CWE-1191
On-Chip Debug and Test Interface With Improper Access Control
Extended description
A device's internal information may be accessed through a scan chain of interconnected internal registers, usually through a JTAG interface. The JTAG interface provides access to these registers in a serial fashion in the form of a scan chain for the purposes of debugging programs running on a device. Since almost all information contained within a device may be accessed over this interface, device manufacturers typically insert some form of authentication and authorization to prevent unintended use of this sensitive information. This mechanism is implemented in addition to on-chip protections that are already present. If authorization, authentication, or some other form of access control is not implemented or not implemented correctly, a user may be able to bypass on-chip protection mechanisms through the debug interface. Sometimes, designers choose not to expose the debug pins on the motherboard. Instead, they choose to hide these pins in the intermediate layers of the board. This is primarily done to work around the lack of debug authorization inside the chip. In such a scenario (without debug authorization), when the debug interface is exposed, chip internals are accessible to an attacker.
Common consequences6
- ConfidentialityRead Application Data
- ConfidentialityRead Memory
- AuthorizationExecute Unauthorized Code or Commands
- IntegrityModify Memory
- IntegrityModify Application Data
- Access ControlBypass Protection Mechanism
Potential mitigations1
- Architecture and DesignHigh
If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode.
Relationships1
- ChildOfCWE-284
CVEs referencing this CWE20
| CVE | Description | Severity | EPSS | Flags | Modified |
|---|---|---|---|---|---|
| CVE-2024-4231 | This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to presence of root terminal access on a serial interface without proper access control. An attacker with physical access could exploit this by identifying UART pins and accessing the root shell on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to access the sensitive information on the targeted system. | MEDIUM4.6 | 0.56%p42 | PoC | 2026-04-15 |
| CVE-2022-43096 | Mediatrix 4102 before v48.5.2718 allows local attackers to gain root access via the UART port. | MEDIUM6.8 | 0.54%p41 | PoC | 2025-04-30 |
| CVE-2020-9285 | Some versions of Sonos One (1st and 2nd generation) allow partial or full memory access via attacker controlled hardware that can be attached to the Mini-PCI Express slot on the motherboard that hosts the WiFi card on the device. | MEDIUM6.8 | 0.47%p37 | 2025-05-08 | |
| CVE-2025-65821 | As UART download mode is still enabled on the ESP32 chip on which the firmware runs, an adversary can dump the flash from the device and retrieve sensitive information such as details about the current and previous Wi-Fi network from the NVS partition. Additionally, this allows the adversary to reflash the device with their own firmware which may contain malicious modifications. | HIGH7.5 | 0.31%p22 | 2026-01-21 | |
| CVE-2025-26409 | A serial interface can be accessed with physical access to the PCB of Wattsense Bridge devices. After connecting to the interface, access to the bootloader is possible, as well as a Linux login prompt. The bootloader access can be used to gain a root shell on the device. This issue is fixed in recent firmware versions BSP >= 6.4.1. | MEDIUM6.8 | 0.31%p23 | 2026-04-15 | |
| CVE-2025-26408 | The JTAG interface of Wattsense Bridge devices can be accessed with physical access to the PCB. After connecting to the interface, full access to the device is possible. This enables an attacker to extract information, modify and debug the device's firmware. All known versions are affected. | MEDIUM6.1 | 0.28%p19 | 2026-04-15 | |
| CVE-2025-52533 | Improper Access Control in an on-chip debug interface could allow a privileged attacker to enable a debug interface and potentially compromise data confidentiality or integrity. | NONE | 0.27%p18 | 2026-04-15 | |
| CVE-2024-41692 | This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to presence of root terminal access on a serial interface without proper access control. An attacker with physical access could exploit this by accessing the root shell on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary commands with root privileges on the targeted system. | NONE | 0.27%p19 | 2026-04-15 | |
| CVE-2025-15083 | A vulnerability was determined in TOZED ZLT M30s up to 1.47. The affected element is an unknown function of the component UART Interface. Executing manipulation can lead to on-chip debug and test interface with improper access control. The physical device can be targeted for the attack. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | MEDIUM4.6 | 0.23%p13 | 2026-04-29 | |
| CVE-2025-9709 | On-Chip Debug and Test Interface With Improper Access Control and Improper Protection against Electromagnetic Fault Injection (EM-FI) in Nordic Semiconductor nRF52810 allow attacker to perform EM Fault Injection and bypass APPROTECT at runtime, requiring the least amount of modification to the hardware system possible. | NONE | 0.22%p12 | 2026-04-15 | |
| CVE-2025-47819 | Flock Safety Gunshot Detection devices before 1.3 have an on-chip debug interface with improper access control. | MEDIUM6.8 | 0.22%p12 | 2025-10-24 | |
| CVE-2025-47822 | Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have an on-chip debug interface with improper access control. | MEDIUM6.8 | 0.21%p11 | 2025-10-23 | |
| CVE-2024-48970 | The ventilator's microcontroller lacks memory protection. An attacker could connect to the internal JTAG interface and read or write to flash memory using an off-the-shelf debugging tool, which could disrupt the function of the device and/or cause unauthorized information disclosure. | CRITICAL9.3 | 0.21%p12 | 2026-04-15 | |
| CVE-2025-65822 | The ESP32 system on a chip (SoC) that powers the Meatmeet Pro was found to have JTAG enabled. By leaving JTAG enabled on an ESP32 in a commercial product an attacker with physical access to the device can connect over this port and reflash the device's firmware with malicious code which will be executed upon running. As a result, the victim will lose access to the functionality of their device and the attack may gain unauthorized access to the victim's Wi-Fi network by re-connecting to the SSID defined in the NVS partition of the device. | MEDIUM6.8 | 0.18%p7 | 2026-01-21 | |
| CVE-2025-7213 | A vulnerability classified as critical has been found in FNKvision FNK-GU2 up to 40.1.7. Affected is an unknown function of the component UART Interface. The manipulation leads to on-chip debug and test interface with improper access control. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. | MEDIUM6.4 | 0.16%p6 | 2026-04-29 | |
| CVE-2025-48468 | Successful exploitation of the vulnerability could allow an attacker that has physical access to interface with JTAG to inject or modify firmware. | MEDIUM6.4 | 0.16%p6 | 2025-07-09 | |
| CVE-2023-32666 | On-chip debug and test interface with improper access control in some 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access. | HIGH7.2 | 0.15%p5 | 2026-04-15 | |
| CVE-2025-36755 | The CleverDisplay BlueOne hardware player is designed with its USB interfaces physically enclosed and inaccessible under normal operating conditions. Researchers demonstrated that, after cicumventing the device’s protective enclosure, it was possible to connect a USB keyboard and press ESC during boot to access the BIOS setup interface. BIOS settings could be viewed but not modified. This behavior slightly increases the attack surface by exposing internal system information (CWE-1244) once the enclosure is removed, but does not allow integrity or availability compromise under standard or tested configurations. | NONE | 0.14%p4 | 2026-04-15 | |
| CVE-2024-36319 | Debug code left active in AMD's Video Decoder Engine Firmware (VCN FW) could allow a attacker to submit a maliciously crafted command causing the VCN FW to perform read/writes HW registers, potentially impacting confidentiality, integrity and availabilability of the system. | NONE | 0.13%p3 | 2026-04-15 | |
| CVE-2025-12114 | Enabled serial console could potentially leak information that might help attacker to find vulnerabilities.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. | MEDIUM5.5 | 0.09%p1 | 2025-11-10 |