CWE-1280 Base Incomplete

Access Control Check Implemented After Asset is Accessed

This vulnerability occurs when a hardware-based security check runs after the protected resource has already been accessed, creating a dangerous timing window.

Definition

What is CWE-1280?

This vulnerability occurs when a hardware-based security check runs after the protected resource has already been accessed, creating a dangerous timing window.
In secure systems, hardware-based access control (like memory or I/O protection) must be verified before any access is granted. This flaw breaks that fundamental rule by allowing the asset to be accessed first, with the permission check happening as a separate, non-atomic step. This creates a critical race condition where an attacker can exploit the gap between access and authorization. For developers, this means the security check is effectively bypassed because the system acts first and asks for permission later. To fix this, the access control verification must be made atomic with the access operation itself, ensuring the check is an inseparable gatekeeper that always completes successfully before any data or hardware resource is exposed.
Real-world impact

Real-world CVEs caused by CWE-1280

No public CVE references are linked to this CWE in MITRE's catalog yet.

How attackers exploit it

Step-by-step attacker path

  1. 1

    Assume that the module foo_bar implements a protected register. The register content is the asset. Only transactions made by user id (indicated by signal usr_id) 0x4 are allowed to modify the register contents. The signal grant_access is used to provide access.

  2. 2

    This code uses Verilog blocking assignments for data_out and grant_access. Therefore, these assignments happen sequentially (i.e., data_out is updated to new value first, and grant_access is updated the next cycle) and not in parallel. Therefore, the asset data_out is allowed to be modified even before the access control check is complete and grant_access signal is set. Since grant_access does not have a reset value, it will be meta-stable and will randomly go to either 0 or 1.

  3. 3

    Flipping the order of the assignment of data_out and grant_access should solve the problem. The correct snippet of code is shown below.

Vulnerable code example

Vulnerable Verilog

Assume that the module foo_bar implements a protected register. The register content is the asset. Only transactions made by user id (indicated by signal usr_id) 0x4 are allowed to modify the register contents. The signal grant_access is used to provide access.

Vulnerable Verilog 
module foo_bar(data_out, usr_id, data_in, clk, rst_n);
 output reg [7:0] data_out;
 input wire [2:0] usr_id;
 input wire [7:0] data_in; 
 input wire clk, rst_n;
 wire grant_access;
 always @ (posedge clk or negedge rst_n)
 begin

```
   if (!rst_n)
  	 data_out = 0; 
   else 
  	 data_out = (grant_access) ? data_in : data_out;
  	 assign grant_access = (usr_id == 3'h4) ? 1'b1 : 1'b0;
 end
 endmodule
Secure code example

Secure Verilog

Flipping the order of the assignment of data_out and grant_access should solve the problem. The correct snippet of code is shown below.

Secure Verilog 
always @ (posedge clk or negedge rst_n)
 begin

```
   if (!rst_n)
  	 data_out = 0;
   else
  	 assign grant_access = (usr_id == 3'h4) ? 1'b1 : 1'b0;
  	 data_out = (grant_access) ? data_in : data_out;
 end
 endmodule
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-1280

  • Implementation Implement the access control check first. Access should only be given to asset if agent is authorized.
Detection signals

How to detect CWE-1280

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-1280 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-1280?

This vulnerability occurs when a hardware-based security check runs after the protected resource has already been accessed, creating a dangerous timing window.

How serious is CWE-1280?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-1280?

MITRE lists the following affected platforms: Verilog, VHDL, Not OS-Specific, Not Architecture-Specific, Not Technology-Specific.

How can I prevent CWE-1280?

Implement the access control check first. Access should only be given to asset if agent is authorized.

How does Plexicus detect and fix CWE-1280?

Plexicus's SAST engine matches the data-flow signature for CWE-1280 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-1280?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/1280.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-1280

CWE-696 Parent

Incorrect Behavior Order

This weakness occurs when a system executes multiple dependent actions in the wrong sequence, leading to unexpected and potentially…

CWE-1190 Sibling

DMA Device Enabled Too Early in Boot Phase

This vulnerability occurs when a device with Direct Memory Access (DMA) capability is activated before the system's security settings are…

CWE-1193 Sibling

Power-On of Untrusted Execution Core Before Enabling Fabric Access Control

This vulnerability occurs when a system powers up hardware components containing untrusted firmware before establishing critical security…

CWE-1279 Sibling

Cryptographic Operations are run Before Supporting Units are Ready

This vulnerability occurs when cryptographic processes start before their required dependencies are properly initialized and ready to…

CWE-179 Sibling

Incorrect Behavior Order: Early Validation

This vulnerability occurs when an application validates user input before applying security filters or data normalization. Attackers can…

CWE-408 Sibling

Incorrect Behavior Order: Early Amplification

This vulnerability occurs when a system allows a user to trigger a resource-intensive operation before verifying their identity or…

CWE-551 Sibling

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

This vulnerability occurs when a web server checks access permissions before fully processing and normalizing a URL, potentially allowing…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.