CWE · MITRE source

CWE-732: Incorrect Permission Assignment for Critical Resource

Abstraction: Class · CVEs in our corpus: 1,627

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

When a resource is given a permission setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured storage account for the cloud that can be read or written by a public or anonymous user.
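As an added illustration (not part of the CWE entry or any MITRE material), the file-system form of this weakness in Python: a config writer that lets a loose umask decide who can read a secret-bearing file, beside one that creates the file with an explicit owner-only mode, plus the audit check a scanner would apply. Function names and the sample config line are assumptions, and it assumes a POSIX host where mode bits are honoured.

```python
import os
import stat
import tempfile
from typing import Tuple

# Any permission bit outside the owner triple widens access beyond the
# single actor that should own a critical resource (CWE-732).
GROUP_OR_WORLD = stat.S_IRWXG | stat.S_IRWXO


def insecure_write_config(path: str, content: str) -> None:
    """'Before' form: open() creates the file with mode 0666 masked only by
    the process umask, so a loose umask leaves it group/world-readable."""
    with open(path, "w") as f:
        f.write(content)


def secure_write_config(path: str, content: str) -> None:
    """Hardened form: request 0600 at creation time (the umask can only
    tighten it) and use O_EXCL so a pre-existing file at the path is an
    error rather than being silently reused with whatever mode it had."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, 0o600)  # pin the final mode regardless of platform quirks


def overly_permissive(path: str) -> bool:
    """Audit check: True if any group or other bit is set on the resource."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return bool(mode & GROUP_OR_WORLD)


def demo() -> Tuple[bool, bool]:
    """Write a constructed config both ways under a deliberately loose umask
    and report (insecure_flagged, hardened_flagged)."""
    old_umask = os.umask(0o000)  # simulate a carelessly configured service
    try:
        workdir = tempfile.mkdtemp()
        insecure = os.path.join(workdir, "app.conf")
        hardened = os.path.join(workdir, "app-hardened.conf")
        sample = "db_password=constructed-sample-value\n"  # constructed input
        insecure_write_config(insecure, sample)
        secure_write_config(hardened, sample)
        return overly_permissive(insecure), overly_permissive(hardened)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print("insecure flagged, hardened flagged:", demo())
```

The same `overly_permissive` check, pointed at configuration files, key material or unit sockets, is the core of what RA-5 style scanners report for this weakness.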

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (72) · AI

Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.

Control | Title | Family | Why it addresses this CWE
SC-14 | Public Access Protections | SC | Requires correct permission settings on public-facing resources to block unauthorized read/write access.
SC-15 | Collaborative Computing Devices and Applications | SC | Forces correct permission settings on device resources so remote parties cannot activate them.
SC-2 | Separation of System and User Functionality | SC | Ensures critical system resources and functions receive permission assignments distinct from ordinary user resources.
PM-1 | Information Security Program Plan | PM | Treating the plan as a critical resource and requiring it to be protected from unauthorized modification or disclosure drives correct permission assignment.
PM-10 | Authorization Process | PM | Security authorization processes review and approve permission assignments for critical resources, reducing the chance that incorrect permission assignments remain unaddressed.
PM-12 | Insider Threat Program | PM | Program reviews and corrects overly permissive resource assignments that insiders could exploit for unauthorized access.
CM-1 | Policy and Procedures | CM | Procedures specify correct permission assignments for critical configuration files and resources as part of baseline and change management.
CM-12 | Information Location | CM | Documenting users and component locations facilitates correct permission assignments for critical resources.
CM-2 | Baseline Configuration | CM | Maintaining baseline configuration controls permission assignments for critical resources and detects unauthorized changes.
SA-14 | Criticality Analysis | SA | The control directly supports correct permission assignment by first determining which resources are critical, thereby lowering the likelihood of insecure permissions on those resources.
SA-16 | Developer-provided Training | SA | Training on security functions includes correct permission assignment for critical resources, lowering misconfiguration risk.
SA-17 | Developer Security and Privacy Architecture and Design | SA | Mandates accurate specification of control allocation, making incorrect default or assigned permissions on critical resources less probable at design time.
PE-1 | Policy and Procedures | PE | Policy specifies correct permission assignments for physical critical resources and facilities.
PE-10 | Emergency Shutoff | PE | The emergency shutoff is a critical resource whose activation is protected via proper permission assignment.
PE-16 | Delivery and Removal | PE | Ensures correct permission assignments for critical physical resources during delivery and removal processes.
57 more broadly applicable controls:
Control | Title | Family | Why it addresses this CWE
SC-27 | Platform-independent Applications | SC | Platform-independent applications inherit runtime-enforced resource permissions instead of relying on error-prone native file or process permission assignments.
SC-3 | Security Function Isolation | SC | Security functions become critical resources whose permissions can be assigned narrowly and independently of the rest of the system.
SC-32 | System Partitioning | SC | Supports correct permission assignment by allowing permissions to be scoped to individual partitions rather than a monolithic system.
SC-34 | Non-modifiable Executable Programs | SC | Overrides or renders irrelevant incorrect permission assignments on critical executable resources by using hardware-level immutability.
SC-39 | Process Isolation | SC | By giving each process its own protected domain, the control reduces the impact of incorrect permission assignments on critical resources shared across processes.
SC-43 | Usage Restrictions | SC | Establishing usage restrictions and guidelines directly addresses assignment of appropriate permissions to critical components.
SC-49 | Hardware-enforced Separation and Policy Enforcement | SC | Hardware mechanisms enforce correct permission assignments on critical resources that would otherwise be modifiable by software.
SC-50 | Software-enforced Separation and Policy Enforcement | SC | Software-enforced separation ensures correct permission assignments on critical resources between domains.
SC-51 | Hardware-based Protection | SC | Directly implements hardware-enforced write protection on critical resources instead of relying on potentially incorrect software permissions.
PM-13 | Security and Privacy Workforce | PM | Training addresses permission management, reducing incorrect permission assignments on critical resources.
PM-23 | Data Governance Body | PM | Provides oversight for correct permission and privilege assignments on data stores, files, and repositories.
PM-29 | Risk Management Program Leadership Roles | PM | Risk Executive function drives correct permission assignment for critical resources by requiring risk analysis before granting broad access.
PM-32 | Purposing | PM | Triggers re-evaluation of permission assignments on critical resources when usage deviates from declared purpose.
PM-4 | Plan of Action and Milestones Process | PM | Drives systematic identification, documentation, and closure of incorrect critical-resource permission assignments through tracked milestones.
PM-7 | Enterprise Architecture | PM | Architecture standards define default and required permission models for critical resources, mitigating incorrect permission assignments.
PM-8 | Critical Infrastructure Plan | PM | The control requires correct permission assignments on critical resources as part of the documented CIKR security and privacy protections.
PM-9 | Risk Management Strategy | PM | Strategy requires assessment and assignment of permissions for critical resources, reducing incorrect default or inherited permissions.
CM-3 | Configuration Change Control | CM | Controls changes to critical resources, helping maintain correct permission assignments and preventing insecure modifications.
CM-4 | Impact Analyses | CM | Changes to permissions on critical resources are assessed to prevent incorrect assignments.
CM-5 | Access Restrictions for Change | CM | Defining and enforcing access restrictions ensures correct permission assignments on resources that support changes.
CM-6 | Configuration Settings | CM | Documenting and enforcing configuration settings ensures correct permission assignments for critical resources.
CM-7 | Least Functionality | CM | Configuring systems to provide only required functionality avoids incorrect permission assignments on unneeded resources, ports, or services.
CM-9 | Configuration Management Plan | CM | Places configuration items under formal management, enforcing correct permission assignments on critical resources.
SA-18 | Tamper Resistance and Detection | SA | Correct and hardened permission assignments on critical resources are a primary means of achieving tamper resistance at the system level.
SA-3 | System Development Life Cycle | SA | Documented roles, responsibilities, and continuous risk management in the SDLC ensure that default and runtime permissions for critical resources are deliberately assigned and reviewed.
SA-5 | System Documentation | SA | Documentation covering secure installation and permission settings reduces incorrect permission assignments on critical resources.
SA-7 | User-installed Software | SA | Requires correct permission assignments on system resources and install mechanisms to block user installs.
SA-8 | Security and Privacy Engineering Principles | SA | Permission-assignment and least-privilege principles prevent incorrect critical-resource permissions.
PE-17 | Alternate Work Site | PE | The requirement to employ and assess controls at alternate sites includes ensuring correct permission assignments for critical resources that could otherwise be misconfigured in remote environments.
PE-3 | Physical Access Control | PE | Mandates securing keys/combinations, periodic inventory, and rotation on compromise or personnel changes to correct improper physical permission assignments.
PE-7 | Visitor Control | PE | Prevents default or overly broad physical permissions by requiring per-visitor access decisions and time-limited credentials.
PE-9 | Power Equipment and Cabling | PE | Ensures that a critical resource (power delivery) receives appropriate physical permission assignments and safeguards instead of default or inadequate protection.
RA-1 | Policy and Procedures | RA | Risk assessment procedures include review of permission assignments on critical resources, directly lowering the chance of persistent incorrect assignments.
RA-2 | Security Categorization | RA | Security category directly informs the required permission settings for critical resources before authorization occurs.
RA-3 | Risk Assessment | RA | Assessment of system vulnerabilities includes permission and privilege misconfigurations that enable unauthorized resource access.
RA-5 | Vulnerability Monitoring and Scanning | RA | Permission and ACL misconfigurations on critical resources are standard findings in automated scans.
RA-7 | Risk Response | RA | Incorrect permission assignments on critical resources are typical audit findings; responding to them per risk tolerance removes the excessive privileges that enable exploitation.
RA-9 | Criticality Analysis | RA | The analysis directly locates critical resources so that permission assignments can be made correctly rather than left incorrect or default.
AC-1 | Policy and Procedures | AC | Procedures support proper permission assignment for critical resources through documented controls.
AC-16 | Security and Privacy Attributes | AC | Attribute management for resources provides a mechanism to assign and maintain correct permissions based on security labels.
AC-6 | Least Privilege | AC | Prevents overly permissive assignments to critical resources by limiting access to task needs.
CP-10 | System Recovery and Reconstitution | CP | Reconstitution corrects improper permission assignments on critical resources.
CP-6 | Alternate Storage Site | CP | Requiring equivalent controls prevents incorrect permission assignments on critical backup resources at the alternate site.
CP-9 | System Backup | CP | Protecting backup availability and integrity requires correct permission assignments on critical backup resources.
PS-5 | Personnel Transfer | PS | Drives correction of permission assignments on critical resources when individuals move to new positions with different needs.
PS-8 | Personnel Sanctions | PS | Sanctions discourage incorrect permission assignments on critical resources when such actions violate security policy.
PS-9 | Position Descriptions | PS | Security responsibilities documented in job descriptions guide correct initial and ongoing permission assignments for critical resources.
AT-1 | Policy and Procedures | AT | Training policy covers correct permission assignment, reducing the ability to exploit incorrect permission assignments for critical resources.
AT-3 | Role-based Training | AT | Training on permission management reduces incorrect permission assignments for critical resources.
CA-2 | Control Assessments | CA | Assessments review permission assignments on critical resources to confirm correctness, mitigating exploitation via incorrect permissions.
CA-4 | Security Certification | CA | Certification includes checking that permissions on critical resources are correctly assigned.
PL-11 | Baseline Tailoring | PL | Tailoring actions include assigning or restricting permissions on critical resources to the minimum necessary for the system's purpose and threat environment.
PL-9 | Central Management | PL | Central management of critical-resource permissions ensures uniform, least-privilege assignments rather than per-system manual settings that frequently drift.
AU-9 | Protection of Audit Information | AU | Audit logs and logging tools are critical resources whose protection requires correct permission assignments to block unauthorized actions.
MP-2 | Media Access | MP | Restricting media access ensures correct permission assignments for this critical resource.
SI-1 | Policy and Procedures | SI | Procedures require correct default and assigned permissions on critical resources, tangibly lowering the chance of overly permissive settings.
SR-9 | Tamper Resistance and Detection | SR | Provides detection and resistance layers that reduce exploitability of incorrect critical-resource permissions.

Top CVEs of this weakness type, ranked by Risk Priority

CVE | Risk | CVSS | EPSS | Published
CVE-2022-22960 KEV | 7.9 | 7.8 | 0.7266 | 2022-04-13
CVE-2011-3923 | 7.4 | 9.8 | 0.9105 | 2019-11-01
CVE-2018-15379 | 7.3 | 9.8 | 0.8946 | 2018-10-05
CVE-2021-44521 | 7.3 | 9.1 | 0.9101 | 2022-02-11
CVE-2019-15752 KEV | 6.5 | 7.8 | 0.4932 | 2019-08-28
CVE-2020-0668 | 6.4 | 7.8 | 0.8089 | 2020-02-11
CVE-2018-12296 | 5.9 | 7.5 | 0.7313 | 2019-05-13
CVE-2018-14916 | 5.9 | 9.1 | 0.6793 | 2019-06-28
CVE-2018-1000226 | 5.6 | 9.8 | 0.6001 | 2018-08-20
CVE-2012-10030 | 5.6 | 9.8 | 0.6098 | 2025-08-05
CVE-2021-37304 | 5.3 | 7.5 | 0.6353 | 2023-02-03
CVE-2021-37305 | 4.9 | 7.5 | 0.5683 | 2023-02-03
CVE-2017-9462 | 4.7 | 8.8 | 0.4870 | 2017-06-06
CVE-2018-10285 | 4.4 | 9.8 | 0.4114 | 2018-04-22
CVE-2020-11107 | 4.1 | 8.8 | 0.3891 | 2020-04-02
CVE-2017-20198 | 4.0 | 0.0 | 0.6676 | 2025-07-23
CVE-2018-4072 | 3.9 | 8.8 | 0.3626 | 2019-05-06
CVE-2018-4073 | 3.9 | 8.8 | 0.3626 | 2019-05-06
CVE-2023-50292 | 3.9 | 7.5 | 0.4012 | 2024-02-09
CVE-2017-6104 | 3.8 | 7.5 | 0.3860 | 2017-03-02
CVE-2017-5260 | 3.8 | 8.8 | 0.3339 | 2017-12-20
CVE-2021-23874 KEV | 3.7 | 8.2 | 0.0085 | 2021-02-10
CVE-2017-3006 | 3.2 | 8.8 | 0.2411 | 2017-04-12
CVE-2018-13374 KEV | 3.1 | 4.3 | 0.0378 | 2019-01-22
CVE-2017-17867 | 2.9 | 8.8 | 0.1981 | 2018-01-04