VYPR

CWE-489

Active Debug Code

Base · Draft

Description

The product is released with debugging code still enabled or active.

Related attack patterns (CAPEC)

CAPEC-121 · CAPEC-661

CVEs mapped to this weakness (25)

page 1 of 2
  • CVE-2026-49188 · Critical · Jun 4, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    The ai_cmd utility executes with full root permissions. It pipes socket inputs directly to popen(), paving the way for unauthenticated users to execute arbitrary root commands.

  • CVE-2024-46873 · Critical · Dec 23, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Multiple SHARP routers leave the hidden debug function enabled. An arbitrary OS command may be executed with the root privilege by a remote unauthenticated attacker.

  • CVE-2017-5259 · High · Dec 20, 2017
    risk 0.63 · cvss 8.8 · epss 0.39

    In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, an undocumented, root-privilege administration web shell is available using the HTTP path https:///adm/syscmd.asp.

  • CVE-2026-40035 · Critical · Apr 8, 2026
    risk 0.59 · cvss 9.1 · epss 0.01

    Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing…

  • CVE-2025-4106 · High · Oct 24, 2025
    risk 0.58 · cvss · epss 0.00

    An authenticated admin user with access to both the management WebUI and command line interface on a Firebox can enable a diagnostic debug shell by uploading a platform and version-specific diagnostic package and executing a leftover diagnostic command. This issue affects…

  • CVE-2024-31406 · High · Apr 24, 2024
    risk 0.57 · cvss 8.8 · epss 0.00

    Active debug code vulnerability exists in RoamWiFi R10 prior to 4.8.45. If this vulnerability is exploited, a network-adjacent unauthenticated attacker with access to the device may perform unauthorized operations.

  • CVE-2022-20649 · High · Nov 15, 2024
    risk 0.54 · cvss 8.1 · epss 0.12

    A vulnerability in Cisco RCM for Cisco StarOS Software could allow an unauthenticated, remote attacker to perform remote code execution on the application with root-level privileges in the context of the configured container. This vulnerability exists because…

  • CVE-2018-5454 · High · Mar 26, 2018
    risk 0.53 · cvss 8.1 · epss 0.04

    Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have a vulnerability where code debugging methods are enabled, which could allow an attacker to remotely execute arbitrary code during runtime.

  • CVE-2025-64983 · High · Nov 26, 2025
    risk 0.52 · cvss 8.0 · epss 0.00

    Smart Video Doorbell firmware versions prior to 2.01.078 contain an active debug code vulnerability that allows an attacker to connect via Telnet and gain access to the device.

  • CVE-2025-30185 · High · Nov 11, 2025
    risk 0.51 · cvss 7.9 · epss 0.00

    Active debug code for some Intel UEFI reference platforms within Ring 0: Kernel may allow a denial of service and escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable data alteration. This result may…

  • CVE-2022-33971 · High · Jul 4, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and…

  • CVE-2025-52663 · High · Oct 31, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    A vulnerability was identified in certain UniFi Talk devices where internal debugging functionality remained unintentionally enabled. This issue could allow an attacker with access to the UniFi Talk management network to invoke internal debug operations through the device API. …

  • CVE-2025-15017 · High · Dec 31, 2025
    risk 0.46 · cvss · epss 0.00

    A vulnerability exists in serial device servers where active debug code remains enabled in the UART interface. An attacker with physical access to the device can directly connect to the UART interface and, without authentication, user interaction, or execution conditions, gain…

  • CVE-2025-7705 · Medium · Jul 22, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    Active Debug Code vulnerability in ABB Switch Actuator 4 DU-83330, ABB Switch actuator, door/light 4 DU -83330-500. This issue affects Switch Actuator 4 DU-83330: All Versions; Switch actuator, door/light 4 DU -83330-500: All Versions.

  • CVE-2024-53648 · Medium · Feb 11, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V9.90), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions < V9.90), SIPROTEC 5 6MD86 (CP200) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions < V9.90), SIPROTEC 5…

  • CVE-2024-41999 · Medium · Sep 30, 2024
    risk 0.44 · cvss 6.8 · epss 0.00

    Smart-tab Android app installed April 2023 or earlier contains an active debug code vulnerability. If this vulnerability is exploited, an attacker with physical access to the device may exploit the debug function to gain access to the OS functions, escalate the privilege, change…

  • CVE-2024-7756 · Medium · Sep 13, 2024
    risk 0.44 · cvss 6.8 · epss 0.00

    A potential vulnerability was reported in the ThinkPad L390 Yoga and 10w Notebook that could allow a local attacker to escalate privileges by accessing an embedded UEFI shell.

  • CVE-2026-9133 · High · May 20, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file…

  • CVE-2026-45728 · High · May 26, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or…

  • CVE-2025-42872 · Medium · Dec 9, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal, an unauthenticated attacker could inject malicious scripts that execute in the context of other users' browsers, allowing the attacker to steal session cookies, tokens, and other sensitive…