CWE · MITRE source
CWE-1242: Inclusion of Undocumented Features or Chicken Bits
The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.
A common design practice is to use undocumented bits on a device that can be used to disable certain functional security features. These bits are commonly referred to as "chicken bits". They can facilitate quick identification and isolation of faulty components, features that negatively affect performance, or features that do not provide the required controllability for debug and test. Another way to achieve this is through implementation of undocumented features.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 3 mapping(s) from 2 framework(s): CAPEC 2 (mostly) · ASVS 5.0 1 (partial)
NIST 800-53 r5 controls that address this weakness (7)
Showing the 6 most specific. Generic controls that address many weakness types are listed separately below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-12 | Supply Chain Protection | SA | Requires transparency and verification of delivered components, limiting undocumented features or debug hooks introduced upstream. |
| SA-13 | Trustworthiness | SA | Discourages undocumented features or chicken bits by demanding transparency and verification that only intended, documented behavior is present. |
| SA-20 | Customized Development of Critical Components | SA | Developing critical components internally avoids undocumented features and chicken bits present in vendor hardware or software. |
| CM-8 | System Component Inventory | CM | Requiring an inventory that accurately reflects the system forces documentation of all components, making inclusion of undocumented features or chicken bits harder to achieve without detection. |
| PM-30 | Supply Chain Risk Management Strategy | PM | Review and update processes include scrutiny of undocumented features or debug mechanisms provided by component manufacturers. |
| SR-10 | Inspection of Systems or Components | SR | Inspection can uncover undocumented features or chicken bits that result from tampering or malicious insertion. |

1 more broadly applicable control:
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-21 | Developer Screening | SA | Requiring screened developers with proper access limits the introduction of undocumented features or debug 'chicken bits' that could be exploited later. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-55050 | 7.0 | 9.8 | 0.0032 | 2025-09-09 |
| CVE-2025-12176 | 7.0 | 9.8 | 0.0031 | 2025-10-24 |
| CVE-2024-52564 | 5.5 | 7.5 | 0.0058 | 2024-12-05 |
| CVE-2024-54457 | 5.5 | 7.2 | 0.0040 | 2024-12-18 |
| CVE-2025-22450 | 5.5 | 7.5 | 0.0037 | 2025-01-22 |
| CVE-2026-24714 | 5.5 | 7.5 | 0.0023 | 2026-01-30 |
| CVE-2025-41756 | 5.5 | 8.1 | 0.0033 | 2026-03-09 |
| CVE-2023-3634 | 5.5 | 8.8 | 0.0050 | 2026-04-16 |
| CVE-2024-2103 UPD | 3.5 | 6.5 | 0.0046 | 2024-04-04 |
| CVE-2024-7011 | 3.5 | 6.5 | 0.0031 | 2024-09-27 |
| CVE-2025-52548 UPD | 3.5 | 4.9 | 0.0033 | 2025-09-02 |
| CVE-2025-41754 | 3.5 | 6.5 | 0.0033 | 2026-03-09 |