CWE-489
AllowedActive Debug Code
Abstraction: Base · Status: Draft
The product is released with debugging code still enabled or active.
141 vulnerabilities reference this CWE, most recent first.
GHSA-M27Q-CMFX-VGVC
Vulnerability from github – Published: 2024-09-30 09:30 – Updated: 2024-09-30 09:30Smart-tab Android app installed April 2023 or earlier contains an active debug code vulnerability. If this vulnerability is exploited, an attacker with physical access to the device may exploit the debug function to gain access to the OS functions, escalate the privilege, change the device's settings, or spoof devices in other rooms.
{
"affected": [],
"aliases": [
"CVE-2024-41999"
],
"database_specific": {
"cwe_ids": [
"CWE-489"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-30T08:15:03Z",
"severity": "MODERATE"
},
"details": "Smart-tab Android app installed April 2023 or earlier contains an active debug code vulnerability. If this vulnerability is exploited, an attacker with physical access to the device may exploit the debug function to gain access to the OS functions, escalate the privilege, change the device\u0027s settings, or spoof devices in other rooms.",
"id": "GHSA-m27q-cmfx-vgvc",
"modified": "2024-09-30T09:30:46Z",
"published": "2024-09-30T09:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41999"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN42445661"
},
{
"type": "WEB",
"url": "https://tsc-soft.co.jp/smart-tab"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M59H-42JF-CPHR
Vulnerability from github – Published: 2026-03-23 20:25 – Updated: 2026-03-30 13:55Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the hashData() signing function.
This issue was mitigated in versions 3.7.2 and 2.15.2 by disabling access to the Sprig Playground entirely when devMode is disabled, by default. It is possible to override this behaviour using a new enablePlaygroundWhenDevModeDisabled that defaults to false.
References:
- https://github.com/putyourlightson/craft-sprig/commit/db18c46f6dc5603828aa321a3a615adbd677d475
- https://github.com/putyourlightson/craft-sprig/commit/09c9da2ffb45a8857829f3390ae2578e26cfe03b
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "putyourlightson/craft-sprig"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.15.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "putyourlightson/craft-sprig"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27131"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-489"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-23T20:25:37Z",
"nvd_published_at": "2026-03-23T20:16:25Z",
"severity": "MODERATE"
},
"details": "Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the `hashData()` signing function.\n\nThis issue was mitigated in versions 3.7.2 and 2.15.2 by disabling access to the Sprig Playground entirely when `devMode` is disabled, by default. It is possible to override this behaviour using a new `enablePlaygroundWhenDevModeDisabled` that defaults to `false`.\n\nReferences:\n\n- https://github.com/putyourlightson/craft-sprig/commit/db18c46f6dc5603828aa321a3a615adbd677d475\n- https://github.com/putyourlightson/craft-sprig/commit/09c9da2ffb45a8857829f3390ae2578e26cfe03b",
"id": "GHSA-m59h-42jf-cphr",
"modified": "2026-03-30T13:55:55Z",
"published": "2026-03-23T20:25:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/putyourlightson/craft-sprig/security/advisories/GHSA-m59h-42jf-cphr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27131"
},
{
"type": "WEB",
"url": "https://github.com/putyourlightson/craft-sprig/commit/09c9da2ffb45a8857829f3390ae2578e26cfe03b"
},
{
"type": "WEB",
"url": "https://github.com/putyourlightson/craft-sprig/commit/db18c46f6dc5603828aa321a3a615adbd677d475"
},
{
"type": "PACKAGE",
"url": "https://github.com/putyourlightson/craft-sprig"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground"
}
GHSA-MFGM-XVXW-J43W
Vulnerability from github – Published: 2026-07-09 18:31 – Updated: 2026-07-09 18:31Allwinner H616 TV Box TV98 has ADB enabled and exposed to the network on production. An attacker could request for ADB authorization and gain root level privileges if the victim allows access.
{
"affected": [],
"aliases": [
"CVE-2026-58378"
],
"database_specific": {
"cwe_ids": [
"CWE-489"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T18:16:54Z",
"severity": "HIGH"
},
"details": "Allwinner H616 TV Box TV98 has ADB enabled and exposed to the network on production. An attacker could request for ADB authorization and gain root level privileges if the victim allows access.",
"id": "GHSA-mfgm-xvxw-j43w",
"modified": "2026-07-09T18:31:53Z",
"published": "2026-07-09T18:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58378"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-190-03.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-58378"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MJ3F-8797-C7R5
Vulnerability from github – Published: 2025-05-30 21:30 – Updated: 2025-05-30 21:30An open debug interface was reported in the Legion Space software included on certain Legion devices that could allow a local attacker to execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2025-1479"
],
"database_specific": {
"cwe_ids": [
"CWE-489"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-30T20:15:32Z",
"severity": "MODERATE"
},
"details": "An open debug interface was reported in the Legion Space software included on certain Legion devices that could allow a local attacker to execute arbitrary code.",
"id": "GHSA-mj3f-8797-c7r5",
"modified": "2025-05-30T21:30:57Z",
"published": "2025-05-30T21:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1479"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-186929"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PVCW-Q9RV-W4V9
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2025-04-20 03:50In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, an undocumented, root-privilege administration web shell is available using the HTTP path https:///adm/syscmd.asp.
{
"affected": [],
"aliases": [
"CVE-2017-5259"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-489"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-20T22:29:00Z",
"severity": "HIGH"
},
"details": "In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, an undocumented, root-privilege administration web shell is available using the HTTP path https://\u003cdevice-ip-or-hostname\u003e/adm/syscmd.asp.",
"id": "GHSA-pvcw-q9rv-w4v9",
"modified": "2025-04-20T03:50:21Z",
"published": "2022-05-13T01:36:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5259"
},
{
"type": "WEB",
"url": "https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q7VM-868G-MVQM
Vulnerability from github – Published: 2024-09-13 18:31 – Updated: 2024-09-13 18:31A potential vulnerability was reported in the ThinkPad L390 Yoga and 10w Notebook that could allow a local attacker to escalate privileges by accessing an embedded UEFI shell.
{
"affected": [],
"aliases": [
"CVE-2024-7756"
],
"database_specific": {
"cwe_ids": [
"CWE-489"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-13T18:15:06Z",
"severity": "MODERATE"
},
"details": "A potential vulnerability was reported in the ThinkPad L390 Yoga and 10w Notebook that could allow a local attacker to escalate privileges by accessing an embedded UEFI shell.",
"id": "GHSA-q7vm-868g-mvqm",
"modified": "2024-09-13T18:31:48Z",
"published": "2024-09-13T18:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7756"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-165524"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QV7P-C5XP-Q3HH
Vulnerability from github – Published: 2026-03-26 06:30 – Updated: 2026-03-26 06:30Digital Photo Frame GH-WDF10A provided by GREEN HOUSE CO., LTD. contains an active debug code vulnerability. If this vulnerability is exploited, files or configurations on the affected device may be read or written, or arbitrary files may be executed with root privileges.
{
"affected": [],
"aliases": [
"CVE-2026-33201"
],
"database_specific": {
"cwe_ids": [
"CWE-489"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-26T05:16:39Z",
"severity": "HIGH"
},
"details": "Digital Photo Frame GH-WDF10A provided by GREEN HOUSE CO., LTD. contains an active debug code vulnerability. If this vulnerability is exploited, files or configurations on the affected device may be read or written, or arbitrary files may be executed with root privileges.",
"id": "GHSA-qv7p-c5xp-q3hh",
"modified": "2026-03-26T06:30:21Z",
"published": "2026-03-26T06:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33201"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN18035227"
},
{
"type": "WEB",
"url": "https://www.green-house.co.jp/note/info_gh-wdf10a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R3R9-V3Q6-HV5J
Vulnerability from github – Published: 2025-12-31 09:30 – Updated: 2025-12-31 09:30A vulnerability exists in serial device servers where active debug code remains enabled in the UART interface. An attacker with physical access to the device can directly connect to the UART interface and, without authentication, user interaction, or execution conditions, gain unauthorized access to internal debug functionality. Exploitation is low complexity and allows an attacker to execute privileged operations and access sensitive system resources, resulting in a high impact to the confidentiality, integrity, and availability of the affected device. No security impact to external or dependent systems has been identified.
{
"affected": [],
"aliases": [
"CVE-2025-15017"
],
"database_specific": {
"cwe_ids": [
"CWE-489"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-31T08:15:44Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in serial device servers where active debug code remains enabled in the UART interface. An attacker with physical access to the device can directly connect to the UART interface and, without authentication, user interaction, or execution conditions, gain unauthorized access to internal debug functionality. Exploitation is low complexity and allows an attacker to execute privileged operations and access sensitive system resources, resulting in a high impact to the confidentiality, integrity, and availability of the affected device. No security impact to external or dependent systems has been identified.",
"id": "GHSA-r3r9-v3q6-hv5j",
"modified": "2025-12-31T09:30:19Z",
"published": "2025-12-31T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15017"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-257331-cve-2025-15017-active-debug-code-vulnerability-in-serial-device-servers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R4G8-P4X8-42M9
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with high privileges or an unauthenticated attacker with physical access to the device to open a debugging console. The vulnerability is due to insufficient command authorization restrictions. An attacker could exploit this vulnerability by running commands on the hardware platform to open a debugging console. A successful exploit could allow the attacker to access a debugging console.
{
"affected": [],
"aliases": [
"CVE-2021-1381"
],
"database_specific": {
"cwe_ids": [
"CWE-489"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-24T21:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with high privileges or an unauthenticated attacker with physical access to the device to open a debugging console. The vulnerability is due to insufficient command authorization restrictions. An attacker could exploit this vulnerability by running commands on the hardware platform to open a debugging console. A successful exploit could allow the attacker to access a debugging console.",
"id": "GHSA-r4g8-p4x8-42m9",
"modified": "2022-05-24T17:45:11Z",
"published": "2022-05-24T17:45:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1381"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-XE-BLKH-Ouvrnf2s"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RJG6-Q2FH-X6MJ
Vulnerability from github – Published: 2023-01-17 12:30 – Updated: 2023-01-24 21:30Active debug code exists in OMRON CP1L-EL20DR-D all versions, which may lead to a command that is not specified in FINS protocol being executed without authentication. A remote unauthenticated attacker may read/write in arbitrary area of the device memory, which may lead to overwriting the firmware, causing a denial-of-service (DoS) condition, and/or arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2023-22357"
],
"database_specific": {
"cwe_ids": [
"CWE-489"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-17T10:15:00Z",
"severity": "CRITICAL"
},
"details": "Active debug code exists in OMRON CP1L-EL20DR-D all versions, which may lead to a command that is not specified in FINS protocol being executed without authentication. A remote unauthenticated attacker may read/write in arbitrary area of the device memory, which may lead to overwriting the firmware, causing a denial-of-service (DoS) condition, and/or arbitrary code execution.",
"id": "GHSA-rjg6-q2fh-x6mj",
"modified": "2023-01-24T21:30:28Z",
"published": "2023-01-17T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22357"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU97575890/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Remove debug code before deploying the application.
CAPEC-121: Exploit Non-Production Interfaces
An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable.
CAPEC-661: Root/Jailbreak Detection Evasion via Debugging
An adversary inserts a debugger into the program entry point of a mobile application to modify the application binary, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Rooting/Jailbreaking a mobile device also provides users with access to system debuggers and disassemblers, which can be leveraged to exploit applications by dumping the application's memory at runtime in order to remove or bypass signature verification methods. This further allows the adversary to evade Root/Jailbreak detection mechanisms, which can result in execution of administrative commands, obtaining confidential data, impersonating legitimate users of the application, and more.