CWE-507 - Trojan Horse

CWE ID:

CWE-507

Abstraction:Base
Structure:Simple
Status:Incomplete

Release Date:2006-07-19
Latest Modification Date:2024-07-16

Weakness Name

Trojan Horse

Description

The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator.

Common Consequences

Scope: Confidentiality, Integrity, Availability

Impact: Execute Unauthorized Code or Commands

Related Weaknesses

CWE-506Embedded Malicious Code

Latest Security News

Max severity RCE flaw discovered in widely used Apache Parquet
Hunters International shifts from ransomware to pure data extortion
Microsoft starts testing Windows 11 taskbar icon scaling
CISA warns of Fast Flux DNS evasion used by cybercrime gangs
Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457)
Ivanti patches Connect Secure zero-day exploited since mid-March
Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware
Texas State Bar warns of data breach after INC ransomware claims attack
Oracle privately confirms Cloud breach to customers
Recent GitHub supply chain attack traced to leaked SpotBugs token

Latest CVE List

CVE-2025-24813 Apache Tomcat Path Equivalence Vulnerability
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability

Top Alert List

CSP
Content Security Policy (CSP) Header Not Set
MediumAbsence of Anti-CSRF Tokens
MediumMissing Anti-clickjacking Header
InformationalInformation Disclosure - Suspicious Comments
LowCross-Domain JavaScript Source File Inclusion
MediumContent Security Policy (CSP) Header Not Set
LowTimestamp Disclosure - Unix
LowCSP: X-Content-Security-Policy
InformationalRe-examine Cache-control Directives

Common CWEs

HighCWE-640 Weak Password Recovery Mechanism for Forgotten Password
HighCWE-770 Allocation of Resources Without Limits or Throttling
CWE-344 Use of Invariant Value in Dynamically Changing Context
CWE-266 Incorrect Privilege Assignment
MediumCWE-484 Omitted Break Statement in Switch
CWE-1106 Insufficient Use of Symbolic Constants
CWE-45 Path Equivalence: 'file...name' (Multiple Internal Dot)
LowCWE-479 Signal Handler Use of a Non-reentrant Function
MediumCWE-1022 Use of Web Link to Untrusted Target with window.opener Access
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')