CWE-1191 — Vulnerability Class 12

12 vulnerabilities classified as CWE-1191. AI Chinese analysis included.

CWE-1191 represents a critical hardware security weakness where on-chip debug and test interfaces, such as JTAG, lack proper access control mechanisms. This flaw allows unauthorized entities to bypass authentication checks and directly access internal registers or enter test modes through physical connections. Attackers typically exploit this vulnerability by connecting to exposed debug pins to extract sensitive intellectual property, reverse-engineer firmware, or manipulate device behavior for malicious purposes. To mitigate this risk, developers must implement robust hardware-enforced access controls, ensuring that debug interfaces are disabled in production builds or require strong cryptographic authentication before granting access. Additionally, employing secure boot processes and physically securing device ports further reduces the attack surface, preventing unauthorized individuals from leveraging these low-level interfaces to compromise system integrity and confidentiality.

MITRE CWE Description
The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface. A device's internal information may be accessed through a scan chain of interconnected internal registers, usually through a JTAG interface. The JTAG interface provides access to these registers in a serial fashion in the form of a scan chain for the purposes of debugging programs running on a device. Since almost all information contained within a device may be accessed over this interface, device manufacturers typically insert some form of authentication and authorization to prevent unintended use of this sensitive information. This mechanism is implemented in addition to on-chip protections that are already present. If authorization, authentication, or some other form of access control is not implemented or not implemented correctly, a user may be able to bypass on-chip protection mechanisms through the debug interface. Sometimes, designers choose not to expose the debug pins on the motherboard. Instead, they choose to hide these pins in the intermediate layers of the board. This is primarily done to work around the lack of debug authorization inside the chip. In such a scenario (without debug authorization), when the debug interface is exposed, chip internals are accessible to an attacker.
Common Consequences (6)
Confidentiality: Read Application Data
Confidentiality: Read Memory
Authorization: Execute Unauthorized Code or Commands
Integrity: Modify Memory
Integrity: Modify Application Data
Mitigations (1)
Architecture and Design: If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode.
Effectiveness: High
Examples (2)
A home, WiFi-router device implements a login prompt which prevents an unauthorized user from issuing any commands on the device until appropriate credentials are provided. The credentials are protected on the device and are checked for strength against attack.
If the JTAG interface on this device is not hidden by the manufacturer, the interface may be identified using tools such as JTAGulator. If it is hidden but not disabled, it can be exposed by physically wiring to the board. By issuing a "halt" command before the OS starts, the unauthorized user pauses the watchdog timer and prevents the router from restarting (once the watchdog timer would have expired). Having paused the router, an unauthorized user is able to execute code and inspect and modify data in the device, even extracting all of the router's firmware. This allows the user to examine t
Bad · Other
In order to prevent exposing the debugging interface, manufacturers might try to obfuscate the JTAG interface or blow device internal fuses to disable the JTAG interface. Adding authentication and authorization to this interface makes use by unauthorized individuals much more difficult.
Good · Other
The following example code is a snippet from the JTAG wrapper module in the RISC-V debug module of the HACK@DAC'21 Openpiton SoC [REF-1355]. To make sure that the JTAG is accessed securely, the developers have included a primary authentication mechanism based on a password.
...
PassChkValid: begin
    if(hashValid) begin
        if(exp_hash == pass_hash) begin
            pass_check = 1'b1;
        end else begin
            pass_check = 1'b0;
        end
        state_d = Idle;
    end else begin
        state_d = PassChkValid;
    end
end
...
Bad · Verilog
...
case (state_q)
    Idle: begin
        ...
        // DTM_PASS is only accepted while fewer than three password checks have failed
        else if ( (dm::dtm_op_e'(dmi.op) == dm::DTM_PASS) && (miss_pass_check_cnt_q != 2'b11) )
        begin
            state_d = Write;
            pass_mode = 1'b1;
        end
        ...
    end
    ...
    PassChkValid: begin
        if(hashValid) begin
            if(exp_hash == pass_hash) begin
                pass_check = 1'b1;
            end else begin
                pass_check = 1'b0;
                // count the failed check
                miss_pass_check_cnt_d = miss_pass_check_cnt_q + 1;
            end
            state_d = Idle;
        end else begin
            state_d = PassChkValid;
        end
    end
...
Good · Verilog
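The two password-check snippets above, as an added behavioural model in Python (not code from the HACK@DAC'21 SoC or from MITRE), showing how the miss counter bounds the number of wrong attempts. The SHA-256 hashing, the password values and the class and function names are assumptions made for illustration.

```python
"""Behavioural model (constructed) of the JTAG password-check FSM quoted above."""
import hashlib
import hmac

MAX_MISSES = 3  # mirrors the 2'b11 threshold on miss_pass_check_cnt_q


class JtagPassCheck:
    """Models pass_check and the miss counter. The hashing scheme is an assumption."""

    def __init__(self, expected_password: bytes, lockout: bool):
        self.exp_hash = hashlib.sha256(expected_password).digest()
        self.lockout = lockout   # False models the "bad" snippet, True the "good" one
        self.miss_cnt = 0        # miss_pass_check_cnt_q
        self.pass_check = False

    def try_password(self, candidate: bytes) -> str:
        # Idle: DTM_PASS is only accepted while the counter is below the threshold.
        if self.lockout and self.miss_cnt >= MAX_MISSES:
            return "locked"
        pass_hash = hashlib.sha256(candidate).digest()
        # PassChkValid: compare in constant time, per the mitigation's timing note.
        if hmac.compare_digest(self.exp_hash, pass_hash):
            self.pass_check = True
            return "granted"
        self.pass_check = False
        if self.lockout:
            self.miss_cnt += 1   # only the "good" snippet counts misses
        return "denied"


def run_attempts(dut: JtagPassCheck, candidates):
    """Feed a sequence of password attempts and collect the outcome of each."""
    return [dut.try_password(c) for c in candidates]


def demo():
    secret = b"constructed-debug-password"           # constructed sample value
    attempts = [b"wrong-%d" % i for i in range(5)] + [secret]
    bad = run_attempts(JtagPassCheck(secret, lockout=False), attempts)
    good = run_attempts(JtagPassCheck(secret, lockout=True), attempts)
    return bad, good


if __name__ == "__main__":
    for name, result in zip(("no counter", "with counter"), demo()):
        print(f"{name:13s}: {result}")
```

In the lines quoted on this page nothing clears the counter, so the model keeps rejecting even the correct password once three misses have accumulated; how the real design resets it is not shown here.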
CVE ID | Title | CVSS | Severity | Published
CVE-2024-36319 | AMD multiple products security vulnerability — AMD Ryzen™ 7040 Series Mobile Processors with Radeon™ Graphics; AMD Ryzen™ 8040 Series Mobile Processors with Radeon™ Graphics | 9.8 (AI) | Critical (AI) | 2026-02-12
CVE-2025-52533 | AMD Processors security vulnerability — AMD EPYC™ 7003 Series Processors | 6.7 (AI) | Medium (AI) | 2026-02-12
CVE-2025-15083 | TOZED ZLT M30s UART on-chip debug and test interface with improper access control — ZLT M30s | 2.0 | Low | 2025-12-25
CVE-2025-12114 | Serial Console Enabled — BLU-IC2 | 6.5 (AI) | Medium (AI) | 2025-10-23
CVE-2025-9709 | NRF52810 Runtime EM Fault Injection APPROTECT Bypass — nRF52810 | 6.1 (AI) | Medium (AI) | 2025-09-05
CVE-2025-7213 | FNKvision FNK-GU2 UART Interface on-chip debug and test interface with improper access control — FNK-GU2 | 6.4 | Medium | 2025-07-09
CVE-2025-47822 | Flock Safety LPR security vulnerability — License Plate Reader | 6.4 | Medium | 2025-06-27
CVE-2025-47819 | Flock Safety Gunshot Detection security vulnerability — Gunshot Detection devices | 6.4 | Medium | 2025-06-27
CVE-2025-26408 | Unprotected JTAG Interface — Wattsense Bridge | 6.8 | - | 2025-02-11
CVE-2024-48970 | Life2000 Ventilator microcontroller lacks memory protection — Life2000 Ventilation System | 9.3 | Critical | 2024-11-14
CVE-2024-41692 | Incorrect Access Control Vulnerability — SyroTech SY-GPON-1110-WDONT router | 6.8 | - | 2024-07-26
CVE-2024-4231 | Incorrect Access Control Vulnerability in Digisol Router — Digisol Router DG-GR1321 | 3.9 | - | 2024-05-10

Vulnerabilities classified as CWE-1191 represent 12 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.