CWE-420: Unprotected Alternate Channel
The product protects a primary channel, but it does not use the same level of protection for an alternate channel.
Last updated
Overview
CWE-420 (Unprotected Alternate Channel) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
36 recorded CVEs are caused by CWE-420 (Unprotected Alternate Channel), including 2 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 7 new CWE-420 CVEs have been recorded so far in 2026 (13 in 2025).
- CVE-2025-54309CISA KEVCritical · CVSS 10.0 · EPSS 100th2025-07-18
- CVE-2023-20198CISA KEVCritical · CVSS 9.3 · EPSS 100th2023-10-16
- CVE-2025-54351Critical · CVSS 10.0 · EPSS 32th2025-08-03
- CVE-2024-10081Critical · CVSS 10.0 · EPSS 98th2024-11-06
- CVE-2023-31241Critical · CVSS 10.0 · EPSS 51th2023-05-22
- CVE-2025-52921Critical · CVSS 9.9 · EPSS 38th2025-06-23
- CVE-2025-13315
Unauthenticated log access in Twonky Server
Critical · CVSS 9.3 · EPSS 98th2025-11-19 - CVE-2026-40217High · CVSS 8.8 · EPSS 93th2026-04-10
- CVE-2025-1095
IBM Personal Communications command execution
High · CVSS 8.8 · EPSS 4th2025-04-08 - CVE-2023-4570High · CVSS 8.8 · EPSS 20th2023-10-05
- CVE-2020-8558
Kubernetes node setting allows for neighboring hosts to bypass localhost boundary
High · CVSS 8.8 · EPSS 88th2020-07-27 - CVE-2025-62001
BullWall Ransomware Containment hard-coded folder exclusions
High · CVSS 8.7 · EPSS 25th2025-12-18
Showing 12 of 36 recorded CWE-420 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-420 vulnerabilitiesCommon consequences
What can happen when CWE-420 is exploited.
Gain Privileges or Assume Identity, Bypass Protection Mechanism
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-420, grouped by where in the lifecycle they apply.
Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
Register SECURE_ME is located at address 0xF00. A mirror of this register called COPY_OF_SECURE_ME is at location 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to select, while COPY_OF_SECURE_ME is not.
Access control is implemented using an allowlist (as indicated by acl_oh_allowlist). The identity of the initiator of the transaction is indicated by the one hot input, incoming_id. This is checked against the acl_oh_allowlist (which contains a list of initiators that are allowed to access the asset).
Though this example is shown in Verilog, it will apply to VHDL as well.
The bugged line of code is repeated in the Bad example above. The weakness arises from the fact that the SECURE_ME register can be modified by writing to the shadow register COPY_OF_SECURE_ME. The address of COPY_OF_SECURE_ME should also be included in the check. That buggy line of code should instead be replaced as shown in the Good Code Snippet below.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2020-8004 — When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS).
- CVE-2002-0567 — DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote.
- CVE-2002-1578 — Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database.
- CVE-2003-1035 — User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.
- CVE-2002-1863 — FTP service can not be disabled even when other access controls would require it.
- CVE-2002-0066 — Windows named pipe created without authentication/access control, allowing configuration modification.
- CVE-2004-1461 — Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address.
Terminology & mappings
Mapped taxonomies
- PLOVER: Unprotected Alternate Channel
Frequently asked questions
Common questions about CWE-420.
- What is CWE-420?
- The product protects a primary channel, but it does not use the same level of protection for an alternate channel.
- What CVEs are caused by CWE-420?
- 36 recorded CVEs are attributed to CWE-420, including CVE-2025-54309, CVE-2023-20198, CVE-2025-54351. 2 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-420?
- Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.
- What are the consequences of CWE-420?
- Exploiting CWE-420 can lead to: Gain Privileges or Assume Identity, Bypass Protection Mechanism.
- Is CWE-420 actively exploited?
- Yes. 2 CWE-420 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 36 recorded CVEs.
References
- MITRE CWE definition (CWE-420) (opens in a new tab)
- CWE-420 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-420
Get alerted the moment a new CWE-420 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.