulnerability chain exists in FUXA (v.1.3.0-2706) that allows an unauthenticated remote attacker to achieve Full Remote Code Execution (RCE) as root. The exploit succeeds even when the platform is configured in its most secure state (Secure Mode Enabled and Node-RED Secure Auth Enabled).

Details The vulnerability is a Path Confusion flaw in the authentication middleware. The server uses a substring match on the full URL (including query parameters) to exclude certain paths from authentication.

Involved Logic:

JavaScript:

const url = req.originalUrl || req.url || req.path;
if (url.includes('/socket.io')) return next();
By appending ?x=/socket.io to any administrative request, the middleware is "tricked" into treating the request as a public WebSocket handshake, bypassing the secureEnabled and nodeRedAuthMode checks entirely.

Proof of Concept

A specially crafted request containing manipulated query parameters could bypass authentication checks on protected /nodered/* endpoints.

In configurations where Node-RED exposed privileged or command-execution capable nodes, this could lead to remote code execution within the container context.

Impact Access Level: Unauthenticated / Remote.

Privilege Level: Access to Node-RED administrative endpoints. Remote code execution may be possible depending on the Node-RED configuration and installed nodes.

CVSS 3.1 Score: High severity.

Description: An attacker can gain total control over the SCADA server, allowing them to intercept industrial data (MQTT/OPC-UA), manipulate PLC tags, or pivot into the internal OT network.

Root Cause & Remediation The root cause is the reliance on req.originalUrl for security-critical routing decisions.

The Fix: The developer must use req.path (which Express pre-parses to remove query strings) or a formal URL parser to ensure that the security check is performed only against the pathname.

JavaScript

// Secure approach
const pathname = req.path; 
if (pathname.startsWith('/socket.io/')) return next();

This issue affects only setups where Node-RED is enabled.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@frangoteam/fuxa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.11"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-288",
      "CWE-863",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-26T23:40:42Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "**Pre-auth** RCE in FUXA via Logic Bypass\n\nSummary\n\nA Critical vulnerability chain exists in FUXA (v.1.3.0-2706) that allows an unauthenticated remote attacker to achieve Full Remote Code Execution (RCE) as root. The exploit succeeds even when the platform is configured in its most secure state (Secure Mode Enabled and Node-RED Secure Auth Enabled).\n\nDetails\nThe vulnerability is a Path Confusion flaw in the authentication middleware. The server uses a substring match on the full URL (including query parameters) to exclude certain paths from authentication.\n\nInvolved Logic:\n\nJavaScript:\n```\nconst url = req.originalUrl || req.url || req.path;\nif (url.includes(\u0027/socket.io\u0027)) return next();\nBy appending ?x=/socket.io to any administrative request, the middleware is \"tricked\" into treating the request as a public WebSocket handshake, bypassing the secureEnabled and nodeRedAuthMode checks entirely.\n```\n\nProof of Concept\n\nA specially crafted request containing manipulated query parameters could bypass authentication checks on protected /nodered/* endpoints.\n\nIn configurations where Node-RED exposed privileged or command-execution capable nodes, this could lead to remote code execution within the container context.\n\nImpact\nAccess Level: Unauthenticated / Remote.\n\nPrivilege Level: Access to Node-RED administrative endpoints. \nRemote code execution may be possible depending on the Node-RED configuration and installed nodes.\n\nCVSS 3.1 Score: High severity.\n\nDescription: An attacker can gain total control over the SCADA server, allowing them to intercept industrial data (MQTT/OPC-UA), manipulate PLC tags, or pivot into the internal OT network.\n\nRoot Cause \u0026 Remediation\nThe root cause is the reliance on req.originalUrl for security-critical routing decisions.\n\nThe Fix:\nThe developer must use req.path (which Express pre-parses to remove query strings) or a formal URL parser to ensure that the security check is performed only against the pathname.\n\n```\nJavaScript\n\n// Secure approach\nconst pathname = req.path; \nif (pathname.startsWith(\u0027/socket.io/\u0027)) return next();\n```\n\nThis issue affects only setups where Node-RED is enabled.",
  "id": "GHSA-p69w-mmfv-xrfj",
  "modified": "2026-05-26T23:40:42Z",
  "published": "2026-05-26T23:40:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-p69w-mmfv-xrfj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/frangoteam/FUXA"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FUXA Vulnerable to Pre-auth RCE via Path Manipulation \u0026 Configuration Injection"
}

Mitigation
Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.