CWE-912: Hidden Functionality
The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.
Last updated
Overview
Hidden functionality can take many forms, such as intentionally malicious code, "Easter Eggs" that contain extraneous functionality such as games, developer-friendly shortcuts that reduce maintenance or support costs such as hard-coded accounts, etc. From a security perspective, even when the functionality is not intentionally malicious or damaging, it can increase the product's attack surface and expose additional weaknesses beyond what is already exposed by the intended functionality. Even if it is not easily accessible, the hidden functionality could be useful for attacks that modify the control flow of the application.
Real-world CVEs
76 recorded CVEs are caused by CWE-912 (Hidden Functionality), including 3 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 12 new CWE-912 CVEs have been recorded so far in 2026 (22 in 2025).
- CVE-2024-20439CISA KEVCritical · CVSS 9.3 · EPSS 100th2024-09-04
- CVE-2021-25371CISA KEVHigh · CVSS 8.4 · EPSS 52th2021-03-26
- CVE-2025-47729CISA KEVMedium · CVSS 6.9 · EPSS 33th2025-05-08
- CVE-2026-3587
Hidden CLI Function Allows Root Access
Critical · CVSS 10.0 · EPSS 48th2026-03-23 - CVE-2024-39754Critical · CVSS 10.0 · EPSS 66th2025-01-14
- CVE-2026-7413
Persistent undocumented backdoor access in Yarbo robot
Critical · CVSS 9.8 · EPSS 44th2026-05-07 - CVE-2026-1952
Denial of service via the undocumented subfunction in AS320T
Critical · CVSS 9.8 · EPSS 19th2026-04-24 - CVE-2025-32370Critical · CVSS 9.8 · EPSS 70th2025-04-06
- CVE-2024-45697
D-Link WiFi router - Hidden Functionality
Critical · CVSS 9.8 · EPSS 60th2024-09-16 - CVE-2024-28011Critical · CVSS 9.8 · EPSS 46th2024-03-28
- CVE-2023-24108Critical · CVSS 9.8 · EPSS 68th2023-02-22
- CVE-2022-47767Critical · CVSS 9.8 · EPSS 66th2023-01-25
Showing 12 of 76 recorded CWE-912 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-912 vulnerabilitiesCommon consequences
What can happen when CWE-912 is exploited.
Varies by Context, Alter Execution Logic
Affects: Other, Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-912, grouped by where in the lifecycle they apply.
Always verify the integrity of the product that is being installed.
How to detect it
Automated Static Analysis
Conduct a code coverage analysis using live testing, then closely inspect any code that is not covered.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In the example below, a malicous developer has injected code to send credit card numbers to the developer's own email address.
Vulnerable example
boolean authorizeCard(String ccn) {Consider a device that comes with various security measures, such as secure boot. The secure-boot process performs firmware-integrity verification at boot time, and this code is stored in a separate SPI-flash device. However, this code contains undocumented "special access features" intended to be used only for performing failure analysis and intended to only be unlocked by the device designer.
Vulnerable example
Attackers dump the code from the device and then perform reverse engineering to analyze the code. The undocumented, special-access features are identified, and attackers can activate them by sending specific commands via UART before secure-boot phase completes. Using these hidden features, attackers can perform reads and writes to memory via the UART interface. At runtime, the attackers can also execute arbitrary code and dump the entire memory contents.Remove all chicken bits and hidden features that are exposed to attackers. Add authorization schemes that rely on cryptographic primitives to access any features that the manufacturer does not want to expose. Clearly document all interfaces.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-31260 — Chain: a digital asset management program has an undisclosed backdoor in the legacy version of a PHP script (CWE-912) that could allow an unauthenticated user to export metadata (CWE-306)
- CVE-2022-3203 — A wireless access point manual specifies that the only method of configuration is via web interface (CWE-1059), but there is an undisclosed telnet server that was activated by default (CWE-912).
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-912.
- What is CWE-912?
- The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.
- What CVEs are caused by CWE-912?
- 76 recorded CVEs are attributed to CWE-912, including CVE-2024-20439, CVE-2021-25371, CVE-2025-47729. 3 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-912?
- Always verify the integrity of the product that is being installed.
- How is CWE-912 detected?
- Automated Static Analysis: Conduct a code coverage analysis using live testing, then closely inspect any code that is not covered.
- What are the consequences of CWE-912?
- Exploiting CWE-912 can lead to: Varies by Context, Alter Execution Logic.
- Is CWE-912 actively exploited?
- Yes. 3 CWE-912 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 76 recorded CVEs.
References
- MITRE CWE definition (CWE-912) (opens in a new tab)
- CWE-912 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-912
Get alerted the moment a new CWE-912 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.