
CWE-489 (Leftover Debug Code) — Vulnerability Class 62

62 vulnerabilities classified as CWE-489 (Leftover Debug Code). AI Chinese analysis included.

CWE-489 represents a critical code quality weakness where software is deployed with active debugging mechanisms still enabled. This flaw typically arises when developers fail to strip diagnostic code before release, leaving behind verbose logging, interactive shells, or memory inspection tools. Attackers exploit these remnants to gain unauthorized access, bypass authentication controls, or extract sensitive data by triggering debug endpoints that were never intended for production environments. To mitigate this risk, developers must enforce strict build configurations that automatically disable all debugging features in release modes. Implementing automated code analysis tools during the continuous integration pipeline helps detect lingering debug statements, while rigorous code reviews ensure that no diagnostic logic persists in the final binary. Ultimately, treating debug code as a security liability rather than a convenience is essential for maintaining application integrity and preventing unintended exposure of internal system states.

MITRE CWE Description
The product is released with debugging code still enabled or active.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Access Control, Other. Impact: Bypass Protection Mechanism, Read Application Data, Gain Privileges or Assume Identity, Varies by Context.
Active debug code can create unintended entry points or expose sensitive information. The severity of the exposed debug code will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. At wor…
Mitigations (1)
Phase: Build and Compilation, Distribution. Remove debug code before deploying the application.
Examples (1)
Debug code can be used to bypass authentication. For example, suppose an application has a login script that receives a username and a password. Assume also that a third, optional, parameter, called "debug", is interpreted by the script as requesting a switch to debug mode, and that when this parameter is given the username and password are not checked. In such a case, it is very simple to bypass …
Bad · HTML
<FORM ACTION="/authenticate_login.cgi">
  <INPUT TYPE=TEXT name=username>
  <INPUT TYPE=PASSWORD name=password>
  <INPUT TYPE=SUBMIT>
</FORM>

Informative
http://TARGET/authenticate_login.cgi?username=...&password=...
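The login-script scenario in the MITRE example, as an added illustration that is neither MITRE's nor this site's code: the handler with the leftover debug switch beside a hardened version, plus a small CI-style heuristic of the kind the analysis above calls for, which flags the switch in source. The credential store, the query handling and the heuristic's pattern are constructed for this example.

```python
import hashlib
import hmac
import inspect
import re
from urllib.parse import parse_qs

# Constructed demo credential store: username -> SHA-256 hex digest of the password.
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def _credentials_ok(username, password):
    expected = _USERS.get(username)
    if expected is None:
        return False
    actual = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, actual)


def authenticate_vulnerable(query):
    """Bad: an optional third parameter named debug switches the script into
    debug mode, and the username and password are then not checked (CWE-489)."""
    p = parse_qs(query, keep_blank_values=True)
    if "debug" in p:  # leftover debug switch: any value, even an empty one, is enough
        return True
    return _credentials_ok(p.get("username", [""])[0], p.get("password", [""])[0])


def authenticate_fixed(query):
    """Good: the debug path is gone, and a request carrying any parameter other
    than the two documented ones is refused instead of being silently tolerated."""
    p = parse_qs(query, keep_blank_values=True)
    if set(p) - {"username", "password"}:
        return False
    return _credentials_ok(p.get("username", [""])[0], p.get("password", [""])[0])


# CI-style heuristic (constructed for this example, not a real analysis tool):
# flag source lines that test for a request parameter literally named "debug".
_DEBUG_PARAM = re.compile(r"""["']debug["']\s+in\b""")


def find_debug_switches(func):
    """Return 1-based line numbers, relative to the function's def line, where
    func's source consults a debug request parameter."""
    lines = inspect.getsource(func).splitlines()
    return [n for n, line in enumerate(lines, 1) if _DEBUG_PARAM.search(line)]
```

Run under the release-build gate you actually use; the point of the lint is that a finding fails the pipeline before the binary ships, not that the pattern is exhaustive.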
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-4227 | ioLogik 4000 Series: Existence of an Unauthorized Service | ioLogik 4000 Series | 5.3 | Medium | 2023-08-24 |
| CVE-2023-0954 | Debug feature in Sensormatic Electronics Illustra Dome and PTZ cameras | Illustra Pro Gen 4 Dome | 8.3 | High | 2023-06-08 |
| CVE-2023-1618 | Authentication Bypass Vulnerability in MELSEC WS Series Ethernet Interface Module | MELSEC WS Series WS0-GETH00200 | 7.5 | High | 2023-05-19 |
| CVE-2023-21496 | SAMSUNG Mobile devices security vulnerability | Samsung Mobile Devices | 6.1 | Medium | 2023-05-04 |
| CVE-2022-33323 | Authentication Bypass Vulnerability in Robot Controller of MELFA SD/SQ series and F-series | MELFA SD/SQ Series Controller CR1DA-771 of RV-2SD | 7.5 | High | 2023-02-02 |
| CVE-2022-38715 | Siretta QUARTZ-GOLD security vulnerability | QUARTZ-GOLD | 8.8 | - | 2023-01-26 |
| CVE-2022-46156 | Grafana's default installation of `synthetic-monitoring-agent` exposes sensitive information | synthetic-monitoring-agent | 7.2 | High | 2022-11-30 |
| CVE-2022-30543 | InHand Networks InRouter302 security vulnerability | InRouter302 | 8.8 | - | 2022-11-09 |
| CVE-2022-29888 | InHand Networks InRouter302 security vulnerability | InRouter302 | 8.1 | - | 2022-11-09 |
| CVE-2022-29481 | InHand Networks InRouter302 security vulnerability | InRouter302 | 6.5 | - | 2022-11-09 |
| CVE-2022-28689 | InHand Networks InRouter302 security vulnerability | InRouter302 | 8.8 | - | 2022-11-09 |
| CVE-2022-26023 | InHand Networks InRouter302 security vulnerability | InRouter302 | 6.5 | - | 2022-11-09 |
| CVE-2022-32760 | Abode Iota security vulnerability | iota All-In-One Security Kit | 7.5 | - | 2022-10-25 |
| CVE-2022-29520 | Abode Iota OS command injection vulnerability | iota All-In-One Security Kit | 9.8 | - | 2022-10-25 |
| CVE-2022-38453 | Contec Health CMS8000 | CMS8000 CONTEC ICU CCU Vital Signs Patient Monitor | 3.0 | Low | 2022-09-13 |
| CVE-2022-32585 | Robustel R1510 security vulnerability | R1510 | 9.8 | - | 2022-06-30 |
| CVE-2022-25995 | InHand Networks InRouter302 security vulnerability | InRouter302 | 8.8 | - | 2022-05-12 |
| CVE-2021-3972 | Lenovo Notebook security vulnerability | Notebook BIOS | 6.7 | Medium | 2022-04-22 |
| CVE-2021-3971 | Lenovo Notebook security vulnerability | Notebook BIOS | 6.7 | Medium | 2022-04-22 |
| CVE-2020-25156 | B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus | SpaceCom | 7.2 | High | 2022-04-14 |
| CVE-2021-40419 | Reolink Rlc-410W security vulnerability | n/a | 7.5 | - | 2022-01-28 |
| CVE-2021-23861 | Possible Access to Debug Functions in Bosch VRM / BVMS | BVMS | 6.5 | Medium | 2021-12-08 |
| CVE-2021-33591 | Naver Comic Viewer security vulnerability | Naver Comic Viewer | 8.8 | - | 2021-05-28 |
| CVE-2021-1381 | Cisco IOS XE Software Active Debug Code Vulnerability | Cisco IOS XE Software | 6.1 | Medium | 2021-03-24 |
| CVE-2021-1391 | Cisco IOS and IOS XE Software Privilege Escalation Vulnerability | Cisco IOS | 5.1 | Medium | 2021-03-24 |
| CVE-2021-1398 | Cisco IOS XE Software Arbitrary Code Execution Vulnerability | Cisco IOS XE Software | 6.8 | Medium | 2021-03-24 |
| CVE-2020-5763 | Grandstream HT800 series encryption issue vulnerability | Grandstream HT800 Series | 8.8 | - | 2020-07-29 |
| CVE-2020-5756 | Grandstream GWN7000 OS command injection vulnerability | Grandstream GWN7000 | 8.8 | - | 2020-07-17 |
| CVE-2020-8320 | Multiple Lenovo ThinkPad products security vulnerability | BIOS | 6.4 | Medium | 2020-06-09 |
| CVE-2019-10939 | Multiple Siemens products security vulnerability | TIM 3V-IE (incl. SIPLUS NET variants) | 9.1 | - | 2020-04-14 |

Vulnerabilities classified as CWE-489 (Leftover Debug Code) represent 62 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.