Cyber Posture

CWE · MITRE source

CWE-653: Improper Isolation or Compartmentalization

Abstraction: Class · CVEs in our corpus: 52

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (26) AI

Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.

Control | Title | Family | Why it addresses this CWE
SC-2 | Separation of System and User Functionality | SC | Directly requires isolation/compartmentalization of user services from system management functions.
SC-3 | Security Function Isolation | SC | The control directly supplies the compartmentalization that CWE-653 requires between security and non-security domains.
SC-32 | System Partitioning | SC | Directly implements isolation and compartmentalization by placing components into separate domains or environments.
SA-14 | Criticality Analysis | SA | Criticality analysis informs isolation and compartmentalization decisions for high-value components, reducing the attack surface that an adversary can reach after an initial compromise.
SA-17 | Developer Security and Privacy Architecture and Design | SA | Requires the architecture to show how functions work together as a unified protection approach, reducing improper isolation or compartmentalization.
SA-18 | Tamper Resistance and Detection | SA | Isolation and compartmentalization techniques are core to tamper resistance, limiting an attacker's ability to reach or alter protected components.
PM-19 | Privacy Program Leadership Role | PM | Organization-wide privacy program leadership ensures proper isolation and compartmentalization of personal data.
PM-24 | Data Integrity Board | PM | Oversight ensures data-matching activities maintain required isolation between distinct data sets and authorized user communities.
PM-32 | Purposing | PM | Verifies that mission-essential functions remain isolated and not repurposed across compartment boundaries.
AC-20 | Use of External Systems | AC | Defines isolation boundaries by specifying which external systems may access or process organization data.
AC-4 | Information Flow Enforcement | AC | Maintains isolation and compartmentalization by restricting flows between security domains or levels.
PL-7 | Concept of Operations | PL | The CONOPS must articulate isolation and compartmentalization expectations for security and privacy, making architectural failures in separation of duties or domains harder to overlook.
PL-8 | Security and Privacy Architectures | PL | Security architectures commonly incorporate isolation and compartmentalization strategies to limit the impact of compromises.
CA-9 | Internal System Connections | CA | Reviewing the continued need for connections supports isolation and compartmentalization.
PE-23 | Facility Location | PE | Locating systems away from hazards improves isolation and compartmentalization from external physical or environmental threats.

Broadly-applicable controls (11 more):

Control | Title | Family | Why it addresses this CWE
SC-36 | Distributed Processing and Storage | SC | Explicitly distributes components to achieve compartmentalization, making it harder to exploit weak isolation boundaries between processing or storage elements.
SC-39 | Process Isolation | SC | The control is a direct realization of proper isolation and compartmentalization, eliminating the weakness of shared execution domains.
SC-46 | Cross Domain Policy Enforcement | SC | Policy enforcement between domains strengthens isolation and compartmentalization, reducing the ability to exploit weak separation of security contexts.
SC-47 | Alternate Communications Paths | SC | Providing a distinct alternate path directly implements compartmentalization of critical command-and-control communications.
SC-49 | Hardware-enforced Separation and Policy Enforcement | SC | The control explicitly provides hardware-backed isolation and compartmentalization between domains or components.
SC-50 | Software-enforced Separation and Policy Enforcement | SC | Explicitly requires isolation and compartmentalization mechanisms that address failures in separating security domains.
SA-23 | Specialization | SA | Dedicated specialized components isolate mission-essential services from general-purpose systems, strengthening compartmentalization.
SA-24 | Design For Cyber Resiliency | SA | Common cyber resiliency techniques include compartmentalization and isolation to limit blast radius, directly addressing improper isolation.
SA-8 | Security and Privacy Engineering Principles | SA | Separation-of-privilege and least-common-mechanism principles enforce proper isolation.
PM-7 | Enterprise Architecture | PM | Architecture explicitly designs isolation, segmentation, and compartmentalization (e.g., networks, data flows), preventing improper isolation weaknesses.
SI-22 | Information Diversity | SI | Implements compartmentalization across independent information sources so that compromise of one does not disable essential operations.

Top CVEs of this weakness type, ranked by Risk Priority

CVE | Risk | CVSS | EPSS | Published
CVE-2025-1974 | 7.4 | 9.8 | 0.9113 | 2025-03-25
CVE-2025-21590 (KEV) | 3.0 | 4.4 | 0.0175 | 2025-03-12
CVE-2024-33768 | 2.0 | 9.8 | 0.0017 | 2024-05-01
CVE-2025-4083 | 1.8 | 9.1 | 0.0041 | 2025-04-29
CVE-2025-5476 | 1.8 | 8.8 | 0.0007 | 2025-06-21
CVE-2024-23682 | 1.7 | 8.2 | 0.0028 | 2024-01-19
CVE-2024-23683 | 1.7 | 8.2 | 0.0018 | 2024-01-19
CVE-2023-1305 | 1.6 | 8.1 | 0.0033 | 2023-03-21
CVE-2025-20109 | 1.6 | 7.8 | 0.0002 | 2025-08-12
CVE-2025-34201 | 1.6 | 7.8 | 0.0006 | 2025-09-19
CVE-2025-12805 | 1.6 | 8.1 | 0.0001 | 2026-03-26
CVE-2024-47520 | 1.5 | 7.6 | 0.0012 | 2025-01-10
CVE-2024-0135 | 1.5 | 7.6 | 0.0010 | 2025-01-28
CVE-2024-0136 | 1.5 | 7.6 | 0.0010 | 2025-01-28
CVE-2025-41688 | 1.5 | 7.2 | 0.0021 | 2025-07-31
CVE-2025-53710 | 1.5 | 7.5 | 0.0008 | 2025-12-18
CVE-2026-4282 | 1.5 | 7.4 | 0.0004 | 2026-04-02
CVE-2025-3086 | 1.4 | 7.1 | 0.0010 | 2025-04-04
CVE-2025-57738 | 1.4 | 7.2 | 0.0009 | 2025-10-20
CVE-2026-34775 | 1.4 | 6.8 | 0.0001 | 2026-04-04
CVE-2024-30388 | 1.3 | 6.5 | 0.0008 | 2024-04-12
CVE-2024-57720 | 1.3 | 6.5 | 0.0030 | 2025-01-23
CVE-2024-57721 | 1.3 | 6.5 | 0.0030 | 2025-01-23
CVE-2024-57723 | 1.3 | 6.5 | 0.0030 | 2025-01-23
CVE-2024-55456 | 1.3 | 6.5 | 0.0009 | 2025-02-03