Cyber Resilience

CWE · MITRE source

CWE-250: Execution with Unnecessary Privileges

Abstraction: Base · CVEs in our corpus: 329

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 15 mapping(s) from 9 framework(s): ATT&CK 4 (partial) · CAPEC 3 (partial) · ASVS 5.0 2 (mostly) · CSF 2.0 1 (mostly) · STIG windows 10 1 (mostly) · STIG windows 11 1 (mostly) · STIG windows server 2016 1 (mostly) · STIG windows server 2019 1 (mostly) · STIG windows server 2022 1 (mostly)


NIST 800-53 r5 controls that address this weakness (43) · AI

Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.

Control · Title · Family · Why it addresses this CWE
SC-2 · Separation of System and User Functionality · SC · Separating user-facing code from system management functions directly prevents execution of privileged operations from untrusted user contexts.
SC-25 · Thin Nodes · SC · Minimal functionality inherently eliminates execution of unneeded code paths and associated privileges.
SC-27 · Platform-independent Applications · SC · Runtimes for platform-independent applications commonly support configurable security managers or sandboxes that enforce least privilege by default.
PS-1 · Policy and Procedures · PS · Personnel security policy and procedures enforce least-privilege assignment, periodic review, and revocation on termination or role change, directly reducing unnecessary privileges.
PS-2 · Position Risk Designation · PS · Risk designation and screening for elevated positions directly reduces the chance that unvetted personnel receive or retain unnecessary privileges.
PS-3 · Personnel Screening · PS · Screening supports assignment of access only to those who have been evaluated, reducing execution with unnecessary privileges by untrusted or unqualified personnel.
SA-14 · Criticality Analysis · SA · Criticality analysis identifies high-impact functions so that unnecessary privileges can be removed from them, directly reducing the exploitability of excessive-privilege weaknesses.
SA-16 · Developer-provided Training · SA · Training on correct operation of privilege-related security functions directly reduces unnecessary privilege execution by teaching least-privilege usage.
SA-23 · Specialization · SA · Specialized components can be engineered and configured to execute only the minimal necessary functionality and privileges for the essential service.
AC-1 · Policy and Procedures · AC · Policy promotes least privilege by defining necessary privileges and management commitment to them.
AC-13 · Supervision and Review — Access Control · AC · Supervision detects and allows removal of unnecessary privileges that enable execution with excess rights.
AC-2 · Account Management · AC · Reviewing accounts for compliance, disabling/removing unneeded accounts, and aligning with termination processes prevents execution with unnecessary privileges.
PM-10 · Authorization Process · PM · Integration of authorization into organization-wide risk management includes evaluation of privileges, making execution with unnecessary privileges less likely to be approved.
PM-12 · Insider Threat Program · PM · Insider threat program enforces least-privilege reviews and monitors privileged actions, directly reducing abuse of unnecessary rights.
PM-13 · Security and Privacy Workforce · PM · Workforce programs emphasize least-privilege principles, directly reducing unnecessary privilege assignments.

Broadly-applicable controls (28 more)

SC-3 · Security Function Isolation · SC · Isolating security functions allows them to execute with only the privileges they require while preventing non-security code from inheriting or accessing those privileges.
SC-32 · System Partitioning · SC · Enables execution with minimal necessary privileges by isolating components into distinct environments.
SC-39 · Process Isolation · SC · Process isolation confines each process to its own execution domain, preventing one process from exercising the privileges or resources belonging to another.
SC-43 · Usage Restrictions · SC · Authorizing only necessary component uses reduces the chance of processes running with extraneous privileges.
SC-49 · Hardware-enforced Separation and Policy Enforcement · SC · Mandatory hardware separation makes it harder to run code with unnecessary privileges by isolating privilege domains.
SC-50 · Software-enforced Separation and Policy Enforcement · SC · Separation and policy enforcement reduce the ability to execute with unnecessary privileges by isolating higher-privilege functions.
PS-4 · Personnel Termination · PS · Disabling access and retrieving security-related property prevents continued execution with unnecessary privileges by ex-employees.
PS-6 · Access Agreements · PS · Access agreements document and require acknowledgment of assigned privileges, making execution with unnecessary privileges less likely by establishing accountability and expected behavior.
PS-7 · External Personnel Security · PS · Requires notification of external personnel terminations and monitors revocation of credentials/privileges, directly reducing retained unnecessary access.
PS-8 · Personnel Sanctions · PS · Formal sanctions deter personnel from violating least-privilege policies by imposing consequences for unnecessary privilege use.
PS-9 · Position Descriptions · PS · Position descriptions that explicitly define security responsibilities directly support assignment of only the privileges needed for a role, reducing execution with unnecessary privileges.
SA-5 · System Documentation · SA · Documentation on secure operation of privileged functions and known vulnerabilities directly reduces execution with unnecessary privileges.
SA-7 · User-installed Software · SA · Restricts users from obtaining or retaining unnecessary installation/execution privileges.
SA-8 · Security and Privacy Engineering Principles · SA · The least-privilege engineering principle directly reduces execution with unnecessary privileges.
AC-5 · Separation of Duties · AC · Separation of duties prevents any single user from holding all privileges needed to complete a critical task, directly reducing execution with unnecessary privileges.
AC-6 · Least Privilege · AC · Directly prevents execution with more privileges than needed for assigned tasks.
PM-29 · Risk Management Program Leadership Roles · PM · An organization-wide risk executive function provides accountability and oversight that directly reduces execution with unnecessary privileges through consistent identification and mitigation.
PM-32 · Purposing · PM · Identifies privileges or capabilities that exceed what is required for the stated mission purpose, enabling removal.
CM-2 · Baseline Configuration · CM · Baseline review prevents systems from running with unnecessary privileges by enforcing least-privilege settings.
CM-5 · Access Restrictions for Change · CM · Limiting change access to only approved entities reduces the risk of unnecessary privileges being available for modifications.
CM-6 · Configuration Settings · CM · Configuration settings can mandate least-privilege execution, reducing unnecessary privileges.
CM-7 · Least Functionality · CM · Prohibiting unnecessary functions, ports, protocols, software, and services directly prevents execution with privileges beyond what is required for the system's purpose.
PL-4 · Rules of Behavior · PL · Rules of behavior explicitly require users to operate with only the privileges needed for their role, directly reducing execution with unnecessary privileges.
PL-7 · Concept of Operations · PL · The CONOPS explicitly defines intended operational roles, procedures, and privilege usage, reducing the likelihood of unnecessary privileges being assigned or retained during system operation.
AT-3 · Role-based Training · AT · Role-based training on least-privilege principles reduces the chance that personnel assign or retain unnecessary privileges.
AU-6 · Audit Record Review, Analysis, and Reporting · AU · Analysis of audit records can identify execution with unnecessary privileges through unusual activity patterns.
CA-9 · Internal System Connections · CA · Automatic termination after a defined period eliminates unnecessary privileges from persistent connections.
RA-9 · Criticality Analysis · RA · Knowing which functions and components are critical supports application of least privilege, reducing execution with unnecessary privileges.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE · Risk · CVSS · EPSS · Published
CVE-2024-38813 KEV · 10.0 · 7.5 · 0.1668 · 2024-09-17
CVE-2025-40602 KEV · 10.0 · 6.6 · 0.0191 · 2025-12-18
CVE-2024-1222 UPD · 8.0 · 8.6 · 0.6398 · 2024-03-14
CVE-2021-41035 · 7.0 · 9.8 · 0.0170 · 2021-10-25
CVE-2022-1517 · 7.0 · 10.0 · 0.0163 · 2022-06-24
CVE-2022-2634 · 7.0 · 10.0 · 0.0082 · 2022-08-10
CVE-2022-44544 · 7.0 · 9.8 · 0.0076 · 2022-11-06
CVE-2023-32080 · 7.0 · 9.0 · 0.0092 · 2023-05-10
CVE-2023-4662 · 7.0 · 9.8 · 0.0119 · 2023-09-15
CVE-2023-52030 · 7.0 · 9.8 · 0.0154 · 2024-01-11
CVE-2024-25421 UPD · 7.0 · 9.8 · 0.0165 · 2024-03-26
CVE-2024-27143 · 7.0 · 9.8 · 0.0110 · 2024-06-14
CVE-2024-3330 · 7.0 · 9.9 · 0.0059 · 2024-06-27
CVE-2024-6834 · 7.0 · 9.0 · 0.0026 · 2024-07-17
CVE-2024-35783 · 7.0 · 9.1 · 0.0061 · 2024-09-10
CVE-2024-7387 · 7.0 · 9.1 · 0.0232 · 2024-09-17
CVE-2024-8767 · 7.0 · 9.9 · 0.0048 · 2024-09-17
CVE-2024-7102 · 7.0 · 9.6 · 0.0041 · 2025-02-13
CVE-2025-32445 · 7.0 · 9.9 · 0.0067 · 2025-04-15
CVE-2025-42958 · 7.0 · 9.1 · 0.0067 · 2025-09-09
CVE-2025-57119 · 7.0 · 9.8 · 0.0054 · 2025-09-16
CVE-2025-56557 · 7.0 · 9.1 · 0.0030 · 2025-09-16
CVE-2025-36356 · 7.0 · 9.3 · 0.0018 · 2025-10-06
CVE-2025-34515 · 7.0 · 9.8 · 0.0728 · 2025-10-16
CVE-2025-43017 · 7.0 · 9.8 · 0.0024 · 2025-10-28