CWE-1384
Improper Handling of Physical or Environmental Conditions
The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.
CVE-2024-39355 (GCVE-0-2024-39355)
Vulnerability from cvelistv5 – Published: 2025-02-12 21:19 – Updated: 2025-11-03 20:38
VLAI
Summary
Improper handling of physical or environmental conditions in some Intel(R) Processors may allow an authenticated user to enable denial of service via local access.
Severity
6.5 (Medium)
CWE
- Denial of Service
- CWE-1384 - Improper Handling of Physical or Environmental Conditions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Intel(R) Processors |
Affected:
See references
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39355",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-13T15:12:11.833665Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T15:12:23.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:38:16.990Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00021.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Intel(R) Processors",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "See references"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper handling of physical or environmental conditions in some Intel(R) Processors may allow an authenticated user to enable denial of service via local access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en"
},
{
"cweId": "CWE-1384",
"description": "Improper Handling of Physical or Environmental Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T21:19:39.378Z",
"orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"shortName": "intel"
},
"references": [
{
"name": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01228.html",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01228.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"assignerShortName": "intel",
"cveId": "CVE-2024-39355",
"datePublished": "2025-02-12T21:19:39.378Z",
"dateReserved": "2024-08-15T03:00:10.598Z",
"dateUpdated": "2025-11-03T20:38:16.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-52557 (GCVE-0-2025-52557)
Vulnerability from cvelistv5 – Published: 2025-06-21 01:42 – Updated: 2025-06-23 17:41
VLAI
Title
Mail-0 Zero Session Hijacking Via Email
Summary
Mail-0's Zero is an open-source email solution. In version 0.8 it's possible for an attacker to craft an email that executes javascript leading to session hijacking due to improper sanitization. This issue has been patched in version 0.81.
Severity
CWE
- CWE-1384 - Improper Handling of Physical or Environmental Conditions
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Mail-0/Zero/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/Mail-0/Zero/pull/1386 | x_refsource_MISC |
| https://github.com/Mail-0/Zero/commit/48d1df65b62… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52557",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-23T17:41:13.338469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-23T17:41:29.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Zero",
"vendor": "Mail-0",
"versions": [
{
"status": "affected",
"version": "= 0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mail-0\u0027s Zero is an open-source email solution. In version 0.8 it\u0027s possible for an attacker to craft an email that executes javascript leading to session hijacking due to improper sanitization. This issue has been patched in version 0.81."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1384",
"description": "CWE-1384: Improper Handling of Physical or Environmental Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-21T01:42:23.004Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mail-0/Zero/security/advisories/GHSA-34gh-g567-hq85",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mail-0/Zero/security/advisories/GHSA-34gh-g567-hq85"
},
{
"name": "https://github.com/Mail-0/Zero/pull/1386",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mail-0/Zero/pull/1386"
},
{
"name": "https://github.com/Mail-0/Zero/commit/48d1df65b62c9c57897b72b241081f447140342f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mail-0/Zero/commit/48d1df65b62c9c57897b72b241081f447140342f"
}
],
"source": {
"advisory": "GHSA-34gh-g567-hq85",
"discovery": "UNKNOWN"
},
"title": "Mail-0 Zero Session Hijacking Via Email"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52557",
"datePublished": "2025-06-21T01:42:23.004Z",
"dateReserved": "2025-06-18T03:55:52.035Z",
"dateUpdated": "2025-06-23T17:41:29.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-49325 (GCVE-0-2026-49325)
Vulnerability from cvelistv5 – Published: 2026-05-29 12:37 – Updated: 2026-05-29 15:27
VLAI
Title
Indian Scout Bobber 2025 WCM voltage-based shutdown
Summary
Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider's PIN. Specific connector details have been withheld pending vendor remediation.
Severity
4.6 (Medium)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cwe.mitre.org/data/definitions/1384.html | technical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Indian Motorcycle (Polaris Inc.) | Scout Bobber + Tech |
Affected:
2025
(model-year)
|
Date Public
2026-05-29 15:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49325",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T15:27:10.878359Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T15:27:16.405Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"Wireless Control Module (WCM)",
"Vehicle Control Module (VCM)"
],
"platforms": [
"OEM Motorcycle"
],
"product": "Scout Bobber + Tech",
"vendor": "Indian Motorcycle (Polaris Inc.)",
"versions": [
{
"status": "affected",
"version": "2025",
"versionType": "model-year"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Scott Sheahan, Rustic Security LLC"
}
],
"datePublic": "2026-05-29T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider\u0027s PIN. Specific connector details have been withheld pending vendor remediation.\u003c/p\u003e"
}
],
"value": "Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider\u0027s PIN. Specific connector details have been withheld pending vendor remediation."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Physically Hacking Hardware"
}
]
},
{
"descriptions": [
{
"lang": "en",
"value": "Hardware Fault Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "PHYSICAL",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1384",
"description": "CWE-1384 Improper Handling of Physical or Environmental Conditions",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-693",
"description": "CWE-693 Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T12:37:41.867Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://cwe.mitre.org/data/definitions/1384.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUse a positive-validation heartbeat: the receiving ECU should require a periodic rising-edge or signed message from the WCM and treat its absence as the shutdown command (fail-secure). Combine with CAN-A liveness validation. Add tamper-evident sealing on the WCM connector.\u003c/p\u003e"
}
],
"value": "Use a positive-validation heartbeat: the receiving ECU should require a periodic rising-edge or signed message from the WCM and treat its absence as the shutdown command (fail-secure). Combine with CAN-A liveness validation. Add tamper-evident sealing on the WCM connector."
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-26T00:00:00.000Z",
"value": "Reported to Indian Motorcycle by Rustic Security LLC (responsible disclosure)"
}
],
"title": "Indian Scout Bobber 2025 WCM voltage-based shutdown",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2026-49325",
"datePublished": "2026-05-29T12:37:41.867Z",
"dateReserved": "2026-05-29T07:26:43.199Z",
"dateUpdated": "2026-05-29T15:27:16.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Requirements
Description:
- In requirements, be specific about expectations for how the product will perform when it exceeds physical and environmental boundary conditions, e.g., by shutting down.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Where possible, include independent components that can detect excess environmental conditions and have the capability to shut down the product.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Where possible, use shielding or other materials that can increase the adversary's workload and reduce the likelihood of being able to successfully trigger a security-related failure.
No CAPEC attack patterns related to this CWE.