CWE · MITRE source
CWE-276: Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (11)
Showing the 10 most specific. Generic controls that address many weakness types are listed separately below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CM-1 | Policy and Procedures | CM | Establishes requirements for appropriate default permissions on system resources as part of configuration management. |
| CM-2 | Baseline Configuration | CM | Baseline establishment and updates on install/upgrade ensure correct default permissions rather than insecure ones. |
| CM-6 | Configuration Settings | CM | Requiring the most restrictive settings instead of defaults prevents incorrect default permissions on resources. |
| AC-1 | Policy and Procedures | AC | Access control policy can specify and enforce secure default permissions for resources. |
| AC-6 | Least Privilege | AC | Guides setting of default permissions to the minimum required level. |
| PL-11 | Baseline Tailoring | PL | Tailoring explicitly overrides or scopes default permission assignments in the baseline to match the system's actual risk and operational needs. |
| PL-9 | Central Management | PL | A central authority can define and push correct default permissions, eliminating the common practice of leaving insecure defaults on individual hosts. |
| SA-16 | Developer-provided Training | SA | Training covers proper setting of permissions on resources, reducing incorrect default or inherited permissions after deployment. |
| SA-5 | System Documentation | SA | Administrator documentation on secure configuration and default settings prevents incorrect default permissions from remaining in place. |
| PE-1 | Policy and Procedures | PE | Requires addressing secure default permissions in physical and environmental protection controls. |
1 more broadly applicable control:
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CM-9 | Configuration Management Plan | CM | Requires documented processes that include setting and maintaining correct default permissions for configuration items. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2013-0632 KEV | 9.5 | 9.8 | 0.9268 | 2013-01-17 |
| CVE-2017-11610 | 7.4 | 8.8 | 0.9383 | 2017-08-23 |
| CVE-2023-29919 | 7.3 | 9.1 | 0.9185 | 2023-05-23 |
| CVE-2023-29923 | 6.2 | 5.3 | 0.8544 | 2023-04-19 |
| CVE-2017-8625 | 5.9 | 8.8 | 0.6982 | 2017-08-08 |
| CVE-2020-9039 | 5.9 | 9.8 | 0.6611 | 2020-02-22 |
| CVE-2020-7943 | 5.4 | 7.5 | 0.6537 | 2020-03-11 |
| CVE-2020-11444 | 5.3 | 8.8 | 0.5875 | 2020-04-02 |
| CVE-2022-22948 KEV | 4.9 | 6.5 | 0.2601 | 2022-03-29 |
| CVE-2020-12834 | 4.7 | 9.8 | 0.4581 | 2020-05-15 |
| CVE-2019-17124 | 3.4 | 9.8 | 0.2381 | 2019-10-09 |
| CVE-2023-20178 | 3.2 | 7.8 | 0.2774 | 2023-06-28 |
| CVE-2021-40904 | 2.9 | 8.8 | 0.1913 | 2022-03-25 |
| CVE-2023-27035 | 2.9 | 6.5 | 0.2627 | 2023-05-01 |
| CVE-1999-0426 | 2.4 | 9.8 | 0.0812 | 1999-03-01 |
| CVE-2022-36640 | 2.4 | 9.8 | 0.0679 | 2022-09-02 |
| CVE-2022-27773 | 2.4 | 9.8 | 0.0688 | 2022-12-05 |
| CVE-2023-25355 | 2.4 | 8.8 | 0.1077 | 2023-04-04 |
| CVE-2023-26918 | 2.4 | 9.8 | 0.0717 | 2023-04-14 |
| CVE-2016-5425 | 2.3 | 7.8 | 0.1155 | 2016-10-13 |
| CVE-2024-55215 | 2.3 | 9.8 | 0.0487 | 2025-02-07 |
| CVE-2019-19896 | 2.2 | 9.9 | 0.0344 | 2020-01-23 |
| CVE-2021-44140 | 2.2 | 9.1 | 0.0587 | 2021-11-24 |
| CVE-2021-45003 | 2.2 | 9.8 | 0.0337 | 2022-01-10 |
| CVE-2022-25943 | 2.2 | 7.8 | 0.0986 | 2022-03-09 |