VYPR

CWE-912

Hidden Functionality

Class · Incomplete

Description

The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.

Hidden functionality can take many forms, such as intentionally malicious code, "Easter Eggs" that contain extraneous functionality such as games, developer-friendly shortcuts that reduce maintenance or support costs such as hard-coded accounts, etc. From a security perspective, even when the functionality is not intentionally malicious or damaging, it can increase the product's attack surface and expose additional weaknesses beyond what is already exposed by the intended functionality. Even if it is not easily accessible, the hidden functionality could be useful for attacks that modify the control flow of the application.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-133 · CAPEC-190

CVEs mapped to this weakness (36)

page 2 of 2
  • CVE-2025-11673 · High · Oct 13, 2025
    risk 0.47 · cvss 7.2 · epss 0.01

    SOOP-CLM developed by PiExtract has a Hidden Functionality vulnerability, allowing privileged remote attackers to exploit a hidden functionality to execute arbitrary code on the server.

  • CVE-2024-13062 · High · Jan 2, 2025
    risk 0.47 · cvss 7.2 · epss 0.01

    An unintended entry point vulnerability has been identified in certain router models, which may allow for arbitrary command execution. Refer to the '01/02/2025 ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information.

  • CVE-2025-26412 · Medium · Jun 11, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    The SIMCom SIM7600G modem supports an undocumented AT command, which allows an attacker to execute system commands with root permission on the modem. An attacker needs either physical access or remote shell access to a device that interacts directly with the modem via AT…

  • CVE-2026-34769 · High · Apr 4, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, an undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer…

  • CVE-2025-9382 · Medium · Aug 24, 2025
    risk 0.42 · cvss 6.4 · epss 0.00

    A weakness has been identified in FNKvision Y215 CCTV Camera 10.194.120.40. This vulnerability affects unknown code of the file s1_rf_test_config of the component Telnet Service. Executing manipulation can lead to backdoor. The physical device can be targeted for the attack. This…

  • CVE-2018-17919 · Medium · Oct 10, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server may allow an attacker to use an undocumented user account "default" with its default password to login to XMeye and access/view video streams.

  • CVE-2025-8938 · Medium · Aug 14, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was found in TOTOLINK N350R 1.2.3-B20130826. This issue affects the function formSysTel of the file /boafrm/formSysTel of the component Telnet Service. The manipulation of the argument TelEnabled leads to backdoor. The attack may be initiated remotely. The…

  • CVE-2025-6839 · Medium · Jun 29, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability, which was classified as critical, has been found in Conjure Position Department Service Quality Evaluation System up to 1.0.11. Affected by this issue is the function eval of the file public/assets/less/bootstrap-less/mixins/head.php. The manipulation of the…

  • CVE-2026-4621 · Medium · Mar 27, 2026
    risk 0.36 · cvss 5.6 · epss 0.00

    Hidden Functionality vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to enable telnet via network.

  • CVE-2025-55704 · Medium · Jan 29, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Hidden functionality issue exists in multiple MFPs provided by Brother Industries, Ltd., which may allow an attacker to obtain the logs of the affected product and obtain sensitive information within the logs.

  • CVE-2025-55075 · Medium · Sep 17, 2025
    risk 0.32 · cvss 4.9 · epss 0.00

    Hidden functionality issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, SSH may be enabled by a remote authenticated attacker.

  • CVE-2025-46267 · Medium · Jul 22, 2025
    risk 0.32 · cvss 4.9 · epss 0.00

    Hidden functionality issue exists in WRC-BE36QS-B and WRC-W701-B. If exploited, the product's hidden debug function may be enabled by a remote attacker who can log in to WebGUI.

  • CVE-2024-33583 · Low · May 14, 2024
    risk 0.21 · cvss 3.3 · epss 0.00

    A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating…

  • CVE-2025-62773 · Low · Oct 22, 2025
    risk 0.16 · cvss 2.4 · epss 0.00

    Mercku M6a devices through 2.1.0 allow TELNET sessions via a router.telnet.enabled.update request by an administrator.

  • CVE-2021-36403 · Mar 6, 2023
    risk 0.00 · cvss · epss 0.01

    In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.

  • CVE-2021-4229 · May 24, 2022
    risk 0.00 · cvss · epss 0.01

    A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the…