VYPR

CWE-1263

Improper Physical Access Control

Class | Incomplete

Description

The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.

Sections of a product intended to have restricted access may be inadvertently or intentionally rendered accessible when the implemented physical protections are insufficient. The specific requirements around how robust the design of the physical protection mechanism needs to be depend on the type of product being protected. Selecting the correct physical protection mechanism and properly enforcing it through implementation and manufacturing are critical to the overall physical security of the product.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-401

CVEs mapped to this weakness (8)

  • CVE-2024-48973 | Critical | Nov 14, 2024
    risk 0.60 | cvss 9.3 | epss 0.00

    The debug port on the ventilator's serial interface is enabled by default. This could allow an attacker to send and receive messages over the debug port (which are unencrypted; see 3.2.1) that result in unauthorized disclosure of information and/or have unintended impacts on…

  • CVE-2023-38290 | High | Apr 22, 2024
    risk 0.51 | cvss 7.8 | epss 0.00

    Certain software builds for the BLU View 2 and Sharp Rouvo V Android devices contain a vulnerable pre-installed app with a package name of com.evenwell.fqc (versionCode='9020801', versionName='9.0208.01' ; versionCode='9020913', versionName='9.0209.13' ; versionCode='9021203',…

  • CVE-2024-36438 | High | Jul 15, 2024
    risk 0.47 | cvss 7.3 | epss 0.00

    eLinkSmart Hidden Smart Cabinet Lock 2024-05-22 has Incorrect Access Control and fails to perform an authorization check which can lead to card duplication and other attacks.

  • CVE-2025-4386 | Medium | May 7, 2026
    risk 0.44 | cvss 6.8 | epss 0.00

    Medtronic MyCareLink Patient Monitor has an internal serial interface, which allows an attacker with physical access to access a login prompt via a UART terminal.

  • CVE-2025-8762 | Medium | Aug 13, 2025
    risk 0.44 | cvss 6.8 | epss 0.00

    A vulnerability was found in INSTAR 2K+ and 4K 3.11.1 Build 1124. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper physical access control. It is possible to launch the attack on the physical device. The exploit has…

  • CVE-2024-28326 | Medium | Apr 26, 2024
    risk 0.44 | cvss 6.8 | epss 0.00

    Incorrect Access Control in ASUS RT-N12+ B1 and RT-N12 D1 routers allows local attackers to obtain root terminal access via the UART interface.

  • CVE-2022-32506 | Medium | May 14, 2024
    risk 0.42 | cvss 6.4 | epss 0.00

    An issue was discovered on certain Nuki Home Solutions devices. An attacker with physical access to the circuit board could use the SWD debug features to control the execution of code on the processor and debug the firmware, as well as read or alter the content of the internal…

  • CVE-2025-6785 | Medium | Sep 4, 2025
    risk 0.31 | cvss | epss 0.00

    Securing externally available CAN wires can easily allow physical access to the CAN bus, allowing possible injection of specially formed CAN messages to control remote start functions of the vehicle. Testing completed on Tesla Model 3 vehicles with software version v11.1…