VYPR

CWE-250

Execution with Unnecessary Privileges

BaseDraftLikelihood: Medium

Description

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-104 · CAPEC-470 · CAPEC-69

CVEs mapped to this weakness (139)

page 2 of 7
  • CVE-2026-46748HigJun 9, 2026
    risk 0.57cvss 8.8epss 0.00

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected system includes a binary that is configured with the cap_dac_override capability. This capability allows the process to bypass file system permission checks, resulting in…

  • CVE-2026-44477CriMay 28, 2026
    risk 0.57cvss 9.9epss 0.00

    CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session…

  • CVE-2026-32673HigMay 13, 2026
    risk 0.57cvss 8.7epss 0.00

    A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. In appliance mode deployments, a successful exploit can allow the…

  • CVE-2026-32643HigMay 13, 2026
    risk 0.57cvss 8.7epss 0.00

    A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands.  Note: Software versions which have reached End of Technical…

  • CVE-2026-34877CriApr 2, 2026
    risk 0.57cvss 9.8epss 0.00

    An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code…

  • CVE-2025-13506HigDec 12, 2025
    risk 0.57cvss 8.8epss 0.00

    Execution with Unnecessary Privileges vulnerability in Nebim Neyir Computer Industry and Services Inc. Nebim V3 ERP allows Expanding Control over the Operating System from the Database. This issue affects Nebim V3 ERP: from 2.0.59 before 3.0.1.

  • CVE-2025-32445CriApr 15, 2025
    risk 0.57cvss 9.9epss 0.01

    Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The…

  • CVE-2025-22368HigMar 11, 2025
    risk 0.57cvss epss 0.01

    The authenticated SCU firmware command of the firmware for Mennekes Smart / Premium Chargingpoints can be abused for command execution because OS commands are improperly neutralized when certain fields are passed to the underlying OS.

  • CVE-2025-22367HigMar 11, 2025
    risk 0.57cvss epss 0.01

    The authenticated time setting capability of the firmware for Mennekes Smart / Premium Chargingpoints can be abused for command execution because OS command are improperly neutralized when certain fields are passed to the underlying OS.

  • CVE-2025-22366HigMar 11, 2025
    risk 0.57cvss epss 0.01

    The authenticated firmware update capability of the firmware for Mennekes Smart / Premium Chargingpoints can be abused for command execution because OS command are improperly neutralized when certain fields are passed to the underlying OS.

  • CVE-2024-43654HigJan 9, 2025
    risk 0.57cvss 8.8epss 0.02

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Iocharger firmware for AC models allows OS Command Injection as root This issue affects all Iocharger AC EV charger models on a firmware version before 25010801. Likelihood:…

  • CVE-2024-43653HigJan 9, 2025
    risk 0.57cvss 8.8epss 0.02

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability  allows OS Command Injection as root This issue affects Iocharger firmware for AC model chargers before version 24120701. Likelihood: Moderate – The binary does not…

  • CVE-2024-43652HigJan 9, 2025
    risk 0.57cvss 8.8epss 0.02

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root This issue affects Iocharger firmware for AC model chargers before version 24120701 Likelihood: Moderate – The binary does not seem…

  • CVE-2024-43649HigJan 9, 2025
    risk 0.57cvss 8.8epss 0.02

    Authenticated command injection in the filename of a .exe request leads to remote code execution as the root user. This issue affects Iocharger firmware for AC models before version 24120701. Likelihood: Moderate – This action is not a common place for command…

  • CVE-2024-43648HigJan 9, 2025
    risk 0.57cvss 8.8epss 0.02

    Command injection in the parameter of a .exe request leads to remote code execution as the root user. This issue affects Iocharger firmware for AC models before version 24120701. Likelihood: Moderate – This action is not a common place for command…

  • CVE-2024-28139HigDec 11, 2024
    risk 0.57cvss 8.8epss 0.01

    The www-data user can elevate its privileges because sudo is configured to allow the execution of the mount command as root without a password. Therefore, the privileges can be escalated to the root user. The risk has been accepted by the vendor and won't be fixed in the near…

  • CVE-2024-11075HigNov 19, 2024
    risk 0.57cvss 8.8epss 0.00

    A vulnerability in the Incoming Goods Suite allows a user with unprivileged access to the underlying system (e.g. local or via SSH) a privilege escalation to the administrative level due to the usage of component vendor Docker images running with root permissions. Exploiting…

  • CVE-2024-8781HigNov 18, 2024
    risk 0.57cvss epss 0.00

    Execution with Unnecessary Privileges, : Improper Protection of Alternate Path vulnerability in TR7 Application Security Platform (ASP) allows Privilege Escalation, -Privilege Abuse. This issue affects Application Security Platform (ASP): v1.4.25.188.

  • CVE-2023-50015HigMar 9, 2024
    risk 0.57cvss 8.8epss 0.00

    An issue was discovered in Grandstream GXP14XX 1.0.8.9 and GXP16XX 1.0.7.13, allows remote attackers to escalate privileges via incorrect access control using an end-user session-identity token.

  • CVE-2018-8853HigMay 4, 2018
    risk 0.57cvss 8.8epss 0.00

    Philips Brilliance CT devices operate user functions from within a contained kiosk in a Microsoft Windows operating system. Windows boots by default with elevated Windows privileges, enabling a kiosk application, user, or an attacker to potentially attain unauthorized elevated…