VYPR

CWE-732

Incorrect Permission Assignment for Critical Resource

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

When a resource is given a permission setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured cloud storage account that can be read or written by a public or anonymous user.
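The pattern behind most of the mapped CVEs below is a file that unprivileged users can write and a privileged process later reads or executes. The following is an added example, not code from the CWE entry or from VYPR: it shows the weak credential-file write beside its hardened form, and a small audit that walks a directory tree for world-writable entries (the half of the bug a scanner can find without knowing which process consumes the file). It targets POSIX mode bits; the file names, directory layout and the sample credential are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample credential used only for this demonstration.
SECRET = "dbpass=hunter2\n"


def write_credentials_insecure(path: Path, secret: str) -> None:
    """The weak pattern: write the secret, then chmod it to 0666 so that
    'every component can read it'. Any local user can now read the
    credential and, worse, rewrite it (CWE-732)."""
    path.write_text(secret)
    os.chmod(path, 0o666)


def write_credentials_secure(path: Path, secret: str) -> None:
    """The hardened pattern: create the file owner-only (0600) in one step.
    Passing the mode to os.open removes the window between creation and a
    later chmod in which another user could open the file; O_EXCL refuses
    to reuse a pre-planted file or symlink at that path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret)


def mode_of(path: Path) -> int:
    """Permission bits only (no file-type bits), e.g. 0o600."""
    return stat.S_IMODE(path.lstat().st_mode)


def audit_world_writable(root: Path) -> list[str]:
    """Return paths under root (relative, POSIX form) that any user may
    write. Sticky-bit directories such as /tmp are the one legitimate
    world-writable case and are skipped; symlinks are skipped because the
    link's own mode bits carry no meaning."""
    findings = []
    for p in root.rglob("*"):
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue
        world_writable = bool(st.st_mode & stat.S_IWOTH)
        sticky_dir = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
        if world_writable and not sticky_dir:
            findings.append(p.relative_to(root).as_posix())
    return sorted(findings)


def demo() -> dict:
    """Build a constructed install tree: one weak and one correct credential
    file, a helper script meant to be run by root but writable by everyone,
    and a sticky scratch directory that must not be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "bin"):
            (root / d).mkdir()
            os.chmod(root / d, 0o755)        # pin modes so umask does not matter
        weak = root / "etc" / "db.conf"
        fixed = root / "etc" / "db.conf.fixed"
        write_credentials_insecure(weak, SECRET)
        write_credentials_secure(fixed, SECRET)

        helper = root / "bin" / "helper.sh"
        helper.write_text("#!/bin/sh\necho update\n")
        os.chmod(helper, 0o777)              # writable by everyone, run by root

        scratch = root / "tmp"
        scratch.mkdir()
        os.chmod(scratch, 0o1777)            # sticky: legitimate, not a finding

        return {
            "findings": audit_world_writable(root),
            "weak_mode": mode_of(weak),
            "fixed_mode": mode_of(fixed),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

The audit only answers "who can write this"; whether that is a vulnerability depends on who consumes the file, so a finding still has to be paired with the owner and the privileged service that reads or executes it. On Windows the same class appears as a loose DACL rather than mode bits (see the entries below citing C:\Windows\Automation and C:\sysupdate\): the equivalent check is `icacls <dir>` showing an entry such as `BUILTIN\Users:(OI)(CI)(F)` on a directory a SYSTEM service executes from, and this script's mode-bit test does not apply there.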

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-122 · CAPEC-127 · CAPEC-17 · CAPEC-180 · CAPEC-206 · CAPEC-234 · CAPEC-60 · CAPEC-61 · CAPEC-62 · CAPEC-642

CVEs mapped to this weakness (623)

page 9 of 32
  • CVE-2017-6104 · High · Mar 2, 2017
    risk 0.52 · cvss 7.5 · epss 0.07

    Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0.

  • CVE-2026-50209 · High · Jun 4, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker.

  • CVE-2026-27788 · High · Jun 1, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Incorrect permission assignment for critical resource issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM…

  • CVE-2026-25112 · High · May 26, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    A high-severity vulnerability in the deployment of Genetec RabbitMQ that allows a privilege escalation attack.

  • CVE-2026-41217 · High · May 13, 2026
    risk 0.51 · cvss 7.9 · epss 0.00

    A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges. In Appliance mode deployments, a successful exploit…

  • CVE-2026-8110 · High · May 12, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges.

  • CVE-2026-41288 · High · May 6, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Incorrect permission assignment for a resource in the patch management component of the WatchGuard Agent on Windows allows an authenticated local user to elevate their privileges to NT AUTHORITY\SYSTEM.

  • CVE-2026-22676 · High · Apr 15, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation…

  • CVE-2026-3315 · High · Mar 10, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Incorrect Default Permissions, Execution with Unnecessary Privileges, and Incorrect Permission Assignment for Critical Resource vulnerability in ASSA ABLOY Visionline on Windows allows Configuration/Environment Manipulation. This issue affects Visionline: from 1.0 before 1.33.

  • CVE-2026-2637 · High · Mar 3, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    iBoysoft NTFS for Mac contains a local privilege escalation vulnerability in its privileged helper daemon ntfshelperd. The daemon exposes an NSConnection service that runs as root without implementing any authentication or authorization checks. This issue affects iBoysoft…

  • CVE-2026-23648 · High · Feb 17, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Glory RBG-100 recycler systems using the ISPK-08 software component contain multiple system binaries with overly permissive file permissions. Several binaries executed by the root user are writable and executable by unprivileged local users. An attacker with local access can…

  • CVE-2019-25343 · High · Feb 12, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    NextVPN 4.10 contains an insecure file permissions vulnerability that allows local users to modify executable files with full access rights. Attackers can replace system executables with malicious files to gain SYSTEM or Administrator privileges through unauthorized file…

  • CVE-2025-14979 · High · Jan 6, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root. This issue affects Eddie: 2.24.6.

  • CVE-2025-13703 · High · Dec 23, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    VIPRE Advanced Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of VIPRE Advanced Security for PC. An attacker must first obtain the ability to execute…

  • CVE-2024-32010 · High · Nov 11, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to extraction of database credentials via a world-readable credential file. This allows an attacker to connect to the database as privileged…

  • CVE-2025-54545 · High · Oct 29, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    On affected platforms, a restricted user could break out of the CLI sandbox to the system shell and elevate their privileges.

  • CVE-2025-10541 · High · Sep 25, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    iMonitor EAM 9.6394 installs a system service (eamusbsrv64.exe) that runs with NT AUTHORITY\SYSTEM privileges. This service includes an insecure update mechanism that automatically loads files placed in the C:\sysupdate\ directory during startup. Because any local user can…

  • CVE-2025-9578 · High · Aug 28, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 40734.

  • CVE-2025-50675 · High · Aug 7, 2025
    risk 0.51 · cvss 7.8 · epss 0.00

    GPMAW 14, a bioinformatics software, has a critical vulnerability related to insecure file permissions in its installation directory. The directory is accessible with full read, write, and execute permissions for all users, allowing unprivileged users to manipulate files within…

  • CVE-2024-50590 · High · Nov 8, 2024
    risk 0.51 · cvss 7.8 · epss 0.00

    Attackers with local access to the medical office computer can escalate their Windows user privileges to "NT AUTHORITY\SYSTEM" by overwriting one of two Elefant service binaries with weak permissions. The default installation directory of Elefant is "C:\Elefant1" which is …