CWE · MITRE source
CWE-912: Hidden Functionality
The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.
Hidden functionality can take many forms, such as intentionally malicious code, "Easter Eggs" that contain extraneous functionality such as games, developer-friendly shortcuts that reduce maintenance or support costs such as hard-coded accounts, etc. From a security perspective, even when the functionality is not intentionally malicious or damaging, it can increase the product's attack surface and expose additional weaknesses beyond what is already exposed by the intended functionality. Even if it is not easily accessible, the hidden functionality could be useful for attacks that modify the control flow of the application.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (17)
Showing the 14 most specific controls first. Generic controls that address many weakness types are listed separately below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-10 | Developer Configuration Management | SA | Change control, approval gates, and flaw tracking force hidden functionality to be either documented or discovered and removed. |
| SA-12 | Supply Chain Protection | SA | Vetting and integrity controls during acquisition reduce the likelihood of hidden backdoors or malicious functionality introduced by suppliers. |
| SA-13 | Trustworthiness | SA | Addresses hidden functionality by mandating evidence that the system or component contains no undocumented or unauthorized capabilities that could be exploited. |
| SR-10 | Inspection of Systems or Components | SR | Inspection can reveal hidden functionality that an attacker has introduced via tampering or unauthorized modification. |
| SR-11 | Component Authenticity | SR | Policies that verify component provenance make introduction of hidden or undocumented functionality materially harder. |
| SR-4 | Provenance | SR | Provenance tracking of components reveals hidden functionality introduced via supply chain or build processes. |
| RA-10 | Threat Hunting | RA | Hunting identifies hidden functionality used for persistence or evasion after initial compromise. |
| RA-6 | Technical Surveillance Countermeasures Survey | RA | TSCM surveys discover and eliminate hidden surveillance functionality that would otherwise remain undetected in the environment. |
| CM-8 | System Component Inventory | CM | Documenting every system component at the required granularity and reviewing the inventory detects or prevents hidden functionality from remaining undetected. |
| CP-10 | System Recovery and Reconstitution | CP | Recovery eliminates hidden functionality or backdoors introduced during compromise. |
| PM-30 | Supply Chain Risk Management Strategy | PM | Policy requires supplier transparency and testing to detect hidden functionality or backdoors inserted in the supply chain. |
| PS-2 | Position Risk Designation | PS | Screening high-risk technical positions lowers the probability that hidden functionality or backdoors will be added by authorized personnel. |
| SC-25 | Thin Nodes | SC | Constrained functionality and storage surface leave little room for hidden or undocumented functionality. |
| SI-14 | Non-persistence | SI | Hidden or unauthorized functionality introduced at runtime cannot survive instance termination, neutralizing the value of such concealed code. |

3 more broadly applicable controls:

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-20 | Customized Development of Critical Components | SA | Custom reimplementation prevents hidden functionality or backdoors that may exist in commercial or open-source components. |
| SA-21 | Developer Screening | SA | Personnel screening makes it harder for an attacker to place a developer who will introduce hidden functionality or covert channels. |
| SR-5 | Acquisition Strategies, Tools, and Methods | SR | Supply-chain controls such as supplier audits and functional verification requirements make insertion of hidden or undocumented functionality harder to achieve undetected. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-20439 (KEV) | 9.1 | 9.8 | 0.8631 | 2024-09-04 |
| CVE-2010-20103 | 7.1 | 9.8 | 0.8508 | 2025-08-20 |
| CVE-2011-10018 | 5.1 | 9.8 | 0.5300 | 2025-08-13 |
| CVE-2021-25371 (KEV) | 3.3 | 6.1 | 0.0162 | 2021-03-26 |
| CVE-2025-34117 | 3.0 | 0.0 | 0.5030 | 2025-07-16 |
| CVE-2025-47729 (KEV) | 2.6 | 1.9 | 0.0415 | 2025-05-08 |
| CVE-2020-16204 | 2.2 | 9.8 | 0.0324 | 2020-09-01 |
| CVE-2021-24867 | 2.2 | 9.8 | 0.0476 | 2022-02-21 |
| CVE-2024-6045 | 2.2 | 8.8 | 0.0762 | 2024-06-17 |
| CVE-2023-40158 | 2.1 | 8.8 | 0.0497 | 2023-08-23 |
| CVE-2024-45697 | 2.1 | 9.8 | 0.0221 | 2024-09-16 |
| CVE-2020-12504 | 2.0 | 9.8 | 0.0055 | 2020-10-15 |
| CVE-2021-43987 | 2.0 | 9.8 | 0.0023 | 2021-12-23 |
| CVE-2022-3203 | 2.0 | 9.8 | 0.0037 | 2022-10-21 |
| CVE-2022-46996 | 2.0 | 9.8 | 0.0071 | 2022-12-14 |
| CVE-2022-46997 | 2.0 | 9.8 | 0.0071 | 2022-12-14 |
| CVE-2022-47767 | 2.0 | 9.8 | 0.0048 | 2023-01-26 |
| CVE-2023-24108 | 2.0 | 9.8 | 0.0056 | 2023-02-22 |
| CVE-2024-28011 | 2.0 | 9.8 | 0.0043 | 2024-03-28 |
| CVE-2024-5514 | 2.0 | 9.8 | 0.0023 | 2024-05-30 |
| CVE-2024-39754 | 2.0 | 10.0 | 0.0025 | 2025-01-14 |
| CVE-2026-3587 | 2.0 | 10.0 | 0.0013 | 2026-03-23 |
| CVE-2026-33280 | 2.0 | 9.8 | 0.0010 | 2026-03-27 |
| CVE-2026-1952 | 2.0 | 9.8 | 0.0005 | 2026-04-24 |
| CVE-2026-41446 | 2.0 | 9.8 | 0.0008 | 2026-04-28 |