CWE · MITRE source
CWE-250: Execution with Unnecessary Privileges
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (43)
Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-2 | Separation of System and User Functionality | SC | Separating user-facing code from system management functions directly prevents execution of privileged operations from untrusted user contexts. |
| SC-25 | Thin Nodes | SC | Minimal functionality inherently eliminates execution of unneeded code paths and associated privileges. |
| SC-27 | Platform-independent Applications | SC | Runtimes for platform-independent applications commonly support configurable security managers or sandboxes that enforce least privilege by default. |
| PS-1 | Policy and Procedures | PS | Personnel security policy and procedures enforce least-privilege assignment, periodic review, and revocation on termination or role change, directly reducing unnecessary privileges. |
| PS-2 | Position Risk Designation | PS | Risk designation and screening for elevated positions directly reduces the chance that unvetted personnel receive or retain unnecessary privileges. |
| PS-3 | Personnel Screening | PS | Screening supports assignment of access only to those who have been evaluated, reducing execution with unnecessary privileges by untrusted or unqualified personnel. |
| SA-14 | Criticality Analysis | SA | Criticality analysis identifies high-impact functions so that unnecessary privileges can be removed from them, directly reducing the exploitability of excessive-privilege weaknesses. |
| SA-16 | Developer-provided Training | SA | Training on correct operation of privilege-related security functions directly reduces unnecessary privilege execution by teaching least-privilege usage. |
| SA-23 | Specialization | SA | Specialized components can be engineered and configured to execute only the minimal necessary functionality and privileges for the essential service. |
| AC-1 | Policy and Procedures | AC | Policy promotes least privilege by defining necessary privileges and management commitment to them. |
| AC-13 | Supervision and Review — Access Control | AC | Supervision detects and allows removal of unnecessary privileges that enable execution with excess rights. |
| AC-2 | Account Management | AC | Reviewing accounts for compliance, disabling/removing unneeded accounts, and aligning with termination processes prevents execution with unnecessary privileges. |
| PM-10 | Authorization Process | PM | Integration of authorization into organization-wide risk management includes evaluation of privileges, making execution with unnecessary privileges less likely to be approved. |
| PM-12 | Insider Threat Program | PM | Insider threat program enforces least-privilege reviews and monitors privileged actions, directly reducing abuse of unnecessary rights. |
| PM-13 | Security and Privacy Workforce | PM | Workforce programs emphasize least-privilege principles, directly reducing unnecessary privilege assignments. |

The remaining 28 broadly-applicable controls:

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-3 | Security Function Isolation | SC | Isolating security functions allows them to execute with only the privileges they require while preventing non-security code from inheriting or accessing those privileges. |
| SC-32 | System Partitioning | SC | Enables execution with minimal necessary privileges by isolating components into distinct environments. |
| SC-39 | Process Isolation | SC | Process isolation confines each process to its own execution domain, preventing one process from exercising the privileges or resources belonging to another. |
| SC-43 | Usage Restrictions | SC | Authorizing only necessary component uses reduces the chance of processes running with extraneous privileges. |
| SC-49 | Hardware-enforced Separation and Policy Enforcement | SC | Mandatory hardware separation makes it harder to run code with unnecessary privileges by isolating privilege domains. |
| SC-50 | Software-enforced Separation and Policy Enforcement | SC | Separation and policy enforcement reduce the ability to execute with unnecessary privileges by isolating higher-privilege functions. |
| PS-4 | Personnel Termination | PS | Disabling access and retrieving security-related property prevents continued execution with unnecessary privileges by ex-employees. |
| PS-6 | Access Agreements | PS | Access agreements document and require acknowledgment of assigned privileges, making execution with unnecessary privileges less likely by establishing accountability and expected behavior. |
| PS-7 | External Personnel Security | PS | Requires notification of external personnel terminations and monitors revocation of credentials/privileges, directly reducing retained unnecessary access. |
| PS-8 | Personnel Sanctions | PS | Formal sanctions deter personnel from violating least-privilege policies by imposing consequences for unnecessary privilege use. |
| PS-9 | Position Descriptions | PS | Position descriptions that explicitly define security responsibilities directly support assignment of only the privileges needed for a role, reducing execution with unnecessary privileges. |
| SA-5 | System Documentation | SA | Documentation on secure operation of privileged functions and known vulnerabilities directly reduces execution with unnecessary privileges. |
| SA-7 | User-installed Software | SA | Restricts users from obtaining or retaining unnecessary installation/execution privileges. |
| SA-8 | Security and Privacy Engineering Principles | SA | Least-privilege engineering principle directly reduces execution with unnecessary privileges. |
| AC-5 | Separation of Duties | AC | Separation of duties prevents any single user from holding all privileges needed to complete a critical task, directly reducing execution with unnecessary privileges. |
| AC-6 | Least Privilege | AC | Directly prevents execution with more privileges than needed for assigned tasks. |
| PM-29 | Risk Management Program Leadership Roles | PM | Org-wide risk executive function provides accountability and oversight that directly reduces execution with unnecessary privileges through consistent identification and mitigation. |
| PM-32 | Purposing | PM | Identifies privileges or capabilities that exceed what is required for the stated mission purpose, enabling removal. |
| CM-2 | Baseline Configuration | CM | Baseline review prevents systems from running with unnecessary privileges by enforcing least-privilege settings. |
| CM-5 | Access Restrictions for Change | CM | Limiting change access to only approved entities reduces the risk of unnecessary privileges being available for modifications. |
| CM-6 | Configuration Settings | CM | Configuration settings can mandate least-privilege execution, reducing unnecessary privileges. |
| CM-7 | Least Functionality | CM | Prohibiting unnecessary functions, ports, protocols, software, and services directly prevents execution with privileges beyond what is required for the system's purpose. |
| PL-4 | Rules of Behavior | PL | Rules of behavior explicitly require users to operate with only the privileges needed for their role, directly reducing execution with unnecessary privileges. |
| PL-7 | Concept of Operations | PL | CONOPS explicitly defines intended operational roles, procedures, and privilege usage, reducing the likelihood of unnecessary privileges being assigned or retained during system operation. |
| AT-3 | Role-based Training | AT | Role-based training on least privilege principles reduces the chance personnel assign or retain unnecessary privileges. |
| AU-6 | Audit Record Review, Analysis, and Reporting | AU | Analysis of audit records can identify execution with unnecessary privileges through unusual activity patterns. |
| CA-9 | Internal System Connections | CA | Automatic termination after a defined period eliminates unnecessary privileges from persistent connections. |
| RA-9 | Criticality Analysis | RA | Knowing which functions and components are critical supports application of least privilege, reducing execution with unnecessary privileges. |

Top CVEs of this weakness type, ranked by Risk Priority (KEV marks entries listed in CISA's Known Exploited Vulnerabilities catalog)
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-38813 (KEV) | 5.3 | 7.5 | 0.2953 | 2024-09-17 |
| CVE-2023-46360 | 5.1 | 8.8 | 0.5512 | 2024-02-06 |
| CVE-2025-40602 (KEV) | 3.3 | 6.6 | 0.0041 | 2025-12-18 |
| CVE-2023-52030 | 2.8 | 9.8 | 0.1482 | 2024-01-11 |
| CVE-2024-25421 | 2.1 | 9.8 | 0.0256 | 2024-03-26 |
| CVE-2021-41035 | 2.0 | 9.8 | 0.0015 | 2021-10-25 |
| CVE-2022-1517 | 2.0 | 10.0 | 0.0055 | 2022-06-24 |
| CVE-2022-2634 | 2.0 | 10.0 | 0.0026 | 2022-08-10 |
| CVE-2022-44544 | 2.0 | 9.8 | 0.0054 | 2022-11-06 |
| CVE-2023-4662 | 2.0 | 9.8 | 0.0074 | 2023-09-15 |
| CVE-2024-27143 | 2.0 | 9.8 | 0.0019 | 2024-06-14 |
| CVE-2024-3330 | 2.0 | 9.9 | 0.0033 | 2024-06-27 |
| CVE-2024-42024 | 2.0 | 8.8 | 0.0431 | 2024-09-07 |
| CVE-2024-8767 | 2.0 | 9.9 | 0.0038 | 2024-09-17 |
| CVE-2025-32445 | 2.0 | 9.9 | 0.0037 | 2025-04-15 |
| CVE-2025-49581 | 2.0 | 8.8 | 0.0387 | 2025-06-13 |
| CVE-2025-57119 | 2.0 | 9.8 | 0.0012 | 2025-09-16 |
| CVE-2025-34515 | 2.0 | 9.8 | 0.0016 | 2025-10-16 |
| CVE-2025-43017 | 2.0 | 9.8 | 0.0004 | 2025-10-28 |
| CVE-2025-34274 | 2.0 | 9.8 | 0.0082 | 2025-10-30 |
| CVE-2025-33223 | 2.0 | 9.8 | 0.0017 | 2025-12-23 |
| CVE-2025-33224 | 2.0 | 9.8 | 0.0004 | 2025-12-23 |
| CVE-2025-12420 | 2.0 | 9.8 | 0.0005 | 2026-01-12 |
| CVE-2025-13375 | 2.0 | 9.8 | 0.0007 | 2026-02-04 |
| CVE-2026-27002 | 2.0 | 9.8 | 0.0002 | 2026-02-20 |