Cyber Resilience


CWE-269: Improper Privilege Management

Abstraction: Class · CVEs in our corpus: 2,847

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 20 mapping(s) from 9 framework(s): ATT&CK 7 (mostly) · CSF 2.0 4 (mostly) · CAPEC 3 (partial) · STIG windows 10 1 (mostly) · STIG windows 11 1 (mostly) · STIG windows server 2016 1 (mostly) · STIG windows server 2019 1 (mostly) · STIG windows server 2022 1 (mostly) · OWASP-Web 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A06:2025 Insecure Design.

NIST 800-53 r5 controls that address this weakness (54) [AI]

The 15 most specific controls are listed first; the 39 generic controls that address many weakness types follow in a second table.

Control | Title | Family | Why it addresses this CWE
PS-1 | Policy and Procedures | PS | Documented procedures for role definition, privilege assignment, and removal provide the management framework that prevents improper privilege management.
PS-2 | Position Risk Designation | PS | Periodic review of position risk levels forces re-evaluation of privilege assignments and prevents drift toward excessive rights for individuals.
PS-3 | Personnel Screening | PS | Vetting individuals before privilege assignment lowers the likelihood that privileges will be given to people who will misuse them, directly mitigating improper privilege management.
PM-10 | Authorization Process | PM | Designating specific roles and responsibilities for authorization and risk management directly mitigates improper privilege management across the organization.
PM-12 | Insider Threat Program | PM | A cross-discipline incident team detects and responds to improper privilege assignments or escalations by insiders.
PM-2 | Information Security Program Leadership Role | PM | Dedicated senior leadership with resources directly enables consistent organization-wide privilege management and enforcement of least privilege.
SC-2 | Separation of System and User Functionality | SC | The control enforces proper privilege boundaries by ensuring user functionality cannot invoke or manage system-level privileges.
SC-27 | Platform-independent Applications | SC | The abstraction layer of platform-independent applications allows centralized privilege management inside the runtime rather than scattered OS-level calls.
SC-3 | Security Function Isolation | SC | The control enforces separation so that privilege management decisions and operations for security functions cannot be influenced or subverted by non-security code.
AC-1 | Policy and Procedures | AC | Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
AC-13 | Supervision and Review — Access Control | AC | Access supervision ensures privileges are assigned and managed without improper escalation or retention.
AC-2 | Account Management | AC | Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.
CM-2 | Baseline Configuration | CM | Baseline configuration documents and controls privilege assignments, making improper privilege management harder to introduce or sustain.
CM-3 | Configuration Change Control | CM | Manages privileges for change control activities and provides oversight to prevent improper privilege use in configuration updates.
CM-4 | Impact Analyses | CM | Reviewing changes for security impacts prevents introduction of improper privilege assignments or escalations.
Broadly-applicable controls (39 more)

Control | Title | Family | Why it addresses this CWE
PS-4 | Personnel Termination | PS | Explicit revocation of privileges and access rights addresses improper privilege management after employment ends.
PS-5 | Personnel Transfer | PS | Requires explicit review and modification of privileges when personnel change roles, directly preventing improper ongoing privilege management.
PS-7 | External Personnel Security | PS | Mandates documented personnel security requirements and compliance monitoring for external providers' system privileges and credentials.
PS-8 | Personnel Sanctions | PS | A sanctions process enforces accountability for improper privilege assignments and management actions that breach policy.
PS-9 | Position Descriptions | PS | Documenting security and privacy duties per position provides the foundation for consistent and correct privilege management across the organization.
PM-29 | Risk Management Program Leadership Roles | PM | Senior risk management leadership and a cross-organization risk view enforce proper privilege management and prevent ad-hoc or inconsistent assignments.
PM-32 | Purposing | PM | Drives ongoing review and correction of privilege assignments that have drifted from intended operational need.
PM-7 | Enterprise Architecture | PM | Enterprise architecture incorporates least-privilege principles and role definitions organization-wide, addressing improper privilege management.
PM-9 | Risk Management Strategy | PM | Strategy development and consistent implementation enforce privilege management and least-privilege principles across systems.
SC-39 | Process Isolation | SC | Separate execution domains enforce privilege boundaries so that improper privilege management within one process cannot affect others.
SC-43 | Usage Restrictions | SC | Usage restrictions and implementation guidelines limit how privileges may be exercised with the specified components.
SC-49 | Hardware-enforced Separation and Policy Enforcement | SC | Hardware policy enforcement prevents improper privilege assignment or escalation across separated execution domains.
SC-50 | Software-enforced Separation and Policy Enforcement | SC | Policy enforcement mechanisms limit privilege escalation and improper privilege assignments across boundaries.
AC-25 | Reference Monitor | AC | Enforces proper privilege management by requiring all access decisions to pass through the verified reference monitor.
AC-5 | Separation of Duties | AC | By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
AC-6 | Least Privilege | AC | Implements proper privilege management at its core by restricting each actor to only the rights it requires.
CM-5 | Access Restrictions for Change | CM | Restricting who can perform changes helps ensure privileges are managed properly rather than assigned broadly.
CM-6 | Configuration Settings | CM | Managing and monitoring configuration settings supports proper privilege management and avoids improper assignments.
CM-9 | Configuration Management Plan | CM | Defines roles and responsibilities to ensure proper privilege management during configuration changes.
SA-14 | Criticality Analysis | SA | By determining which components are critical, the analysis drives proper privilege assignment and management for those components, limiting attacker escalation paths.
SA-16 | Developer-provided Training | SA | Developer training on implemented privilege management controls prevents improper assignment or escalation through correct configuration and operation.
SA-7 | User-installed Software | SA | Directly enforces proper management of the privileges required to install software.
SA-8 | Security and Privacy Engineering Principles | SA | Least-privilege and separation-of-duties principles prevent improper privilege management.
PL-11 | Baseline Tailoring | PL | Baseline tailoring enforces organization-specific privilege-management decisions rather than accepting generic high-water-mark settings.
PL-7 | Concept of Operations | PL | The documented concept of operations forces organizations to specify how privileges will be assigned, used, and reviewed, directly limiting improper privilege management in day-to-day operations.
PL-9 | Central Management | PL | Centralized privilege assignment and oversight prevent the ad-hoc or excessive privilege grants that occur when each system is configured independently.
AT-1 | Policy and Procedures | AT | Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
AT-3 | Role-based Training | AT | Training covers proper privilege management practices, making incorrect privilege assignments less likely.
CA-4 | Security Certification | CA | The control mandates review of privilege assignments to ensure they are appropriate and minimal.
CA-9 | Internal System Connections | CA | Terminating and reviewing connections manages the privileges associated with internal interfaces.
MA-5 | Maintenance Personnel | MA | Manages privileges by authorizing only approved personnel and supervising those lacking the required authorizations for maintenance.
MA-7 | Field Maintenance | MA | Maintenance typically requires elevated privileges; limiting field maintenance helps enforce proper privilege management.
PE-1 | Policy and Procedures | PE | Designates roles and review processes for managing physical privileges and access rights.
PE-16 | Delivery and Removal | PE | Manages physical access privileges by restricting who can deliver or remove system components.
RA-1 | Policy and Procedures | RA | Periodic policy-driven reviews of privileges and roles make improper privilege management more likely to be detected and corrected.
RA-10 | Threat Hunting | RA | Privilege abuse or escalation attempts are detectable via the indicators that threat hunting is designed to surface.
AU-6 | Audit Record Review, Analysis, and Reporting | AU | Review helps detect improper privilege management by flagging unauthorized privilege changes or uses.
CP-10 | System Recovery and Reconstitution | CP | Recovery ensures a return to a state with correctly assigned and managed privileges.
SI-1 | Policy and Procedures | SI | Policy mandates proper privilege assignment and review processes, making improper privilege management harder to overlook or sustain.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE | Flags | Risk | CVSS | EPSS | Published
CVE-2002-0367 | KEV | 10.0 | 7.8 | 0.0519 | 2002-06-25
CVE-2013-0643 | KEV | 10.0 | 8.8 | 0.1053 | 2013-02-27
CVE-2016-0151 | KEV | 10.0 | 7.8 | 0.6320 | 2016-04-12
CVE-2017-5689 | KEV | 10.0 | 9.8 | 0.9219 | 2017-05-02
CVE-2019-1215 | KEV | 10.0 | 7.8 | 0.1925 | 2019-09-11
CVE-2019-1388 | KEV | 10.0 | 7.8 | 0.0859 | 2019-11-12
CVE-2019-1405 | KEV | 10.0 | 7.8 | 0.2995 | 2019-11-12
CVE-2020-8655 | KEV | 10.0 | 7.8 | 0.5808 | 2020-02-07
CVE-2020-3950 | KEV | 10.0 | 7.8 | 0.0725 | 2020-03-17
CVE-2021-23874 | KEV | 10.0 | 8.2 | 0.0103 | 2021-02-10
CVE-2021-25337 | KEV | 10.0 | 4.4 | 0.0283 | 2021-03-04
CVE-2021-20021 | KEV | 10.0 | 9.8 | 0.8343 | 2021-04-09
CVE-2023-28434 | KEV | 10.0 | 8.8 | 0.0674 | 2023-03-22
CVE-2023-35674 | KEV | 10.0 | 7.8 | 0.0220 | 2023-09-11
CVE-2024-26169 | KEV, UPD | 10.0 | 7.8 | 0.0401 | 2024-03-12
CVE-2024-38014 | KEV | 10.0 | 7.8 | 0.0601 | 2024-09-10
CVE-2024-8068 | KEV | 10.0 | 8.0 | 0.0140 | 2024-11-12
CVE-2024-49035 | KEV | 10.0 | 8.7 | 0.0134 | 2024-11-26
CVE-2026-21533 | KEV | 10.0 | 7.8 | 0.0385 | 2026-02-10
CVE-2014-1510 | | 8.0 | 9.8 | 0.8234 | 2014-03-19
CVE-2014-1511 | | 8.0 | 9.8 | 0.8363 | 2014-03-19
CVE-2017-11467 | | 8.0 | 9.8 | 0.7307 | 2017-07-20
CVE-2017-12635 | | 8.0 | 9.8 | 0.9984 | 2017-11-14
CVE-2017-5254 | | 8.0 | 8.8 | 0.5370 | 2017-12-20
CVE-2020-3243 | | 8.0 | 9.8 | 0.8837 | 2020-04-15