CVEbaza.plCWE DictionaryCWE-1263
Common Weakness Enumeration

CWE-1263

Improper Physical Access Control

Category: ClassCVE: 13
Description

The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.

Extended Description

Sections of a product intended to have restricted access may be inadvertently or intentionally rendered accessible when the implemented physical protections are insufficient. The specific requirements around how robust the design of the physical protection mechanism needs to be depends on the type of product being protected. Selecting the correct physical protection mechanism and properly enforcing it through implementation and manufacturing are critical to the overall physical security of the product.

CVE vulnerabilities with CWE-1263 (13)
9.3
CVSS
CRITICAL
CVE-2024-48973

The debug port on the ventilator's serial interface is enabled by default. This could allow an attacker to send and receive messages over the debug port (which are unencrypted; see 3.2.1) that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.

pub. 2024-11-14
7.8
CVSS
HIGH
CVE-2023-38290

Certain software builds for the BLU View 2 and Sharp Rouvo V Android devices contain a vulnerable pre-installed app with a package name of com.evenwell.fqc (versionCode='9020801', versionName='9.0208.01' ; versionCode='9020913', versionName='9.0209.13' ; versionCode='9021203', versionName='9.0212.03') that allows local third-party apps to execute arbitrary shell commands in its context (system user) due to inadequate access control. No permissions or special privileges are necessary to exploit the vulnerability in the com.evenwell.fqc app. No user interaction is required beyond installing and running a third-party app. The vulnerability allows local apps to access sensitive functionality that is generally restricted to pre-installed apps, such as programmatically performing the following actions: granting arbitrary permissions (which can be used to obtain sensitive user data), installing arbitrary apps, video recording the screen, wiping the device (removing the user's apps and data), injecting arbitrary input events, calling emergency phone numbers, disabling apps, accessing notifications, and much more. The software build fingerprints for each confirmed vulnerable device are as follows: BLU View 2 (BLU/B131DL/B130DL:11/RP1A.200720.011/1672046950:user/release-keys, BLU/B131DL/B130DL:11/RP1A.200720.011/1663816427:user/release-keys, BLU/B131DL/B130DL:11/RP1A.200720.011/1656476696:user/release-keys, BLU/B131DL/B130DL:11/RP1A.200720.011/1647856638:user/release-keys) and Sharp Rouvo V (SHARP/VZW_STTM21VAPP/STTM21VAPP:12/SP1A.210812.016/1KN0_0_460:user/release-keys and SHARP/VZW_STTM21VAPP/STTM21VAPP:12/SP1A.210812.016/1KN0_0_530:user/release-keys). This malicious app starts an exported activity named com.evenwell.fqc/.activity.ClickTest, crashes the com.evenwell.fqc app by sending an empty Intent (i.e., having not extras) to the com.evenwell.fqc/.FQCBroadcastReceiver receiver component, and then it sends command arbitrary shell commands to the com.evenwell.fqc/.FQCService service component which executes them with "system" privileges.

pub. 2024-04-22
7.3
CVSS
HIGH
CVE-2024-36438

eLinkSmart Hidden Smart Cabinet Lock 2024-05-22 has Incorrect Access Control and fails to perform an authorization check which can lead to card duplication and other attacks.

pub. 2024-07-15
7.0
CVSS
HIGH
CVE-2024-39512

An Improper Physical Access Control vulnerability in the console port control of Juniper Networks Junos OS Evolved allows an attacker with physical access to the device to get access to a user account. When the console cable is disconnected, the logged in user is not logged out. This allows a malicious attacker with physical access to the console to resume a previous session and possibly gain administrative privileges. This issue affects Junos OS Evolved: * from 23.2R2-EVO before 23.2R2-S1-EVO,  * from 23.4R1-EVO before 23.4R2-EVO.

pub. 2024-07-10
6.8
CVSS
MEDIUM
CVE-2025-4386

Medtronic MyCareLink Patient Monitor has an internal serial interface, which allows an attacker with physical access to access a login prompt via a UART terminal.​

pub. 2026-05-07
6.8
CVSS
MEDIUM
CVE-2024-28326

Incorrect Access Control in ASUS RT-N12+ B1 and RT-N12 D1 routers allows local attackers to obtain root terminal access via the the UART interface.

pub. 2024-04-26
6.4
CVSS
MEDIUM
CVE-2022-32506

An issue was discovered on certain Nuki Home Solutions devices. An attacker with physical access to the circuit board could use the SWD debug features to control the execution of code on the processor and debug the firmware, as well as read or alter the content of the internal and external flash memory. This affects Nuki Smart Lock 3.0 before 3.3.5, Nuki Smart Lock 2.0 before 2.12.4, as well as Nuki Bridge v1 before 1.22.0 and v2 before 2.13.2.

pub. 2024-05-14
6.1
CVSS
MEDIUM
CVE-2022-3728

A vulnerability was reported in ThinkPad T14s Gen 3 and X13 Gen3 that could cause the BIOS tamper detection mechanism to not trigger under specific circumstances which could allow unauthorized access.

pub. 2023-10-09
6.1
CVSS
MEDIUM
CVE-2022-48182

A vulnerability was reported in ThinkPad T14s Gen 3 and X13 Gen3 that could cause the BIOS tamper detection mechanism to not trigger under specific circumstances which could allow unauthorized access.

pub. 2023-10-09
6.1
CVSS
MEDIUM
CVE-2022-48183

A vulnerability was reported in ThinkPad T14s Gen 3 and X13 Gen3 that could cause the BIOS tamper detection mechanism to not trigger under specific circumstances which could allow unauthorized access.

pub. 2023-10-09
5.2
CVSS
MEDIUM
CVE-2025-8762

A vulnerability was found in INSTAR 2K+ and 4K 3.11.1 Build 1124. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper physical access control. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used.

pub. 2025-08-13
4.7
CVSS
MEDIUM
CVE-2025-6785

Securing externally available CAN wires can easily allow physical access to the CAN bus, allowing possible injection of specially formed CAN messages to control remote start functions of the vehicle.  Testing completed on Tesla Model 3 vehicles with software version v11.1 (2023.20.9 ee6de92ddac5). This issue affects Model 3: With software versions from 2023.Xx before 2023.44.

pub. 2025-09-04
3.2
CVSS
LOW
CVE-2025-59696

Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to modify or erase tamper events via the Chassis management board.

pub. 2025-12-02
Information
ID: CWE-1263
Type: Class
Vulnerabilities: 13
MITRE CWE ↗
← CWE Dictionary