CWE-1244: Internal Asset Exposed to Unsafe Debug Access Level or State
The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.
Abstraction: Base
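The weakness described above, as an added example that is not part of the original entry: a debug access policy table with one sensitive asset assigned too low a level, beside the corrected table and a design-review check that flags the difference. The level names, asset names and functions are all hypothetical and the tables are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical debug access levels, least trusted first. */
typedef enum { DBG_UNAUTH = 0, DBG_USER = 1, DBG_VENDOR = 2 } dbg_level_t;

/* One internal asset and the lowest debug level allowed to reach it. */
typedef struct {
    const char *name;
    bool        sensitive;   /* keys, fuses, privileged control state */
    dbg_level_t min_level;
} asset_policy_t;

/* Constructed policy with the weakness: the key register is left at DBG_UNAUTH. */
static const asset_policy_t weak_policy[] = {
    { "uart_status", false, DBG_UNAUTH },
    { "aes_key_reg", true,  DBG_UNAUTH },   /* wrong level for a sensitive asset */
    { "fuse_shadow", true,  DBG_VENDOR },
};

/* Constructed corrected policy: every sensitive asset requires DBG_VENDOR. */
static const asset_policy_t fixed_policy[] = {
    { "uart_status", false, DBG_UNAUTH },
    { "aes_key_reg", true,  DBG_VENDOR },
    { "fuse_shadow", true,  DBG_VENDOR },
};

#define COUNT(t) (sizeof(t) / sizeof((t)[0]))

/* Gate applied to each debug request: the agent's level must meet the asset's minimum. */
bool debug_access_allowed(const asset_policy_t *a, dbg_level_t agent)
{
    return agent >= a->min_level;
}

/* Design-review check: count sensitive assets reachable below `required`. */
size_t audit_policy(const asset_policy_t *t, size_t n, dbg_level_t required)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].sensitive && t[i].min_level < required) {
            printf("MISCONFIGURED: %s min_level=%d\n", t[i].name, (int)t[i].min_level);
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("weak:  %zu finding(s)\n", audit_policy(weak_policy, COUNT(weak_policy), DBG_VENDOR));
    printf("fixed: %zu finding(s)\n", audit_policy(fixed_policy, COUNT(fixed_policy), DBG_VENDOR));
    return 0;
}
```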
Common Consequences
| Scope | Impact |
|---|---|
| Confidentiality | Read Memory |
| Integrity | Modify Memory |
| Authorization | Gain Privileges or Assume Identity |
Detection Methods
Manual Analysis
Check 2 devices for the passcode used to authenticate access to their JTAG/debugging ports. If the passcodes are missing or are the same on both devices, update the design to fix this and retest. Check communications over JTAG/debugging ports for encryption. If the communications are not encrypted, fix the design and retest.
Real-World Examples (9)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2020-5372 | 8.6 | 0.7% | — |
| CVE-2022-32259 | 6.5 | 0.2% | — |
| CVE-2025-42878 | 8.2 | 0.2% | — |
| CVE-2025-23252 | 4.5 | 0.1% | — |
| CVE-2025-23337 | 6.7 | 0.0% | — |
| CVE-2025-23302 | 4.2 | 0.0% | — |
| CVE-2025-23301 | 4.2 | 0.0% | — |
| CVE-2025-20238 | 6.0 | 0.0% | — |
| CVE-2024-0114 | 8.1 | 0.0% | — |
Risk score: 0 / 100 (low-risk)
Active Threat: 0/50 · Minimal
Exploit Availability: 0/50 · Minimal