CWE-1245: Improper Finite State Machines (FSMs) in Hardware Logic
Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system.
Last updated
Overview
The functionality and security of the system heavily depend on the implementation of FSMs. FSMs can be used to indicate the current security state of the system. Lots of secure data operations and data transfers rely on the state reported by the FSM.
Real-world CVEs
5 recorded CVEs are caused by CWE-1245 (Improper Finite State Machines (FSMs) in Hardware Logic). The highest-severity and most recent are shown first. 1 new CWE-1245 CVE has been recorded so far in 2026 (2 in 2025).
- CVE-2024-58311
Dormakaba Saflok System 6000 Key Generation Cryptographic Weakness
High · CVSS 8.7 · EPSS 31th2025-12-12 - CVE-2025-48508Medium · CVSS 6.0 · EPSS 5th2026-02-11
- CVE-2024-21853Medium · CVSS 5.7 · EPSS 10th2024-11-13
- CVE-2024-31068Medium · CVSS 5.6 · EPSS 12th2025-02-12
- CVE-2024-24968Medium · CVSS 5.6 · EPSS 8th2024-09-16
Common consequences
What can happen when CWE-1245 is exploited.
Unexpected State, DoS: Crash, Exit, or Restart, DoS: Instability, Gain Privileges or Assume Identity
Affects: Availability, Access Control
Faulty FSM designs that do not account for all states, either through undefined states (left as don't cares) or through incorrect implementation, might lead an attacker to drive the system into an unstable state from which the system cannot recover without a reset, thus causing a DoS. Depending on what the FSM is used for, an attacker might also gain additional privileges to launch further attacks and compromise the security guarantees.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-1245, grouped by where in the lifecycle they apply.
Define all possible states and handle all unused states through default statements. Ensure that system defaults to a secure state.
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The Finite State Machine (FSM) shown in the "bad" code snippet below assigns the output ("out") based on the value of state, which is determined based on the user provided input ("user_input").
Vulnerable example
module fsm_1(out, user_input, clk, rst_n);Safe example
case (user_input)The case statement does not include a default to handle the scenario when the user provides inputs of 3'h6 and 3'h7. Those inputs push the system to an undefined state and might cause a crash (denial of service) or any other unanticipated outcome.
Adding a default statement to handle undefined inputs mitigates this issue. This is shown in the "Good" code snippet below. The default statement is in bold.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1245.
- What is CWE-1245?
- Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system.
- What CVEs are caused by CWE-1245?
- 5 recorded CVEs are attributed to CWE-1245, including CVE-2024-58311, CVE-2025-48508, CVE-2024-21853.
- How do you prevent CWE-1245?
- Define all possible states and handle all unused states through default statements. Ensure that system defaults to a secure state.
- What are the consequences of CWE-1245?
- Exploiting CWE-1245 can lead to: Unexpected State, DoS: Crash, Exit, or Restart, DoS: Instability, Gain Privileges or Assume Identity.
- Is CWE-1245 actively exploited?
- 5 recorded CVEs are caused by CWE-1245; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1245) (opens in a new tab)
- CWE-1245 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1245
Get alerted the moment a new CWE-1245 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.