Log inLog in

Base weakness

Draft

CWE-420: Unprotected Alternate Channel

The product protects a primary channel, but it does not use the same level of protection for an alternate channel.

Last updated May 1, 2026

36

Recorded CVEs

With this primary weakness

2

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-420 (Unprotected Alternate Channel) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

36 recorded CVEs are caused by CWE-420 (Unprotected Alternate Channel), including 2 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 7 new CWE-420 CVEs have been recorded so far in 2026 (13 in 2025).

CVE-2024-10081

Critical · CVSS 10.0 · EPSS 99th

2024-11-06

CVE-2025-52921

Critical · CVSS 9.9 · EPSS 66th

2025-06-23

CVE-2025-13315

Unauthenticated log access in Twonky Server

Critical · CVSS 9.3 · EPSS 99th

2025-11-19

CVE-2025-54351

High · CVSS 8.9 · EPSS 50th

2025-08-03

CVE-2026-40217

High · CVSS 8.8 · EPSS 27th

2026-04-10

CVE-2025-62001

BullWall Ransomware Containment hard-coded folder exclusions

High · CVSS 8.8 · EPSS 6th

2025-12-18

CVE-2025-8557

High · CVSS 8.8 · EPSS 15th

2025-09-11

CVE-2025-1095

IBM Personal Communications command execution

High · CVSS 8.8 · EPSS 13th

2025-04-08

CVE-2023-4570

High · CVSS 8.8 · EPSS 30th

2023-10-05

CVE-2023-31241

High · CVSS 8.6 · EPSS 2th

2023-05-22

Showing 12 of 36 recorded CWE-420 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-420 vulnerabilities

Common consequences

What can happen when CWE-420 is exploited.

Gain Privileges or Assume Identity, Bypass Protection Mechanism

Affects: Access Control

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

Operation

How to prevent it

Practical mitigations for CWE-420, grouped by where in the lifecycle they apply.

Architecture and Design

Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

Register SECURE_ME is located at address 0xF00. A mirror of this register called COPY_OF_SECURE_ME is at location 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to select, while COPY_OF_SECURE_ME is not.

Access control is implemented using an allowlist (as indicated by acl_oh_allowlist). The identity of the initiator of the transaction is indicated by the one hot input, incoming_id. This is checked against the acl_oh_allowlist (which contains a list of initiators that are allowed to access the asset).

Though this example is shown in Verilog, it will apply to VHDL as well.

The bugged line of code is repeated in the Bad example above. The weakness arises from the fact that the SECURE_ME register can be modified by writing to the shadow register COPY_OF_SECURE_ME. The address of COPY_OF_SECURE_ME should also be included in the check. That buggy line of code should instead be replaced as shown in the Good Code Snippet below.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2020-8004 — When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS).
CVE-2002-0567 — DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote.
CVE-2002-1578 — Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database.
CVE-2003-1035 — User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.
CVE-2002-1863 — FTP service can not be disabled even when other access controls would require it.
CVE-2002-0066 — Windows named pipe created without authentication/access control, allowing configuration modification.
CVE-2004-1461 — Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address.

Terminology & mappings

Mapped taxonomies

PLOVER: Unprotected Alternate Channel

Frequently asked questions

Common questions about CWE-420.

What is CWE-420?

The product protects a primary channel, but it does not use the same level of protection for an alternate channel.

What CVEs are caused by CWE-420?

36 recorded CVEs are attributed to CWE-420, including CVE-2025-54309, CVE-2023-20198, CVE-2024-10081. 2 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

How do you prevent CWE-420?

Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.

What are the consequences of CWE-420?

Exploiting CWE-420 can lead to: Gain Privileges or Assume Identity, Bypass Protection Mechanism.

Is CWE-420 actively exploited?

Yes. 2 CWE-420 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 36 recorded CVEs.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-420

Get alerted the moment a new CWE-420 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing