CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI-generated Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Common Consequences (1)
Access Control: Gain Privileges or Assume Identity

Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Follow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.

    def makeNewUserDir(username):
        if invalidUsername(username):
            # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            # if os.mkdir() raises, lowerPrivileges() is never reached and the
            # program keeps running with elevated privileges
            lowerPrivileges()
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python

The following example demonstrates the weakness.

    seteuid(0);
    /* do some stuff */
    seteuid(getuid());

Bad · C
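The flaw shared by both MITRE examples is that the privilege drop is not guaranteed on every exit path. The following added example (not from MITRE or the original page) reproduces the Python example with a simulated privilege state and an injectable mkdir, so it runs without root, and places the hardened try/finally form beside it; PrivState, failing_mkdir and run_demo are constructed for the demonstration.

```python
class PrivState:
    """Simulated effective UID (constructed stand-in for seteuid); 0 = root."""
    def __init__(self):
        self.euid = 1000

    def raise_privileges(self):
        self.euid = 0

    def lower_privileges(self):
        self.euid = 1000


def invalid_username(username):
    # Reject separators and shell metacharacters (the CWE-22 / CWE-78 guard).
    return not username.isalnum()


def make_new_user_dir_bad(priv, mkdir, username):
    """Mirrors the flawed example: an OSError skips lower_privileges()."""
    if invalid_username(username):
        return False
    try:
        priv.raise_privileges()
        mkdir('/home/' + username)
        priv.lower_privileges()      # never reached when mkdir raises
    except OSError:
        return False
    return True


def make_new_user_dir_fixed(priv, mkdir, username):
    """Hardened form: privileges are dropped on every exit path."""
    if invalid_username(username):
        return False
    try:
        priv.raise_privileges()
        try:
            mkdir('/home/' + username)
        finally:
            priv.lower_privileges()  # runs whether mkdir succeeded or raised
    except OSError:
        return False
    return True


def failing_mkdir(path):
    # Constructed failure: simulates a directory that already exists.
    raise OSError("simulated: %s already exists" % path)


def run_demo():
    """Returns the euid each version leaves behind after a failed mkdir."""
    bad, fixed = PrivState(), PrivState()
    make_new_user_dir_bad(bad, failing_mkdir, "alice")
    make_new_user_dir_fixed(fixed, failing_mkdir, "alice")
    return bad.euid, fixed.euid      # (0, 1000): the bad version is still root
```

The same pattern applies to the C example: a signal handler, early return or error between seteuid(0) and seteuid(getuid()) leaves the process running as root, so the drop belongs in a cleanup path that is executed unconditionally.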
CVE ID | Title | CVSS | Severity | Published
CVE-2025-7784 | Org.keycloak/keycloak-services: privilege escalation in keycloak admin console (fgapv2 enabled) | 6.5 | Medium | 2025-07-18
CVE-2025-7341 | HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Deletion — HT Contact Form – Drag & Drop Form Builder for WordPress | 9.1 | Critical | 2025-07-15
CVE-2025-50124 | Schneider Electric EcoStruxure IT Data Center Expert security vulnerability — EcoStruxure™ IT Data Center Expert | 8.8 (AI) | High (AI) | 2025-07-11
CVE-2025-5028 | Arbitrary file deletion vulnerability in ESET product installers — ESET NOD32 Antivirus | 7.1 (AI) | High (AI) | 2025-07-11
CVE-2025-6759 | Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges — Windows Virtual Delivery Agent for CVAD and Citrix DaaS | 7.8 (AI) | High (AI) | 2025-07-08
CVE-2025-43019 | HP Support Assistant – Potential Escalation of Privilege — HP Support Assistant | 7.8 (AI) | High (AI) | 2025-07-08
CVE-2025-24006 | Privilege Escalation via Insecure SSH Permissions — CHARX SEC-3150 | 7.8 | High | 2025-07-08
CVE-2025-6943 | Delinea Secret Server security vulnerability — Secret Server | 3.8 | Low | 2025-07-02
CVE-2025-36630 | Local Privilege Escalation — Nessus | 8.4 | High | 2025-07-01
CVE-2025-6934 | Opal Estate Pro <= 1.7.5 - Unauthenticated Privilege Escalation via 'on_regiser_user' — Opal Estate Pro – Property Management and Submission | 9.8 | Critical | 2025-07-01
CVE-2025-52555 | CephFS Permission Escalation Vulnerability in Ceph Fuse mounted FS — ceph | 6.5 | Medium | 2025-06-26
CVE-2025-37101 | HPE OneView for VMware vCenter (OV4VC), Local Elevation of Privilege — HPE OneView for VMware vCenter | 8.7 | High | 2025-06-26
CVE-2025-4334 | Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation — Simple User Registration | 9.8 | Critical | 2025-06-26
CVE-2025-20282 | Cisco ISE API Unauthenticated Remote Code Execution Vulnerability — Cisco Identity Services Engine Software | 10.0 | Critical | 2025-06-25
CVE-2025-39202 | Hitachi MicroSCADA X SYS600 security vulnerability — MicroSCADA X SYS600 | 7.3 | High | 2025-06-24
CVE-2025-49157 | Trend Micro Apex One Damage Cleanup Engine security vulnerability — Trend Micro Apex One | 7.8 | High | 2025-06-17
CVE-2025-49156 | Trend Micro Apex One security vulnerability — Trend Micro Apex One | 7.0 | High | 2025-06-17
CVE-2025-0320 | Citrix Secure Access - Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges — Secure Access Client for Windows | 7.8 (AI) | High (AI) | 2025-06-17
CVE-2025-4879 | Citrix Workspace App for Windows - Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges — Workspace App for Windows | 7.8 (AI) | High (AI) | 2025-06-17
CVE-2025-36631 | Local Privilege Escalation — Agent | 8.4 | High | 2025-06-13
CVE-2025-36633 | Local Privilege Escalation — Agent | 8.8 | High | 2025-06-13
CVE-2025-5491 | Acer ControlCenter - Remote Code Execution — ControlCenter | 8.8 | High | 2025-06-13
CVE-2025-4315 | CubeWP – All-in-One Dynamic Content Framework <= 1.1.23 - Authenticated (Subscriber+) Privilege Escalation — CubeWP Framework | 8.8 | High | 2025-06-11
CVE-2025-22829 | Apache CloudStack: Unauthorised access to dedicated resources in Quota plugin — Apache CloudStack | 4.3 (AI) | Medium (AI) | 2025-06-10
CVE-2025-47849 | Apache CloudStack: Insecure access of user's API/Secret Keys in the same domain — Apache CloudStack | 7.2 (AI) | High (AI) | 2025-06-10
CVE-2025-47713 | Apache CloudStack: Domain Admin can reset Admin password in Root Domain — Apache CloudStack | 7.2 (AI) | High (AI) | 2025-06-10
CVE-2025-47955 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability — Windows 10 Version 1507 | 7.8 | High | 2025-06-10
CVE-2025-33067 | Windows Task Scheduler Elevation of Privilege Vulnerability — Windows 10 Version 1507 | 8.4 | High | 2025-06-10
CVE-2025-22254 | Multiple Fortinet products security vulnerability — FortiOS | 6.5 | Medium | 2025-06-10
CVE-2024-41797 | Multiple Siemens products security vulnerability — RUGGEDCOM RST2428P | 4.3 | Medium | 2025-06-10

(AI) marks a CVSS score and severity that the original listing tags as AI-assessed rather than vendor- or NVD-assigned.

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.