Base weakness
Log in
The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path.
Last updated
An asset inside a chip might have access-control protections through one interface. However, if all paths to the asset are not protected, an attacker might compromise the asset through alternate paths. These alternate paths could be through shadow or mirror registers inside the IP core, or could be paths from other external-facing interfaces to the IP core or SoC. Consider an SoC with various interfaces such as UART, SMBUS, PCIe, USB, etc. If access control is implemented for SoC internal registers only over the PCIe interface, then an attacker could still modify the SoC internal registers through alternate paths by coming through interfaces such as UART, SMBUS, USB, etc. Alternatively, attackers might be able to bypass existing protections by exploiting unprotected, shadow registers. Shadow registers and mirror registers typically refer to registers that can be accessed from multiple addresses. Writing to or reading from the aliased/mirrored address has the same effect as writing to the address of the main register. They are typically implemented within an IP core or SoC to temporarily hold certain data. These data will later be updated to the main register, and both registers will be in synch. If the shadow registers are not access-protected, attackers could simply initiate transactions to the shadow registers and compromise system security.
9 recorded CVEs are caused by CWE-1299 (Missing Protection Mechanism for Alternate Hardware Interface). The highest-severity and most recent are shown first. 1 new CWE-1299 CVE has been recorded so far in 2026 (2 in 2025).
What can happen when CWE-1299 is exploited.
Modify Memory, Read Memory, DoS: Resource Consumption (Other), Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Alter Execution Logic, Bypass Protection Mechanism, Quality Degradation
Affects: Confidentiality, Integrity, Availability, Access Control
Typically introduced during these phases of the software lifecycle.
Technologies
Practical mitigations for CWE-1299, grouped by where in the lifecycle they apply.
Protect assets from accesses against all potential interfaces and alternate paths.
Effectiveness: Defense in Depth
Protect assets from accesses against all potential interfaces and alternate paths.
Effectiveness: Defense in Depth
Protect assets from accesses against all potential interfaces and alternate paths.
Effectiveness: Defense in Depth
Illustrative examples from MITRE showing how the weakness appears in code.
Register SECURE_ME is located at address 0xF00. A mirror of this register called COPY_OF_SECURE_ME is at location 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to select, while COPY_OF_SECURE_ME is not.
Access control is implemented using an allowlist (as indicated by acl_oh_allowlist). The identity of the initiator of the transaction is indicated by the one hot input, incoming_id. This is checked against the acl_oh_allowlist (which contains a list of initiators that are allowed to access the asset).
Though this example is shown in Verilog, it will apply to VHDL as well.
The bugged line of code is repeated in the Bad example above. The weakness arises from the fact that the SECURE_ME register can be modified by writing to the shadow register COPY_OF_SECURE_ME. The address of COPY_OF_SECURE_ME should also be included in the check. That buggy line of code should instead be replaced as shown in the Good Code Snippet below.
Real CVEs that MITRE cites as examples of this weakness.
CAPEC attack patterns that exploit this weakness.
Common questions about CWE-1299.
The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path.
9 recorded CVEs are attributed to CWE-1299, including CVE-2025-35998, CVE-2025-1073, CVE-2025-41697.
Protect assets from accesses against all potential interfaces and alternate paths.
Exploiting CWE-1299 can lead to: Modify Memory, Read Memory, DoS: Resource Consumption (Other), Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Alter Execution Logic.
9 recorded CVEs are caused by CWE-1299; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Get alerted the moment a new CWE-1299 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.