Class weakness

Draft

CWE-656: Reliance on Security Through Obscurity

Also known as: Never Assuming your secrets are safe

The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.

Last updated May 1, 2026

10

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Class

Abstraction

MITRE classification

Overview

This reliance on "security through obscurity" can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that obscurity can be one small part of defense in depth, since it can create more work for an attacker; however, it is a significant risk if used as the primary means of protection.

Real-world CVEs

10 recorded CVEs are caused by CWE-656 (Reliance on Security Through Obscurity). The highest-severity and most recent are shown first. 3 new CWE-656 CVEs have been recorded so far in 2026 (3 in 2025).

Critical · CVSS 9.3 · EPSS 15th

2026-04-26

CVE-2024-12297

Frontend Authorization Logic Disclosure Vulnerability

Critical · CVSS 9.2 · EPSS 54th

2025-01-15

CVE-2020-10284

RVD#3321: No Authentication required to exert manual control of the robot

Critical · CVSS 9.1 · EPSS 65th

2020-07-15

CVE-2024-9138

High · CVSS 8.6 · EPSS 48th

2025-01-03

CVE-2025-59093

Insecure Password Derivation Function for Database Administrator in dormakaba Kaba exos 9300

High · CVSS 8.5 · EPSS 7th

2026-01-26

CVE-2020-10277

Medium · CVSS 6.4 · EPSS 19th

2020-06-24

CVE-2025-7020

BYD DiLink OS Incorrect encryption Implementation of system log dumps

Medium · CVSS 5.1 · EPSS 23th

2025-08-09

CVE-2024-5244

Medium · CVSS 5.0 · EPSS 24th

2024-05-23

Common consequences

What can happen when CWE-656 is exploited.

Other

Affects: Confidentiality, Integrity, Availability, Other

The security mechanism can be bypassed easily.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

How to prevent it

Practical mitigations for CWE-656, grouped by where in the lifecycle they apply.

Architecture and Design

Always consider whether knowledge of your code or design is sufficient to break it. Reverse engineering is a highly successful discipline, and financially feasible for motivated adversaries. Black-box techniques are established for binary analysis of executables that use obfuscation, runtime analysis of proprietary protocols, inferring file formats, and others.

Architecture and Design

When available, use publicly-vetted algorithms and procedures, as these are more likely to undergo more extensive security analysis and testing. This is especially the case with encryption and authentication.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The design of TCP relies on the secrecy of Initial Sequence Numbers (ISNs), as originally covered in CVE-1999-0077 [REF-542]. If ISNs can be guessed (due to predictability, CWE-330) or sniffed (due to lack of encryption during transmission, CWE-312), then an attacker can hijack or spoof connections. Many TCP implementations have had variations of this problem over the years, including CVE-2004-0641, CVE-2002-1463, CVE-2001-0751, CVE-2001-0328, CVE-2001-0288, CVE-2001-0163, CVE-2001-0162, CVE-2000-0916, and CVE-2000-0328.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2006-6588 — Reliance on hidden form fields in a web application. Many web application vulnerabilities exist because the developer did not consider that "hidden" form fields can be processed using a modified client.
CVE-2006-7142 — Hard-coded cryptographic key stored in executable program.
CVE-2005-4002 — Hard-coded cryptographic key stored in executable program.
CVE-2006-4068 — Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks.

Terminology & mappings

Alternate terms

Never Assuming your secrets are safe

Frequently asked questions

Common questions about CWE-656.

What is CWE-656?

The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.

What CVEs are caused by CWE-656?

10 recorded CVEs are attributed to CWE-656, including CVE-2020-10286, CVE-2026-7161, CVE-2026-42363.

How do you prevent CWE-656?

Always consider whether knowledge of your code or design is sufficient to break it. Reverse engineering is a highly successful discipline, and financially feasible for motivated adversaries. Black-box techniques are established for binary analysis of executables that use obfuscation, runtime analysis of proprietary protocols, inferring file formats, and others.

What are the consequences of CWE-656?

Exploiting CWE-656 can lead to: Other.

Is CWE-656 actively exploited?

10 recorded CVEs are caused by CWE-656; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-656

Get alerted the moment a new CWE-656 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Related weaknesses

Parent

Peer

Can precede

Terminology & mappings

Alternate terms

Frequently asked questions

What is CWE-656?

What CVEs are caused by CWE-656?

How do you prevent CWE-656?

What are the consequences of CWE-656?

Is CWE-656 actively exploited?

References

Stay ahead of CWE-656