CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
Mitigations (3)
Phase: Architecture and Design, Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system.
Phase: Architecture and Design. Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.
    import os

    # invalidUsername(), raisePrivileges() and lowerPrivileges() are helpers
    # assumed by the CWE example; they are not defined here.
    def makeNewUserDir(username):
        if invalidUsername(username):
            # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            # If os.mkdir() raises, this call is skipped and the program
            # keeps running with elevated privileges (the weakness shown here).
            lowerPrivileges()
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True
Bad · Python
The following example demonstrates the weakness.
    #include <unistd.h>

    seteuid(0);          /* raise to root */
    /* do some stuff */
    seteuid(getuid());   /* drop back to the real user; the return value is
                            never checked, so a failed drop leaves the
                            process running as root */
Bad · C
Values marked (AI) carried an "AI" badge on the original listing.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-64507 | Incus vulnerable to local privilege escalation through custom storage volumes | incus | 8.8 | - | 2025-11-10 |
| CVE-2025-12405 | Unauthorized access through stored credentials in Looker Studio | Looker Studio | 8.8 | - | 2025-11-10 |
| CVE-2025-64489 | SuiteCRM: Privilege Escalation via Improper Session Invalidation and Inactive User Bypass | SuiteCRM | 8.3 | High | 2025-11-08 |
| CVE-2025-64436 | KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes | kubevirt | 9.6 | - | 2025-11-07 |
| CVE-2025-12485 | Devolutions Server security vulnerability | Server | 8.1 | - | 2025-11-06 |
| CVE-2025-46364 | Dell CloudLink security vulnerability | CloudLin | 9.1 | Critical | 2025-11-05 |
| CVE-2025-12683 | NULL DACL assigned to Named Pipe communicating with SYSTEM Service | Everything | 7.8 (AI) | High (AI) | 2025-11-04 |
| CVE-2024-13997 | Nagios XI < 2024R1.1.3 Privilege Escalation via Migrate Server Feature to Root on Host | XI | 7.2 (AI) | High (AI) | 2025-11-03 |
| CVE-2025-8900 | Doccure Core < 1.5.4 - Unauthenticated Privilege Escalation | Doccure Core | 9.8 | Critical | 2025-11-03 |
| CVE-2025-8489 | King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor 24.12.92 - 51.1.14 - Unauthenticated Privilege Escalation | King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor | 9.8 | Critical | 2025-10-31 |
| CVE-2024-14009 | Nagios XI < 2024R1.0.1 Privilege Escalation via System Profile | XI | 7.2 (AI) | High (AI) | 2025-10-30 |
| CVE-2024-14004 | Nagios XI < 2024R1.2 Privilege Escalation via NagVis Configuration (nagvis.conf) | XI | 7.8 (AI) | High (AI) | 2025-10-30 |
| CVE-2025-12425 | Local Privilege Escalation | BLU-IC2 | 7.8 (AI) | High (AI) | 2025-10-28 |
| CVE-2025-12424 | Privilege Escalation through SUID-bit Binary | BLU-IC2 | 7.8 (AI) | High (AI) | 2025-10-28 |
| CVE-2025-1037 | Hitachi TropOS 4th Gen security vulnerability | TropOS 4th Gen | 8.8 (AI) | High (AI) | 2025-10-28 |
| CVE-2025-11086 | Academy LMS Pro <= 3.3.7 - Unauthenticated Privilege Escalation via Social Login Addon | Academy LMS Pro | 8.1 | High | 2025-10-22 |
| CVE-2025-5496 | Arbitrary File Deletion | Endpoint Central | 3.3 | Low | 2025-10-21 |
| CVE-2025-6042 | Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme <= 1.4.0 - Unauthenticated Privilege Escalation to Editor | Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme | 7.3 | High | 2025-10-15 |
| CVE-2025-9067 | Rockwell Automation FactoryTalk® Linx Privilege Escalation Vulnerabilities | FactoryTalk Linx | 7.8 (AI) | High (AI) | 2025-10-14 |
| CVE-2025-9068 | Rockwell Automation FactoryTalk® Linx Privilege Escalation Vulnerabilities | FactoryTalk Linx | 7.8 (AI) | High (AI) | 2025-10-14 |
| CVE-2025-11533 | WP Freeio <= 1.2.21 - Unauthenticated Privilege Escalation | WP Freeio | 9.8 | Critical | 2025-10-11 |
| CVE-2025-59247 | Azure PlayFab Elevation of Privilege Vulnerability | Azure PlayFab | 8.8 | High | 2025-10-09 |
| CVE-2025-11561 | Sssd: sssd default kerberos configuration allows privilege escalation on ad-joined linux systems | | 8.8 | High | 2025-10-09 |
| CVE-2025-61786 | Deno's --deny-read check does not prevent permission bypass | deno | 3.3 | Low | 2025-10-08 |
| CVE-2025-34251 | Tesla Telematics Control Unit (TCU) < v2025.14 Authentication Bypass | Telematics Control Unit (TCU) | 6.8 (AI) | Medium (AI) | 2025-10-06 |
| CVE-2025-10578 | HP Support Assistant - Potential Escalation of Privilege | HP Support Assistant | 7.8 (AI) | High (AI) | 2025-10-01 |
| CVE-2025-7779 | Acronis True Image security vulnerability | Acronis True Image | 7.8 (AI) | High (AI) | 2025-09-30 |
| CVE-2025-10657 | Docker Desktop with ECI Fails to Enforce Socket Command Restrictions | Docker Desktop | 7.2 | - | 2025-09-26 |
| CVE-2025-5494 | Privilege Escalation | Endpoint Central | 3.9 | Low | 2025-09-25 |
| CVE-2025-9966 | Execution with Unnecessary Privileges | P series (P07, P10, P12, P15) | 9.8 (AI) | Critical (AI) | 2025-09-23 |

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.