CWE · MITRE source
CWE-1242: Inclusion of Undocumented Features or Chicken Bits
The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.
A common design practice is to use undocumented bits on a device that can be used to disable certain functional security features. These bits are commonly referred to as "chicken bits". They can facilitate quick identification and isolation of faulty components, features that negatively affect performance, or features that do not provide the required controllability for debug and test. Another way to achieve this is through implementation of undocumented features.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (7)
The 6 most specific controls are listed first. The generic control, which addresses many weakness types, is listed separately after them.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-12 | Supply Chain Protection | SA | Requires transparency and verification of delivered components, limiting undocumented features or debug hooks introduced upstream. |
| SA-13 | Trustworthiness | SA | Discourages undocumented features or chicken bits by demanding transparency and verification that only intended, documented behavior is present. |
| SA-20 | Customized Development of Critical Components | SA | Developing critical components internally avoids undocumented features and chicken bits present in vendor hardware or software. |
| CM-8 | System Component Inventory | CM | Requiring an inventory that accurately reflects the system forces documentation of all components, making inclusion of undocumented features or chicken bits harder to achieve without detection. |
| PM-30 | Supply Chain Risk Management Strategy | PM | Review and update processes include scrutiny of undocumented features or debug mechanisms provided by component manufacturers. |
| SR-10 | Inspection of Systems or Components | SR | Inspection can uncover undocumented features or chicken bits that result from tampering or malicious insertion. |
Broadly applicable controls (1)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-21 | Developer Screening | SA | Requiring screened developers with proper access limits the introduction of undocumented features or debug 'chicken bits' that could be exploited later. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-55050 | 2.0 | 9.8 | 0.0006 | 2025-09-09 |
| CVE-2025-12176 | 2.0 | 9.8 | 0.0006 | 2025-10-24 |
| CVE-2023-3634 | 1.8 | 8.8 | 0.0010 | 2026-04-16 |
| CVE-2025-41756 | 1.6 | 8.1 | 0.0004 | 2026-03-09 |
| CVE-2024-52564 | 1.5 | 7.5 | 0.0024 | 2024-12-05 |
| CVE-2025-22450 | 1.5 | 7.5 | 0.0024 | 2025-01-22 |
| CVE-2026-24714 | 1.5 | 7.5 | 0.0010 | 2026-01-30 |
| CVE-2024-54457 | 1.4 | 7.2 | 0.0009 | 2024-12-18 |
| CVE-2024-2103 | 1.3 | 6.5 | 0.0008 | 2024-04-04 |
| CVE-2024-7011 | 1.3 | 6.5 | 0.0009 | 2024-09-27 |
| CVE-2025-41754 | 1.3 | 6.5 | 0.0002 | 2026-03-09 |
| CVE-2025-52548 | 1.0 | 4.9 | 0.0004 | 2025-09-02 |
| CVE-2017-20204 | 0.1 | 0.0 | 0.0087 | 2025-10-15 |
| CVE-2021-4469 | 0.0 | 0.0 | 0.0032 | 2025-11-14 |