CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device

The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

When a product is decommissioned - i.e., taken out of service - best practices or regulatory requirements may require the administrator to remove or overwrite sensitive data first, i.e. "scrubbing." Improper scrubbing of sensitive data from a decommissioned device leaves that data vulnerable to acquisition by a malicious actor. Sensitive data may include, but is not limited to, device/manufacturer proprietary information, user/device credentials, network configurations, and other forms of sensitive data.

CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device

Overview

Common consequences

How it happens

When it is introduced

How to prevent it

Attack patterns

Frequently asked questions

What is CWE-1266?

How do you prevent CWE-1266?

What are the consequences of CWE-1266?

References

Stay ahead of CWE-1266

Overview

Common consequences

How it happens

When it is introduced

How to prevent it

Related weaknesses

Parent

Attack patterns

Frequently asked questions

What is CWE-1266?

How do you prevent CWE-1266?

What are the consequences of CWE-1266?

References

Stay ahead of CWE-1266