
CWE-272 (Least Privilege Violation) — Vulnerability Class 20

20 vulnerabilities classified as CWE-272 (Least Privilege Violation). AI-generated Chinese analysis is included.

CWE-272 is an implementation weakness in which a process keeps elevated privileges after the one operation that needed them. The typical pattern is a program that runs as root to perform a privileged step, such as chroot() or a file system modification, and then continues handling untrusted input without dropping to an unprivileged user. The lingering privilege does nothing on its own; combined with any other bug in the now-root code path (a buffer overflow, a path traversal), it turns a contained fault into privilege escalation, access to sensitive data or arbitrary code execution, because the boundary that was supposed to limit the damage never takes effect. The mitigation is the principle of least privilege applied to the process lifecycle: acquire only the rights each step needs, drop them immediately and irrevocably once the step is done (on POSIX systems that means the saved uid as well as the real and effective ones, otherwise the drop can be undone), sandbox what remains, and treat the privilege drop as an explicit item in code review.

MITRE CWE Description
The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
Common Consequences (1)
Scope: Access Control, Confidentiality. Impact: Gain Privileges or Assume Identity; Read Application Data; Read Files or Directories.
An attacker may be able to access resources with the elevated privilege that could not be accessed with the attacker's original privileges. This is particularly likely in conjunction with another flaw, such as a buffer overflow.
Mitigations (3)
Phase: Architecture and Design, Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system.
Phase: Architecture and Design. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Examples (2)
The following example demonstrates the weakness (Bad · C). Everything between the two setuid() calls runs as root:

```c
setuid(0);
// Do some important stuff (runs with root privileges)
setuid(old_uid);
// Do some non privileged stuff.
```

The following example demonstrates the weakness (Bad · Java). All code inside run() executes with the caller's full privileges, so the privileged block should contain only the operation that needs them:

```java
AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
        // privileged code goes here, for example:
        System.loadLibrary("awt");
        return null; // nothing to return
    }
});
```
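Added example, not code from the CWE entry or from any product in the table below: a Linux C program that puts the CWE-272 shape next to its fix. The vulnerable path performs the privileged step (chroot()) and keeps running as root; the fixed path drops supplementary groups, gid and uid immediately afterwards, sets the saved ids too so the drop cannot be reversed (the classic mistake is seteuid(old_uid), which leaves the saved uid at 0), and refuses to continue unless a self-check confirms that setuid(0) now fails with EPERM. It goes beyond the page's setuid snippet in showing the permanent drop and the post-drop verification. The function names, and the choice of uid/gid 65534 as the unprivileged account, are assumptions.

```c
/* Added example (not from the CWE entry or any product on this page).
 * Assumes Linux (setresuid/setresgid/setgroups) and that uid/gid 65534 is
 * an unprivileged account ("nobody" on most distributions). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated in case _GNU_SOURCE was not in effect for <unistd.h>. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

#define UNPRIV_ID 65534 /* assumed unprivileged uid/gid for the demo */

/* Permanently drop to uid/gid. Returns 0 on success, -1 on failure; the
 * caller must abort on failure rather than keep running as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while we still hold CAP_SETGID. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: once the uid is gone, changing gid is no longer allowed. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    /* Set real, effective AND saved uid so a later setuid(0) cannot undo this.
     * seteuid(old_uid) from a root process would leave the saved uid at 0. */
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 only if the drop is real: all three uids and gids match the
 * target, the target is not root, and regaining root fails with EPERM. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid == 0)
        return 0; /* "dropping" to root is not a drop */
    errno = 0;
    if (setuid(0) == 0 || errno != EPERM)
        return 0; /* root came back, or an unexpected error */
    return 1;
}

/* CWE-272 shape: privileged operation, then keep processing as root. */
int serve_vulnerable(const char *jail)
{
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    /* ... parse untrusted input here, still as root: any bug is a root bug ... */
    return 0;
}

/* Fixed shape: same privileged operation, then drop immediately and verify. */
int serve_fixed(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    if (drop_privileges(uid, gid) != 0 || !privileges_dropped(uid, gid))
        return -1; /* refuse to continue rather than run as root */
    /* ... parse untrusted input here as an unprivileged user ... */
    return 0;
}

/* Exercises the drop without a chroot: as root, drop to UNPRIV_ID; as an
 * ordinary user, "drop" to our own ids (a no-op that still proves setuid(0)
 * is refused). Returns 1 when the post-drop checks pass. */
int demo_drop(void)
{
    uid_t uid = getuid() == 0 ? UNPRIV_ID : getuid();
    gid_t gid = getuid() == 0 ? UNPRIV_ID : getgid();
    if (drop_privileges(uid, gid) != 0)
        return 0;
    return privileges_dropped(uid, gid);
}

int main(void)
{
    int ok = demo_drop();
    printf("privileges dropped and unrecoverable: %s\n", ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

Run it as root to see the real drop to 65534; as an ordinary user it drops to its own ids and still shows that root cannot be acquired. serve_vulnerable() and serve_fixed() need root for chroot() and are there only to put the two shapes side by side; the order groups, gid, uid matters because each later step removes the capability the earlier one needed.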
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-32655 | Dell Alienware Command Center Security Vulnerability | Alienware Command Center (AWCC) | 5.3 | Medium | 2026-04-27 |
| CVE-2025-9711 | Privilege escalation in Brocade Fabric OS before 9.2.1c3, and 9.2.2 through 9.2.2b | Fabric OS | 8.4 (AI) | High (AI) | 2026-02-03 |
| CVE-2025-59106 | Web Server Running with Root Privileges in dormakaba access manager | Access Manager 92xx-k7 | 8.4 (AI) | High (AI) | 2026-01-26 |
| CVE-2026-23634 | Pepr Overly Permissive RBAC ClusterRole in Admin Mode | pepr | - | - | 2026-01-16 |
| CVE-2025-68267 | JetBrains TeamCity Security Vulnerability | TeamCity | 6.5 | Medium | 2025-12-16 |
| CVE-2025-8758 | TRENDnet TEW-822DRE vsftpd least privilege violation | TEW-822DRE | 7.0 | High | 2025-08-09 |
| CVE-2025-8757 | TRENDnet TV-IP110WN Embedded Boa Web Server boa.conf least privilege violation | TV-IP110WN | 7.0 | High | 2025-08-09 |
| CVE-2025-8181 | TOTOLINK N600R/X2000R FTP Service vsftpd.conf least privilege violation | N600R | 7.2 | High | 2025-07-26 |
| CVE-2025-7722 | Social Streams <= 1.2.1 - Authenticated (Subscriber+) Privilege Escalation | Social Streams | 8.8 | High | 2025-07-23 |
| CVE-2025-1384 | Least Privilege Violation Vulnerability in the communications functions of NJ/NX-series Machine Automation Controllers | Machine Automation Controller NJ-series | 7.0 | High | 2025-07-13 |
| CVE-2025-49144 | Notepad++ Privilege Escalation in Installer via Uncontrolled Executable Search Path | notepad-plus-plus | 7.3 | High | 2025-06-23 |
| CVE-2025-47809 | Wibu CodeMeter Security Vulnerability | CodeMeter | 8.2 | High | 2025-05-16 |
| CVE-2024-28829 | Privilege escalation in mk_informix plugin | Checkmk | 7.8 (AI) | High (AI) | 2024-08-20 |
| CVE-2024-27165 | Local Privilege Escalation | Toshiba Tec e-Studio multi-function peripheral (MFP) | 7.8 | High | 2024-06-14 |
| CVE-2024-28824 | Privilege escalation in mk_informix plugin | Checkmk | 8.8 | High | 2024-03-22 |
| CVE-2024-0638 | Privilege escalation in mk_oracle plugins | Checkmk | 8.2 | High | 2024-03-22 |
| CVE-2024-0798 | Privilege Escalation in mintplex-labs/anything-llm | mintplex-labs/anything-llm | 4.9 | - | 2024-02-25 |
| CVE-2023-32451 | Dell Display Manager Security Vulnerability | Dell Display Manager | 7.3 | High | 2024-02-06 |
| CVE-2023-28047 | Dell Display Manager Security Vulnerability | Dell Display Manager | 7.3 | High | 2023-04-20 |
| CVE-2023-28046 | Dell Display Manager Security Vulnerability | Dell Display Manager | 6.6 | Medium | 2023-04-06 |

(AI) reproduces the page's marker on that score and severity; - means no value was listed.

Vulnerabilities classified as CWE-272 (Least Privilege Violation) represent 20 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.