CVEbaza.plSłownik CWECWE-1263
Common Weakness Enumeration

CWE-1263

Improper Physical Access Control

Kategoria: ClassCVE: 13
Opis

Produkt jest zaprojektowany z ograniczonym dostępem do określonych informacji, ale nie zapewnia wystarczającej ochrony przed nieuprawnionym aktorem mającym fizyczny dostęp do tych obszarów. Brak odpowiednich zabezpieczeń fizycznych może prowadzić do nieautoryzowanego dostępu do wrażliwych danych lub urządzeń.

Description (EN)

The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.

Podatności CVE z CWE-1263 (13)
9.3
CVSS
CRITICAL
CVE-2024-48973

Podatność dotyczy respiratora, w którym port diagnostyczny (debug) na interfejsie szeregowym jest domyślnie włączony i niezaszyfrowany. Umożliwia to atakującemu z dostępem fizycznym wysyłanie i odbieranie komunikatów, co może prowadzić do ujawnienia informacji lub niezamierzonych zmian ustawień urządzenia.

pub. 2024-11-14
7.8
CVSS
HIGH
CVE-2023-38290

Certain software builds for the BLU View 2 and Sharp Rouvo V Android devices contain a vulnerable pre-installed app with a package name of com.evenwell.fqc (versionCode='9020801', versionName='9.0208.01' ; versionCode='9020913', versionName='9.0209.13' ; versionCode='9021203', versionName='9.0212.03') that allows local third-party apps to execute arbitrary shell commands in its context (system user) due to inadequate access control. No permissions or special privileges are necessary to exploit the vulnerability in the com.evenwell.fqc app. No user interaction is required beyond installing and running a third-party app. The vulnerability allows local apps to access sensitive functionality that is generally restricted to pre-installed apps, such as programmatically performing the following actions: granting arbitrary permissions (which can be used to obtain sensitive user data), installing arbitrary apps, video recording the screen, wiping the device (removing the user's apps and data), injecting arbitrary input events, calling emergency phone numbers, disabling apps, accessing notifications, and much more. The software build fingerprints for each confirmed vulnerable device are as follows: BLU View 2 (BLU/B131DL/B130DL:11/RP1A.200720.011/1672046950:user/release-keys, BLU/B131DL/B130DL:11/RP1A.200720.011/1663816427:user/release-keys, BLU/B131DL/B130DL:11/RP1A.200720.011/1656476696:user/release-keys, BLU/B131DL/B130DL:11/RP1A.200720.011/1647856638:user/release-keys) and Sharp Rouvo V (SHARP/VZW_STTM21VAPP/STTM21VAPP:12/SP1A.210812.016/1KN0_0_460:user/release-keys and SHARP/VZW_STTM21VAPP/STTM21VAPP:12/SP1A.210812.016/1KN0_0_530:user/release-keys). This malicious app starts an exported activity named com.evenwell.fqc/.activity.ClickTest, crashes the com.evenwell.fqc app by sending an empty Intent (i.e., having not extras) to the com.evenwell.fqc/.FQCBroadcastReceiver receiver component, and then it sends command arbitrary shell commands to the com.evenwell.fqc/.FQCService service component which executes them with "system" privileges.

pub. 2024-04-22
7.3
CVSS
HIGH
CVE-2024-36438

eLinkSmart Hidden Smart Cabinet Lock 2024-05-22 has Incorrect Access Control and fails to perform an authorization check which can lead to card duplication and other attacks.

pub. 2024-07-15
7.0
CVSS
HIGH
CVE-2024-39512

An Improper Physical Access Control vulnerability in the console port control of Juniper Networks Junos OS Evolved allows an attacker with physical access to the device to get access to a user account. When the console cable is disconnected, the logged in user is not logged out. This allows a malicious attacker with physical access to the console to resume a previous session and possibly gain administrative privileges. This issue affects Junos OS Evolved: * from 23.2R2-EVO before 23.2R2-S1-EVO,  * from 23.4R1-EVO before 23.4R2-EVO.

pub. 2024-07-10
6.8
CVSS
MEDIUM
CVE-2025-4386

Medtronic MyCareLink Patient Monitor has an internal serial interface, which allows an attacker with physical access to access a login prompt via a UART terminal.​

pub. 2026-05-07
6.8
CVSS
MEDIUM
CVE-2024-28326

Incorrect Access Control in ASUS RT-N12+ B1 and RT-N12 D1 routers allows local attackers to obtain root terminal access via the the UART interface.

pub. 2024-04-26
6.4
CVSS
MEDIUM
CVE-2022-32506

An issue was discovered on certain Nuki Home Solutions devices. An attacker with physical access to the circuit board could use the SWD debug features to control the execution of code on the processor and debug the firmware, as well as read or alter the content of the internal and external flash memory. This affects Nuki Smart Lock 3.0 before 3.3.5, Nuki Smart Lock 2.0 before 2.12.4, as well as Nuki Bridge v1 before 1.22.0 and v2 before 2.13.2.

pub. 2024-05-14
6.1
CVSS
MEDIUM
CVE-2022-3728

A vulnerability was reported in ThinkPad T14s Gen 3 and X13 Gen3 that could cause the BIOS tamper detection mechanism to not trigger under specific circumstances which could allow unauthorized access.

pub. 2023-10-09
6.1
CVSS
MEDIUM
CVE-2022-48182

A vulnerability was reported in ThinkPad T14s Gen 3 and X13 Gen3 that could cause the BIOS tamper detection mechanism to not trigger under specific circumstances which could allow unauthorized access.

pub. 2023-10-09
6.1
CVSS
MEDIUM
CVE-2022-48183

A vulnerability was reported in ThinkPad T14s Gen 3 and X13 Gen3 that could cause the BIOS tamper detection mechanism to not trigger under specific circumstances which could allow unauthorized access.

pub. 2023-10-09
5.2
CVSS
MEDIUM
CVE-2025-8762

A vulnerability was found in INSTAR 2K+ and 4K 3.11.1 Build 1124. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper physical access control. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used.

pub. 2025-08-13
4.7
CVSS
MEDIUM
CVE-2025-6785

Securing externally available CAN wires can easily allow physical access to the CAN bus, allowing possible injection of specially formed CAN messages to control remote start functions of the vehicle.  Testing completed on Tesla Model 3 vehicles with software version v11.1 (2023.20.9 ee6de92ddac5). This issue affects Model 3: With software versions from 2023.Xx before 2023.44.

pub. 2025-09-04
3.2
CVSS
LOW
CVE-2025-59696

Entrust nShield Connect XC, nShield 5c i nShield HSMi w wersjach do 13.6.11 lub 13.7 pozwalają atakującemu znajdującemu się w pobliżu fizycznym na modyfikację lub usunięcie zdarzeń tamper poprzez tablicę zarządzającą Chassis.

pub. 2025-12-02
Informacje
ID: CWE-1263
Typ: Class
Podatności: 13
MITRE CWE ↗
← Słownik CWE
CWE-1263 — Niewłaściwa kontrola dostępu fizycznego | Słownik CWE | CVEbaza.pl