CWE · MITRE source
CWE-269: Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (54)
The 15 most specific controls are listed first; the 39 controls that apply broadly across many weakness types follow them.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| PS-1 | Policy and Procedures | PS | Documented procedures for role definition, privilege assignment, and removal provide the management framework that prevents improper privilege management. |
| PS-2 | Position Risk Designation | PS | Periodic review of position risk levels forces re-evaluation of privilege assignments and prevents drift toward excessive rights for individuals. |
| PS-3 | Personnel Screening | PS | Vetting individuals before privilege assignment lowers the likelihood that privileges will be given to people who will misuse them, directly mitigating improper privilege management. |
| PM-10 | Authorization Process | PM | Designating specific roles and responsibilities for authorization and risk management directly mitigates improper privilege management across the organization. |
| PM-12 | Insider Threat Program | PM | A cross-discipline incident team detects and responds to improper privilege assignments or escalations by insiders. |
| PM-2 | Information Security Program Leadership Role | PM | Dedicated senior leadership with resources directly enables consistent organization-wide privilege management and enforcement of least privilege. |
| SC-2 | Separation of System and User Functionality | SC | The control enforces proper privilege boundaries by ensuring user functionality cannot invoke or manage system-level privileges. |
| SC-27 | Platform-independent Applications | SC | The abstraction layer of platform-independent applications allows centralized privilege management inside the runtime rather than scattered OS-level calls. |
| SC-3 | Security Function Isolation | SC | The control enforces separation so that privilege management decisions and operations for security functions cannot be influenced or subverted by non-security code. |
| AC-1 | Policy and Procedures | AC | Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments. |
| AC-13 | Supervision and Review — Access Control | AC | Access supervision ensures privileges are assigned and managed without improper escalation or retention. |
| AC-2 | Account Management | AC | Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management. |
| CM-2 | Baseline Configuration | CM | Baseline configuration documents and controls privilege assignments, making improper privilege management harder to introduce or sustain. |
| CM-3 | Configuration Change Control | CM | Manages privileges for change control activities and provides oversight to prevent improper privilege use in configuration updates. |
| CM-4 | Impact Analyses | CM | Reviewing changes for security impacts prevents introduction of improper privilege assignments or escalations. |

The remaining 39 controls apply broadly across many weakness types:

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| PS-4 | Personnel Termination | PS | Explicit revocation of privileges and access rights addresses improper privilege management after employment ends. |
| PS-5 | Personnel Transfer | PS | Requires explicit review and modification of privileges when personnel change roles, directly preventing improper ongoing privilege management. |
| PS-7 | External Personnel Security | PS | Mandates documented personnel security requirements and compliance monitoring for external providers' system privileges and credentials. |
| PS-8 | Personnel Sanctions | PS | The sanctions process enforces accountability for improper privilege assignments and management actions that breach policy. |
| PS-9 | Position Descriptions | PS | Documenting security and privacy duties per position provides the foundation for consistent and correct privilege management across the organization. |
| PM-29 | Risk Management Program Leadership Roles | PM | Senior risk management leadership and a cross-organization risk view enforce proper privilege management and prevent ad-hoc or inconsistent assignments. |
| PM-32 | Purposing | PM | Drives ongoing review and correction of privilege assignments that have drifted from intended operational need. |
| PM-7 | Enterprise Architecture | PM | Enterprise architecture incorporates least-privilege principles and role definitions organization-wide, addressing improper privilege management. |
| PM-9 | Risk Management Strategy | PM | Strategy development and consistent implementation enforce privilege management and least-privilege principles across systems. |
| SC-39 | Process Isolation | SC | Separate execution domains enforce privilege boundaries so that improper privilege management within one process cannot affect others. |
| SC-43 | Usage Restrictions | SC | Usage restrictions and implementation guidelines limit how privileges may be exercised with the specified components. |
| SC-49 | Hardware-enforced Separation and Policy Enforcement | SC | Hardware policy enforcement prevents improper privilege assignment or escalation across separated execution domains. |
| SC-50 | Software-enforced Separation and Policy Enforcement | SC | Policy enforcement mechanisms limit privilege escalation and improper privilege assignments across boundaries. |
| AC-25 | Reference Monitor | AC | Enforces proper privilege management by requiring that every access decision pass through the verified reference monitor. |
| AC-5 | Separation of Duties | AC | By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process. |
| AC-6 | Least Privilege | AC | Restricting each actor to only the rights it requires is the core of proper privilege management. |
| CM-5 | Access Restrictions for Change | CM | Restricting who can perform changes helps ensure privileges are managed properly rather than assigned broadly. |
| CM-6 | Configuration Settings | CM | Managing and monitoring configuration settings supports proper privilege management and avoids improper assignments. |
| CM-9 | Configuration Management Plan | CM | Defines roles and responsibilities to ensure proper privilege management during configuration changes. |
| SA-14 | Criticality Analysis | SA | By determining which components are critical, the analysis drives proper privilege assignment and management for those components, limiting attacker escalation paths. |
| SA-16 | Developer-provided Training | SA | Developer training on implemented privilege management controls prevents improper assignment or escalation through correct configuration and operation. |
| SA-7 | User-installed Software | SA | Directly enforces proper management of the privileges required to install software. |
| SA-8 | Security and Privacy Engineering Principles | SA | Least-privilege and separation-of-duties principles prevent improper privilege management. |
| PL-11 | Baseline Tailoring | PL | Baseline tailoring enforces organization-specific privilege-management decisions rather than accepting generic high-water-mark settings. |
| PL-7 | Concept of Operations | PL | The documented concept of operations forces organizations to specify how privileges will be assigned, used, and reviewed, directly limiting improper privilege management in day-to-day operations. |
| PL-9 | Central Management | PL | Centralized privilege assignment and oversight prevent the ad-hoc or excessive privilege grants that occur when each system is configured independently. |
| AT-1 | Policy and Procedures | AT | Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses. |
| AT-3 | Role-based Training | AT | Training covers proper privilege management practices, making incorrect privilege assignments less likely. |
| CA-4 | Security Certification | CA | The control mandates review of privilege assignments to ensure they are appropriate and minimal. |
| CA-9 | Internal System Connections | CA | Terminating and reviewing connections manages the privileges associated with internal interfaces. |
| MA-5 | Maintenance Personnel | MA | Manages privileges by authorizing only approved personnel and supervising those lacking the required authorizations for maintenance. |
| MA-7 | Field Maintenance | MA | Maintenance typically requires elevated privileges; limiting field maintenance helps enforce proper privilege management. |
| PE-1 | Policy and Procedures | PE | Designates roles and review processes for managing physical privileges and access rights. |
| PE-16 | Delivery and Removal | PE | Manages physical access privileges by restricting who can deliver or remove system components. |
| RA-1 | Policy and Procedures | RA | Periodic policy-driven reviews of privileges and roles make improper privilege management more likely to be detected and corrected. |
| RA-10 | Threat Hunting | RA | Privilege abuse or escalation attempts are detectable via the indicators that threat hunting is designed to surface. |
| AU-6 | Audit Record Review, Analysis, and Reporting | AU | Review helps detect improper privilege management by flagging unauthorized privilege changes or uses. |
| CP-10 | System Recovery and Reconstitution | CP | Recovery ensures a return to a state with correctly assigned and managed privileges. |
| SI-1 | Policy and Procedures | SI | Policy mandates proper privilege assignment and review processes, making improper privilege management harder to overlook or sustain. |
Top CVEs of this weakness type, ranked by Risk Priority
KEV marks entries listed in the CISA Known Exploited Vulnerabilities catalog.

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2017-5689 (KEV) | 9.6 | 9.8 | 0.9419 | 2017-05-02 |
| CVE-2021-20021 (KEV) | 9.5 | 9.8 | 0.9170 | 2021-04-09 |
| CVE-2020-8655 (KEV) | 8.9 | 7.8 | 0.8838 | 2020-02-07 |
| CVE-2013-0643 (KEV) | 7.6 | 8.8 | 0.6420 | 2013-02-27 |
| CVE-2017-12635 | 7.6 | 9.8 | 0.9410 | 2017-11-14 |
| CVE-2021-34621 | 7.6 | 9.8 | 0.9348 | 2021-07-07 |
| CVE-2022-24637 | 7.6 | 9.8 | 0.9385 | 2022-03-18 |
| CVE-2020-13638 | 7.5 | 9.8 | 0.9220 | 2020-11-13 |
| CVE-2021-38540 | 7.5 | 9.8 | 0.9178 | 2021-09-09 |
| CVE-2020-3243 | 7.4 | 9.8 | 0.9020 | 2020-04-15 |
| CVE-2020-3250 | 7.3 | 9.8 | 0.8969 | 2020-04-15 |
| CVE-2021-35064 | 7.3 | 9.8 | 0.8955 | 2021-07-12 |
| CVE-2020-16875 | 6.9 | 8.4 | 0.8682 | 2020-09-11 |
| CVE-2023-28434 (KEV) | 6.9 | 8.8 | 0.5209 | 2023-03-22 |
| CVE-2019-1405 (KEV) | 6.8 | 7.8 | 0.5391 | 2019-11-12 |
| CVE-2022-0441 | 6.8 | 9.8 | 0.8135 | 2022-03-07 |
| CVE-2017-11467 | 6.5 | 9.8 | 0.7631 | 2017-07-20 |
| CVE-2014-1510 | 6.2 | 9.8 | 0.7109 | 2014-03-19 |
| CVE-2014-1511 | 6.2 | 9.8 | 0.7049 | 2014-03-19 |
| CVE-2019-25066 | 5.9 | 6.3 | 0.7764 | 2022-06-09 |
| CVE-2017-5254 | 5.8 | 8.8 | 0.6759 | 2017-12-20 |
| CVE-2016-10972 | 5.7 | 9.8 | 0.6305 | 2019-09-16 |
| CVE-2020-36155 | 5.7 | 10.0 | 0.6202 | 2021-01-04 |
| CVE-2021-34622 | 5.7 | 9.8 | 0.6156 | 2021-07-07 |
| CVE-2024-26169 (KEV) | 5.6 | 7.8 | 0.3458 | 2024-03-12 |