CWE-732
Incorrect Permission Assignment for Critical Resource
Abstraction: Class · Status: Draft · Likelihood of Exploit: High
Description
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
When a resource is given a permission setting that grants access to a wider range of actors than required, sensitive information can be exposed or the resource can be modified by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured cloud storage account that can be read or written by a public or anonymous user.
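The following is an added example, not part of the CWE entry: a small POSIX permission audit that flags bits on a file exceeding the widest mode the resource should carry, shown against a secrets file written the weak way (relying on the process umask) and the hardened way (mode requested at creation), plus a world-writable script audited against a 0o755 ceiling. The function names, file names and file contents are constructed for the demonstration.

```python
import os
import stat
import tempfile


def excess_permissions(path: str, allowed_mode: int) -> list[str]:
    """Report permission bits on `path` beyond `allowed_mode`, the widest mode the
    resource should ever carry (0o600 for secrets, 0o755 for a root-run script)."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    extra = mode & ~allowed_mode  # bits present that the policy does not allow
    findings = []
    if extra & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/other (mode {mode:04o})")
    if extra & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group/other (mode {mode:04o})")
    return findings  # empty list means the assignment is within policy


def write_secret_insecure(path: str, data: str) -> None:
    """Weak pattern: open() creates with 0o666 masked only by the process umask,
    so under the common 022 umask the secret ends up world-readable."""
    with open(path, "w") as fh:
        fh.write(data)


def write_secret(path: str, data: str) -> None:
    """Hardened pattern: request 0o600 at creation so the file never exists with
    wider permissions, and O_EXCL refuses to clobber a pre-existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed run in a temporary directory: a secrets file written both ways,
    plus a world-writable startup script audited against a 0o755 ceiling."""
    old_umask = os.umask(0o022)  # pin the umask so the weak case is observable
    try:
        with tempfile.TemporaryDirectory() as d:
            weak, safe, script = (os.path.join(d, n)
                                  for n in ("weak.conf", "safe.conf", "run.sh"))
            write_secret_insecure(weak, "db_password=example")
            write_secret(safe, "db_password=example")
            write_secret(script, "#!/bin/sh\necho maintenance\n")
            os.chmod(script, 0o777)  # simulates an over-permissive root-run script
            return (excess_permissions(weak, 0o600),
                    excess_permissions(safe, 0o600),
                    excess_permissions(script, 0o755))
    finally:
        os.umask(old_umask)
```

The same `excess_permissions` check can be run over a list of configuration files and startup scripts to catch the "readable by any local user" and "world-writable script" patterns that recur in the CVEs listed below.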
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-122 · CAPEC-127 · CAPEC-17 · CAPEC-180 · CAPEC-206 · CAPEC-234 · CAPEC-60 · CAPEC-61 · CAPEC-62 · CAPEC-642
CVEs mapped to this weakness (191)
page 1 of 10

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2014-125121 | Cri | 0.72 | — | 0.45 | | Jul 31, 2025 | Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise. |
| CVE-2017-20198 | Cri | 0.69 | — | 0.67 | | Jul 23, 2025 | The Marathon UI in DC/OS < 1.9.0 allows unauthenticated users to deploy arbitrary Docker containers. Due to improper restriction of volume mount configurations, attackers can deploy a container that mounts the host's root filesystem (/) with read/write privileges. When using a malicious Docker image, the attacker can write to /etc/cron.d/ on the host, achieving arbitrary code execution with root privileges. This impacts any system where the Docker daemon honors Marathon container configurations without policy enforcement. |
| CVE-2025-14988 | Cri | 0.65 | — | 0.00 | | Jan 27, 2026 | A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system. |
| CVE-2025-69426 | Cri | 0.65 | — | 0.00 | | Jan 9, 2026 | The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise. |
| CVE-2025-12004 | Cri | 0.65 | — | 0.00 | | Oct 21, 2025 | Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action API. This issue affects Mediawiki - Lockdown Extension: from master before 1.42. |
| CVE-2025-8042 | Cri | 0.64 | 9.8 | 0.00 | | Aug 19, 2025 | Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141. |
| CVE-2025-43243 | Cri | 0.64 | 9.8 | 0.00 | | Jul 30, 2025 | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to modify protected parts of the file system. |
| CVE-2025-25373 | Cri | 0.64 | 9.8 | 0.00 | | Mar 25, 2025 | The Memory Management Module of NASA cFS (Core Flight System) Aquila has insecure permissions, which can be exploited to gain an RCE on the platform. |
| CVE-2024-10018 | Cri | 0.64 | 9.8 | 0.00 | | Oct 16, 2024 | Improper permission control in the mobile application (com.transsion.aivoiceassistant) can lead to the launch of any unexported component. |
| CVE-2024-9142 | Cri | 0.64 | 9.8 | 0.00 | | Sep 25, 2024 | External Control of File Name or Path; Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls. This issue affects e-Belediye: before 2.0.642. |
| CVE-2024-8039 | Cri | 0.64 | 9.8 | 0.00 | | Sep 14, 2024 | Improper permission configuration. Domain configuration vulnerability of the mobile application (com.afmobi.boomplayer) can lead to account takeover risks. |
| CVE-2024-5618 | Cri | 0.64 | 9.9 | 0.00 | | Jul 18, 2024 | Incorrect Permission Assignment for Critical Resource vulnerability in PruvaSoft Informatics Apinizer Management Console allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Apinizer Management Console: before 2024.05.1. |
| CVE-2024-5163 | Cri | 0.64 | 9.8 | 0.00 | | Jun 17, 2024 | Improper permission settings for mobile applications (com.transsion.carlcare) may lead to user password and account security risks. |
| CVE-2024-33435 | Cri | 0.64 | 9.8 | 0.03 | | Apr 29, 2024 | Insecure Permissions vulnerability in Guangzhou Yingshi Electronic Technology Co. Ncast Yingshi high-definition intelligent recording and playback system 2007-2017 allows a remote attacker to execute arbitrary code via the /manage/IPSetup.php backend function. |
| CVE-2025-30063 | Cri | 0.61 | — | 0.00 | | Aug 27, 2025 | The configuration file containing database logins and passwords is readable by any local user. |
| CVE-2024-3375 | Cri | 0.61 | 9.4 | 0.00 | | Apr 29, 2024 | Incorrect Permission Assignment for Critical Resource vulnerability in Havelsan Inc. Dialogue allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dialogue: from v1.83 before v1.83.1 or v1.84. |
| CVE-2025-41118 | Cri | 0.59 | 9.1 | 0.00 | | Apr 15, 2026 | Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems. This vulnerability is fixed in versions: 1.15.x: 1.15.2 and above. 1.16.x: 1.16.1 and above. 1.17.x: 1.17.0 and above (i.e. all versions). Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program. |
| CVE-2025-40804 | Cri | 0.59 | 9.1 | 0.00 | | Sep 9, 2025 | A vulnerability has been identified in SIMATIC Virtualization as a Service (SIVaaS) (All versions). The affected application exposes a network share without any authentication. This could allow an attacker to access or alter sensitive data without proper authorization. |
| CVE-2024-53932 | Cri | 0.59 | 9.1 | 0.00 | | Jan 6, 2025 | The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.remi.colorphone.callscreen.calltheme.callerscreen.dialer.DialerActivity component. |
| CVE-2024-53931 | Cri | 0.59 | 9.1 | 0.00 | | Jan 6, 2025 | The com.glitter.caller.screen (aka iCaller, Caller Theme & Dialer) application through 1.1 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.glitter.caller.screen.DialerActivity component. |