CWE-1282: Assumed-Immutable Data is Stored in Writable Memory
Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field.
Last updated
Overview
Security services such as secure boot, authentication of code and data, and device attestation all require assets such as the first stage bootloader, public keys, golden hash digests, etc. which are implicitly trusted. Storing these assets in read-only memory (ROM), fuses, or one-time programmable (OTP) memory provides strong integrity guarantees and provides a root of trust for securing the rest of the system. Security is lost if assets assumed to be immutable can be modified.
Real-world CVEs
8 recorded CVEs are caused by CWE-1282 (Assumed-Immutable Data is Stored in Writable Memory). The highest-severity and most recent are shown first. 7 new CWE-1282 CVEs have been recorded so far in 2026.
- CVE-2019-25358
FileOptimizer 14.00.2524 - Denial of Service
High · CVSS 8.7 · EPSS 31th2026-02-18 - CVE-2022-2483High · CVSS 8.4 · EPSS 13th2023-01-06
- CVE-2019-25590
Axessh 4.2 Denial of Service via Log File Name
Medium · CVSS 6.9 · EPSS 6th2026-03-22 - CVE-2019-25588
BulletProof FTP Server 2019.0.0.50 Denial of Service via DNS Address
Medium · CVSS 6.9 · EPSS 7th2026-03-22 - CVE-2019-25587
BulletProof FTP Server 2019.0.0.50 Storage-Path Denial of Service
Medium · CVSS 6.9 · EPSS 7th2026-03-22 - CVE-2019-25583
RarmaRadio 2.72.3 Username Field Denial of Service
Medium · CVSS 6.9 · EPSS 7th2026-03-22 - CVE-2019-25551
Sandboxie 5.30 Denial of Service via Program Alerts Buffer Overflow
Medium · CVSS 6.9 · EPSS 6th2026-03-21 - CVE-2018-25229
BulletProof FTP Server 2019.0.0.50 Denial of Service via SMTP
Medium · CVSS 6.8 · EPSS 12th2026-03-30
Common consequences
What can happen when CWE-1282 is exploited.
Varies by Context
Affects: Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-1282, grouped by where in the lifecycle they apply.
All immutable code or data should be programmed into ROM or write-once memory.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
Cryptographic hash functions are commonly used to create unique fixed-length digests used to ensure the integrity of code and keys. A golden digest is stored on the device and compared to the digest computed from the data to be verified. If the digests match, the data has not been maliciously modified. If an attacker can modify the golden digest they then have the ability to store arbitrary data that passes the verification check. Hash digests used to verify public keys and early stage boot code should be immutable, with the strongest protection offered by hardware immutability.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1282.
- What is CWE-1282?
- Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field.
- What CVEs are caused by CWE-1282?
- 8 recorded CVEs are attributed to CWE-1282, including CVE-2019-25358, CVE-2022-2483, CVE-2019-25590.
- How do you prevent CWE-1282?
- All immutable code or data should be programmed into ROM or write-once memory.
- What are the consequences of CWE-1282?
- Exploiting CWE-1282 can lead to: Varies by Context.
- Is CWE-1282 actively exploited?
- 8 recorded CVEs are caused by CWE-1282; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1282) (opens in a new tab)
- CWE-1282 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1282
Get alerted the moment a new CWE-1282 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.