CWE-732
Incorrect Permission Assignment for Critical Resource
ClassDraftLikelihood: High
Description
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
When a resource is given a permission setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured storage account for the cloud that can be read or written by a public or anonymous user.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-122 · CAPEC-127 · CAPEC-17 · CAPEC-180 · CAPEC-206 · CAPEC-234 · CAPEC-60 · CAPEC-61 · CAPEC-62 · CAPEC-642
CVEs mapped to this weakness (295)
page 4 of 15| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-10526 | Hig | 0.56 | — | 0.00 | Nov 7, 2024 | Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely. This issue is fixed in version 0.73.3. | |
| CVE-2026-8069 | Hig | 0.55 | — | 0.00 | May 8, 2026 | PredatorSense version 3.00.3136 to 3.00.3196 contain Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges. | |
| CVE-2025-12985 | Hig | 0.55 | 8.4 | 0.00 | Jan 20, 2026 | IBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image. | |
| CVE-2021-47756 | Hig | 0.55 | 8.4 | 0.00 | Jan 16, 2026 | Laravel Valet versions 1.1.4 to 2.0.3 contain a local privilege escalation vulnerability that allows users to modify the valet command with root privileges. Attackers can edit the symlinked valet command to execute arbitrary code with root permissions without additional authentication. | |
| CVE-2022-50690 | Hig | 0.55 | 8.4 | 0.00 | Dec 22, 2025 | Wondershare MirrorGo 2.0.11.346 contains a local privilege escalation vulnerability due to incorrect file permissions on executable files. Unprivileged local users can replace the ElevationService.exe with a malicious file to execute arbitrary code with LocalSystem privileges. | |
| CVE-2023-53949 | Hig | 0.55 | 8.4 | 0.00 | Dec 19, 2025 | AspEmail 5.6.0.2 contains a binary permission vulnerability that allows local users to escalate privileges through the Persits Software EmailAgent service. Attackers can exploit full write permissions in the BIN directory to replace the service executable and gain elevated system access. | |
| CVE-2025-59373 | Hig | 0.55 | — | 0.00 | Nov 25, 2025 | A local privilege escalation vulnerability exists in the restore mechanism of ASUS System Control Interface. It can be triggered when an unprivileged actor copies files without proper validation into protected system paths, potentially leading to arbitrary files being executed as SYSTEM. For more information, please refer to section Security Update for MyASUS in the ASUS Security Advisory. | |
| CVE-2025-11921 | Hig | 0.55 | — | 0.00 | Nov 24, 2025 | iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection.This issue affects iStats: 7.10.4. | |
| CVE-2025-40672 | Hig | 0.55 | — | 0.00 | May 26, 2025 | A Privilege Escalation vulnerability has been found in Panloader component v3.24.0.0 by Espiral MS Group. This vulnerability allows any user to override the file panLoad.exe that will be executed by SYSTEM user via a programmed task. This would allow an attacker to obtain administrator permissions to perform whatever activities he/she wants, shuch as accessing sensitive information, executing code remotely, and even causing a denial of service (DoS). | |
| CVE-2025-2098 | Hig | 0.55 | — | 0.00 | Mar 26, 2025 | Fast CAD Reader application on MacOS was found to be installed with incorrect file permissions (rwxrwxrwx). This is inconsistent with standard macOS security practices, where applications should have drwxr-xr-x permissions. Incorrect permissions allow for Dylib Hijacking. Guest account, other users and applications can exploit this vulnerability for privilege escalation. This issue affects Fast CAD Reader in possibly all versions since the vendor has not responded to our messages. The tested version was 4.1.5 | |
| CVE-2024-10209 | Hig | 0.55 | — | 0.00 | Mar 25, 2025 | An Incorrect Permission Assignment for Critical Resource vulnerability in the file system used in B&R APROL <4.4-01 may allow an authenticated local attacker to read and alter the configuration of another engineering or runtime user. | |
| CVE-2025-1413 | Hig | 0.55 | — | 0.00 | Feb 28, 2025 | DaVinci Resolve on MacOS was found to be installed with incorrect file permissions (rwxrwxrwx). This is inconsistent with standard macOS security practices, where applications should have drwxr-xr-x permissions. Incorrect permissions allow for Dylib Hijacking. Guest account, other users and applications can exploit this vulnerability for privilege escalation. This issue affects DaVinci Resolve on MacOS in versions before 19.1.3. | |
| CVE-2024-6619 | Hig | 0.55 | — | 0.00 | Aug 13, 2024 | In Ocean Data Systems Dream Report, an incorrect permission vulnerability could allow a local unprivileged attacker to escalate their privileges and could cause a denial-of-service. | |
| CVE-2017-11652 | Hig | 0.55 | 8.4 | 0.00 | Aug 18, 2017 | Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the CrashReporter directory, which allows local users to gain privileges via a Trojan horse dbghelp.dll file. | |
| CVE-2017-8665 | Hig | 0.55 | 7.8 | 0.11 | Aug 15, 2017 | The Xamarin.iOS update component on systems running macOS allows an attacker to run arbitrary code as root, aka "Xamarin.iOS Elevation Of Privilege Vulnerability." | |
| CVE-2017-6104 | Hig | 0.55 | 7.5 | 0.39 | Mar 2, 2017 | Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0. | |
| CVE-2025-41659 | Hig | 0.54 | 8.3 | 0.00 | Aug 4, 2025 | A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted. | |
| CVE-2017-16895 | Hig | 0.54 | 7.8 | 0.00 | Dec 1, 2017 | The (1) arq_updater, (2) arqcommitter, (3) standardrestorer, (4) arqglacierrestorer, and (5) arqs3glacierrestorer helper apps in Arq 5.x before 5.10 for Mac allow local users to gain root privileges via a crafted data packet. | |
| CVE-2009-3489 | Hig | 0.54 | 7.8 | 0.00 | Sep 30, 2009 | Adobe Photoshop Elements 8.0 installs the Adobe Active File Monitor V8 service with an insecure security descriptor, which allows local users to (1) stop the service via the stop command, (2) execute arbitrary commands as SYSTEM by using the config command to modify the binPath variable, or (3) restart the service via the start command. | |
| CVE-2025-54497 | Hig | 0.53 | 8.1 | 0.00 | Sep 18, 2025 | Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 to allow management operations such as firmware upgrades and device reboots, which require authentication. A user with protected privileges can successfully invoke the SetSerialPort functionality to modify relevant device properties (such as serial interface settings), contradicting the security model proposed in the user manual. |