Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-520 (.NET误配置:使用伪装) — Vulnerability Class 2

2 vulnerabilities classified as CWE-520 (.NET误配置:使用伪装). AI Chinese analysis included.

CWE-520 represents a critical configuration weakness in .NET applications where developers improperly enable impersonation, allowing the application to execute with the identity of the authenticated client rather than a restricted service account. This misconfiguration is typically exploited by attackers who, after gaining initial access or valid credentials, leverage the impersonation feature to bypass application-level access controls. By assuming the client’s identity, malicious actors can escalate privileges to access sensitive file systems, databases, or operating system resources that would otherwise remain protected. To mitigate this risk, developers must strictly disable impersonation in configuration files unless absolutely necessary for specific business logic. When required, they should implement granular least-privilege principles, ensuring the impersonated identity holds only the minimal permissions needed, thereby preventing unauthorized escalation and limiting the blast radius of potential security breaches.

MITRE CWE Description
Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. .NET server applications can optionally execute using the identity of the user authenticated to the client. The intention of this functionality is to bypass authentication and access control checks within the .NET application code. Authentication is done by the underlying web server (Microsoft Internet Information Service IIS), which passes the authenticated token, or unauthenticated anonymous token, to the .NET application. Using the token to impersonate the client, the application then relies on the settings within the NTFS directories and files to control access. Impersonation enables the application, on the server running the .NET application, to both execute code and access resources in the context of the authenticated and authorized user.
Common Consequences (1)
Access ControlGain Privileges or Assume Identity
Mitigations (1)
OperationRun the application with limited privilege to the underlying operating and file system.
CVE IDTitleCVSSSeverityPublished
CVE-2026-2450 upKeeper Instant Privilege Access 安全漏洞 — upKeeper Instant Privilege Access 9.8 -2026-04-14
CVE-2019-25608 Iperius Backup 6.1.0 Privilege Escalation via Backup Job — Iperius Backup 8.4 High2026-03-22

Vulnerabilities classified as CWE-520 (.NET误配置:使用伪装) represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.