CWE-912
Hidden Functionality
Description
The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-133 · CAPEC-190
CVEs mapped to this weakness (36)
page 1 of 2| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-34117 | Cri | 0.68 | — | 0.23 | Jul 16, 2025 | A remote code execution vulnerability exists in multiple Netcore and Netis routers models with firmware released prior to August 2014 due to the presence of an undocumented backdoor listener on UDP port 53413. Exact version boundaries remain undocumented. An unauthenticated… | ||
| CVE-2026-41446 | Cri | 0.64 | 9.8 | 0.00 | Apr 28, 2026 | Snap One WattBox 800 and 820 series firmware versions prior to 2.10.0.0 contain undisclosed diagnostic HTTP endpoints that require only the device MAC address and service tag for authentication, both of which are printed in plaintext on the physical device label. Attackers with… | ||
| CVE-2026-1952 | Cri | 0.64 | 9.8 | 0.00 | Apr 24, 2026 | Delta Electronics AS320T has denial of service via the undocumented subfunction vulnerability. | ||
| CVE-2026-33280 | Cri | 0.64 | 9.8 | 0.00 | Mar 27, 2026 | Hidden functionality issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to gain access to the product’s debugging functionality, resulting in the execution of arbitrary OS commands. | ||
| CVE-2024-5514 | Cri | 0.64 | 9.8 | 0.01 | May 30, 2024 | MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend… | ||
| CVE-2025-11544 | — | Cri | 0.62 | — | 0.00 | Dec 22, 2025 | Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows a attacker may create and run unauthorized firmware. | |
| CVE-2024-10773 | — | Cri | 0.59 | 9.0 | 0.01 | Dec 6, 2024 | The product is vulnerable to pass-the-hash attacks in combination with hardcoded credentials of hidden user levels. This means that an attacker can log in with the hidden user levels and gain full access to the device. | |
| CVE-2024-3016 | Cri | 0.59 | 9.1 | 0.01 | May 14, 2024 | NEC Platforms DT900 and DT900S Series 5.0.0.0 – v5.3.4.4, v5.4.0.0 – v5.6.0.20 allows an attacker to access a non-documented the system settings to change settings via local network with unauthenticated user. | ||
| CVE-2024-6045 | — | Hig | 0.58 | 8.8 | 0.06 | Jun 17, 2024 | Certain models of D-Link wireless routers contain an undisclosed factory testing backdoor. Unauthenticated attackers on the local area network can force the device to enable Telnet service by accessing a specific URL and can log in by using the administrator credentials obtained… | |
| CVE-2026-31847 | Hig | 0.57 | 8.8 | 0.00 | Mar 23, 2026 | Hidden functionality in the /goform/setSysTools endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows remote enablement of a Telnet service. By sending a crafted POST request with parameters such as telnetManageEn=true and telnetPwd, an… | ||
| CVE-2025-30064 | — | Hig | 0.57 | — | 0.00 | Aug 27, 2025 | An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the "ex:action" parameter in the VerifyUserByThrustedService… | |
| CVE-2024-47001 | Hig | 0.57 | 8.8 | 0.01 | Sep 18, 2024 | Hidden functionality issue in multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter the device settings. | ||
| CVE-2025-48416 | — | Hig | 0.53 | 8.1 | 0.01 | May 21, 2025 | An OpenSSH daemon listens on TCP port 22. There is a hard-coded entry in the "/etc/shadow" file in the firmware image for the "root" user. However, in the default SSH configuration the "PermitRootLogin" is disabled, preventing the root user from logging in via SSH. This… | |
| CVE-2025-1204 | Hig | 0.50 | — | 0.00 | Feb 25, 2025 | The "update" binary in the firmware of the affected product sends attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an… | ||
| CVE-2025-0675 | — | Hig | 0.49 | 7.5 | 0.00 | Feb 7, 2025 | Multiple Elber products suffer from an unauthenticated device configuration and client-side hidden functionality disclosure. | |
| CVE-2025-0626 | — | Hig | 0.49 | 7.5 | 0.01 | Jan 30, 2025 | The "monitor" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function also enables the network interface of the device if it is disabled. The function is triggered by… | |
| CVE-2024-5633 | Hig | 0.49 | — | 0.01 | Jul 9, 2024 | Longse model LBH30FE200W cameras, as well as products based on this device, provide an unrestricted access for an attacker located in the same local network to an undocumented binary service CoolView on one of the ports. An attacker with a knowledge of the available commands… | ||
| CVE-2024-22044 | Hig | 0.49 | 7.5 | 0.01 | Mar 12, 2024 | A vulnerability has been identified in SENTRON 3KC ATC6 Expansion Module Ethernet (3KC9000-8TL75) (All versions). Affected devices expose an unused, unstable http service at port 80/tcp on the Modbus-TCP Ethernet. This could allow an attacker on the same Modbus network to create… | ||
| CVE-2026-7413 | Hig | 0.47 | 7.2 | 0.01 | May 7, 2026 | A hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated (or weakly authenticated) access to privileged functionality. The backdoor is undocumented, cannot be disabled via user-facing settings, and survives factory reset and ordinary… | ||
| CVE-2025-58778 | Hig | 0.47 | 7.2 | 0.01 | Oct 16, 2025 | Multiple versions of RG-EST300 provided by Ruijie Networks provide SSH server functionality. It is not documented in the manual, and enabled in the initial configuration. Anyone with the knowledge of the related credentials can log in to the affected device, leading to… |
- risk 0.68cvss —epss 0.23
A remote code execution vulnerability exists in multiple Netcore and Netis routers models with firmware released prior to August 2014 due to the presence of an undocumented backdoor listener on UDP port 53413. Exact version boundaries remain undocumented. An unauthenticated…
- risk 0.64cvss 9.8epss 0.00
Snap One WattBox 800 and 820 series firmware versions prior to 2.10.0.0 contain undisclosed diagnostic HTTP endpoints that require only the device MAC address and service tag for authentication, both of which are printed in plaintext on the physical device label. Attackers with…
- risk 0.64cvss 9.8epss 0.00
Delta Electronics AS320T has denial of service via the undocumented subfunction vulnerability.
- risk 0.64cvss 9.8epss 0.00
Hidden functionality issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to gain access to the product’s debugging functionality, resulting in the execution of arbitrary OS commands.
- risk 0.64cvss 9.8epss 0.01
MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend…
- risk 0.62cvss —epss 0.00
Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows a attacker may create and run unauthorized firmware.
- risk 0.59cvss 9.0epss 0.01
The product is vulnerable to pass-the-hash attacks in combination with hardcoded credentials of hidden user levels. This means that an attacker can log in with the hidden user levels and gain full access to the device.
- risk 0.59cvss 9.1epss 0.01
NEC Platforms DT900 and DT900S Series 5.0.0.0 – v5.3.4.4, v5.4.0.0 – v5.6.0.20 allows an attacker to access a non-documented the system settings to change settings via local network with unauthenticated user.
- risk 0.58cvss 8.8epss 0.06
Certain models of D-Link wireless routers contain an undisclosed factory testing backdoor. Unauthenticated attackers on the local area network can force the device to enable Telnet service by accessing a specific URL and can log in by using the administrator credentials obtained…
- risk 0.57cvss 8.8epss 0.00
Hidden functionality in the /goform/setSysTools endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows remote enablement of a Telnet service. By sending a crafted POST request with parameters such as telnetManageEn=true and telnetPwd, an…
- risk 0.57cvss —epss 0.00
An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the "ex:action" parameter in the VerifyUserByThrustedService…
- risk 0.57cvss 8.8epss 0.01
Hidden functionality issue in multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter the device settings.
- risk 0.53cvss 8.1epss 0.01
An OpenSSH daemon listens on TCP port 22. There is a hard-coded entry in the "/etc/shadow" file in the firmware image for the "root" user. However, in the default SSH configuration the "PermitRootLogin" is disabled, preventing the root user from logging in via SSH. This…
- risk 0.50cvss —epss 0.00
The "update" binary in the firmware of the affected product sends attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an…
- risk 0.49cvss 7.5epss 0.00
Multiple Elber products suffer from an unauthenticated device configuration and client-side hidden functionality disclosure.
- risk 0.49cvss 7.5epss 0.01
The "monitor" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function also enables the network interface of the device if it is disabled. The function is triggered by…
- risk 0.49cvss —epss 0.01
Longse model LBH30FE200W cameras, as well as products based on this device, provide an unrestricted access for an attacker located in the same local network to an undocumented binary service CoolView on one of the ports. An attacker with a knowledge of the available commands…
- risk 0.49cvss 7.5epss 0.01
A vulnerability has been identified in SENTRON 3KC ATC6 Expansion Module Ethernet (3KC9000-8TL75) (All versions). Affected devices expose an unused, unstable http service at port 80/tcp on the Modbus-TCP Ethernet. This could allow an attacker on the same Modbus network to create…
- risk 0.47cvss 7.2epss 0.01
A hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated (or weakly authenticated) access to privileged functionality. The backdoor is undocumented, cannot be disabled via user-facing settings, and survives factory reset and ordinary…
- risk 0.47cvss 7.2epss 0.01
Multiple versions of RG-EST300 provided by Ruijie Networks provide SSH server functionality. It is not documented in the manual, and enabled in the initial configuration. Anyone with the knowledge of the related credentials can log in to the affected device, leading to…