
CWE-732 (Incorrect Permission Assignment for Critical Resource) — Vulnerability Class, 447 entries

447 vulnerabilities classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). AI-generated Chinese analysis included.

CWE-732 represents a critical access control weakness where software assigns overly permissive security attributes to vital resources, such as files, directories, or registry keys. This misconfiguration allows unintended actors to read or modify data that should remain restricted, often leading to sensitive information disclosure or unauthorized system changes. Attackers typically exploit this by identifying these loose permissions to access confidential data or alter critical configurations, potentially escalating privileges or compromising system integrity. To prevent this, developers must adhere to the principle of least privilege, ensuring resources are accessible only to necessary processes and users. Rigorous code reviews, automated static analysis tools, and strict adherence to secure coding standards help identify and correct improper permission assignments before deployment, thereby safeguarding critical assets against unauthorized access and manipulation.

MITRE CWE Description
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. When a resource is given a permission setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured storage account for the cloud that can be read or written by a public or anonymous user.
Common Consequences (3)

Scope: Confidentiality
Impact: Read Application Data, Read Files or Directories
An attacker may be able to read sensitive information from the associated resource, such as credentials or configuration information stored in a file.

Scope: Access Control
Impact: Gain Privileges or Assume Identity
An attacker may be able to modify critical properties of the associated resource to gain privileges, such as replacing a world-writable executable with a Trojan horse.

Scope: Integrity, Other
Impact: Modify Application Data, Other
An attacker may be able to destroy or corrupt critical data in the associated resource, such as deletion of records from a database.
Mitigations (5)

Phase: Implementation
When using a critical resource such as a configuration file, check to see if the resource has insecure permissions (such as being modifiable by any regular user) [REF-62], and generate an error or even exit the software if there is a possibility that the resource could have been modified by an unauthorized party.

Phase: Architecture and Design
Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully defining distinct user groups, privileges, and/or roles. Map these against data, functionality, and the related resources. Then set the permissions accordingly. This will allow you to maintain more fine-grained control over your resources. [REF-207]
Effectiveness: Moderate

Phase: Architecture and Design, Operation
Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For ex…
Effectiveness: Limited

Phase: Implementation, Installation
During program startup, explicitly set the default permissions or umask to the most restrictive setting possible. Also set the appropriate permissions during program installation. This will prevent you from inheriting insecure permissions from any user who installs or runs the program.
Effectiveness: High

Phase: System Configuration
For all configuration files, executables, and libraries, make sure that they are only readable and writable by the software's administrator.
Effectiveness: High
Examples (2)

Example 1. The following code sets the umask of the process to 0 before creating a file and writing "Hello world" into the file.

Bad · C

```c
#include <stdio.h>
#include <sys/stat.h>

#define OUTFILE "hello.out"

int main(void) {
    /* Deliberately bad: a umask of 0 strips no permission bits from new files */
    umask(0);

    FILE *out;
    /* Ignore link following (CWE-59) for brevity */
    out = fopen(OUTFILE, "w");
    if (out) {
        fprintf(out, "hello world!\n");
        fclose(out);
    }
    return 0;
}
```

Result:

```
-rw-rw-rw- 1 username 13 Nov 24 17:58 hello.out
```

Example 2. This code creates a home directory for a new user, and makes that user the owner of the directory. If the new directory cannot be owned by the user, the directory is deleted.

Bad · PHP

```php
function createUserDir($username) {
    $path = '/home/' . $username;
    // Deliberately bad: no mode argument, so the directory gets the default
    // (umask-dependent) permissions, typically 0777 on a permissive umask
    if (!mkdir($path)) {
        return false;
    }
    if (!chown($path, $username)) {
        rmdir($path);
        return false;
    }
    return true;
}
```
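As an added example, not from MITRE or this page, here is the hardened counterpart of Example 1 in C: the file is created with an explicit owner-only mode regardless of the umask, and a startup check of the kind the first mitigation describes refuses a configuration file that group or other can write. The scratch path /tmp/cwe732_demo.out is a constructed placeholder.

```c
/* Added example, not from the page or MITRE: hardened counterpart of Example 1. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* lstat, fchmod, geteuid declarations */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file readable and writable by its owner only, whatever the umask.
 * O_CREAT|O_EXCL fails if anything (even a dangling symlink) already exists. */
int create_private_file(const char *path, const char *contents) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    /* the umask can only clear bits; fchmod pins the mode to exactly 0600 */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0 ||
        write(fd, contents, strlen(contents)) != (ssize_t)strlen(contents)) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Permission bits of a path (e.g. 0600), or -1 if it cannot be stat'ed. */
int perm_bits(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Startup check from the first mitigation: trust a config file only if it is
 * a regular file (not a symlink), owned by us or root, and not writable by
 * group or other. Returns 1 if trusted, 0 otherwise. */
int config_is_trusted(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != geteuid() && st.st_uid != 0) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;   /* others can modify it */
    return 1;
}

int main(void) {
    umask(0);                            /* same permissive umask as the bad example */
    unlink("/tmp/cwe732_demo.out");      /* constructed scratch path */
    if (create_private_file("/tmp/cwe732_demo.out", "hello world!\n") != 0) return 1;
    printf("mode %04o, trusted=%d\n", perm_bits("/tmp/cwe732_demo.out"),
           config_is_trusted("/tmp/cwe732_demo.out"));
    return 0;
}
```

Running it prints mode 0600 and trusted=1 even though the umask is 0; loosening the file to 0666 afterwards makes the startup check return 0.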
Values marked (AI) carry the site's AI badge.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2021-47742 | Epic Games Psyonix Rocket League <=1.95 Elevation of Privileges via Insecure Permissions | Epic Games Psyonix Rocket League | 8.8 | High | 2025-12-31 |
| CVE-2019-25245 | Ross Video DashBoard 8.5.1 Privilege Escalation via Insecure Permissions | DashBoard | 8.8 | High | 2025-12-24 |
| CVE-2025-13703 | VIPRE Advanced Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability | Advanced Security | 7.8 (AI) | High (AI) | 2025-12-23 |
| CVE-2022-50690 | Wondershare MirrorGo 2.0.11.346 Local Privilege Escalation via Insecure File Permissions | Wondershare MirrorGo | 8.4 | High | 2025-12-22 |
| CVE-2023-53949 | AspEmail 5.6.0.2 Local Privilege Escalation via Binary Permission Vulnerability | AspEmail | 8.4 | High | 2025-12-19 |
| CVE-2025-13941 | Foxit PDF Reader Update Service Incorrect Permission Assignment Local Privilege Escalation Vulnerability | Foxit PDF Reader | 8.8 | High | 2025-12-19 |
| CVE-2025-68462 | Freedombox Security Vulnerability | FreedomBox | 3.2 | Low | 2025-12-18 |
| CVE-2025-34288 | Nagios XI Privilege Escalation via Writable PHP Include Executed with Sudo | Nagios XI | 7.8 (AI) | High (AI) | 2025-12-16 |
| CVE-2025-13733 | BuhoNTFS 1.3.2 - Local Privilege Escalation | BuhoNTFS | 7.8 (AI) | High (AI) | 2025-12-12 |
| CVE-2025-40818 | Siemens SINEMA Remote Connect Server Security Vulnerability | SINEMA Remote Connect Server | 3.3 | Low | 2025-12-09 |
| CVE-2025-8148 | Improper Access Control in SFTP service of GoAnywhere MFT | GoAnywhere MFT | 4.2 | Medium | 2025-12-05 |
| CVE-2025-20387 | Incorrect permissions assignment on Splunk Universal Forwarder for Windows during new installation or upgrade | Splunk Enterprise | 8.0 | High | 2025-12-03 |
| CVE-2025-20386 | Incorrect permission assignment on Splunk Enterprise for Windows during new installation or upgrade | Splunk Enterprise | 8.0 | High | 2025-12-03 |
| CVE-2025-62575 | Mirion Medical EC2 Software NMIS BioDose Incorrect Permission Assignment for Critical Resource | EC2 Software NMIS BioDose | 8.3 | High | 2025-12-02 |
| CVE-2025-64298 | Mirion Medical EC2 Software NMIS BioDose Incorrect Permission Assignment for Critical Resource | EC2 Software NMIS BioDose | 8.4 | High | 2025-12-02 |
| CVE-2025-64642 | Mirion Medical EC2 Software NMIS BioDose Incorrect Permission Assignment for Critical Resource | EC2 Software NMIS BioDose | 8.0 | High | 2025-12-02 |
| CVE-2025-59373 | ASUS MyASUS Security Vulnerability | MyASUS | 7.8 (AI) | High (AI) | 2025-11-25 |
| CVE-2025-11921 | iStat Menus 7.10.4 - Local Privilege Escalation | iStats | 7.8 (AI) | High (AI) | 2025-11-24 |
| CVE-2025-64996 | Overly broad file permissions in the mk_inotify plugin allows reading and manipulating the plugin's output | Checkmk | 7.1 (AI) | High (AI) | 2025-11-18 |
| CVE-2025-34323 | Nagios Log Server < 2026R1.0.1 Local Privilege Escalation via Writable Scripts and Sudo Rules | Log Server | 7.8 (AI) | High (AI) | 2025-11-17 |
| CVE-2024-32014 | Siemens Spectrum Power Security Vulnerability | Spectrum Power 4 | 4.7 | Medium | 2025-11-11 |
| CVE-2024-32010 | Siemens Spectrum Power Security Vulnerability | Spectrum Power 4 | 7.8 | High | 2025-11-11 |
| CVE-2025-6779 | AXIS OS Security Vulnerability | AXIS OS | 6.7 | Medium | 2025-11-11 |
| CVE-2025-64322 | Salesforce Agentforce Vibes Extension Security Vulnerability | Agentforce Vibes Extension | 8.8 (AI) | High (AI) | 2025-11-04 |
| CVE-2025-64319 | Salesforce Mulesoft Anypoint Code Builder Security Vulnerability | Mulesoft Anypoint Code Builder | 8.8 (AI) | High (AI) | 2025-11-04 |
| CVE-2025-4952 | Denial-of-service vulnerability in ESET security products for Windows | ESET NOD32 Antivirus | 9.1 | - | 2025-10-31 |
| CVE-2025-34287 | Nagios XI < 2024R2 Privilege Escalation via process_perfdata.pl | XI | 7.8 (AI) | High (AI) | 2025-10-30 |
| CVE-2025-34135 | Nagios XI < 2024R1.4.2 Overly Permissive Permissions on Systemd Unit Files | XI | 7.8 (AI) | High (AI) | 2025-10-30 |
| CVE-2025-11906 | Privilege escalation via writable configuration files in Progress Flowmon | Flowmon | 6.7 | Medium | 2025-10-30 |
| CVE-2025-54546 | On affected platforms, restricted users could use SSH port forwarding to access host-internal services | DANZ Monitoring Fabric | 7.5 | High | 2025-10-29 |

Vulnerabilities classified as CWE-732 (Incorrect Permission Assignment for Critical Resource) represent 447 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.