CWE · MITRE source
CWE-276: Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
Last updated: 04 July 2026 08:17 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 12 mapping(s) from 6 framework(s): ATT&CK 4 (partial) · STIG windows server 2016 2 (mostly) · STIG windows server 2019 2 (mostly) · STIG windows server 2022 2 (mostly) · CAPEC 1 (partial) · OWASP-Web 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
NIST 800-53 r5 controls that address this weakness (11)
The 10 most specific controls are listed first; the one broadly applicable control (CM-9) follows at the end of the table.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CM-1 | Policy and Procedures | CM | Establishes requirements for appropriate default permissions on system resources as part of configuration management. |
| CM-2 | Baseline Configuration | CM | Baseline establishment and updates on install/upgrade ensure correct default permissions rather than insecure ones. |
| CM-6 | Configuration Settings | CM | Requiring the most restrictive settings instead of defaults prevents incorrect default permissions on resources. |
| AC-1 | Policy and Procedures | AC | Access control policy can specify and enforce secure default permissions for resources. |
| AC-6 | Least Privilege | AC | Guides setting of default permissions to the minimum required level. |
| PL-11 | Baseline Tailoring | PL | Tailoring explicitly overrides or scopes default permission assignments in the baseline to match the system's actual risk and operational needs. |
| PL-9 | Central Management | PL | A central authority can define and push correct default permissions, eliminating the common practice of leaving insecure defaults on individual hosts. |
| SA-16 | Developer-provided Training | SA | Training covers proper setting of permissions on resources, reducing incorrect default or inherited permissions after deployment. |
| SA-5 | System Documentation | SA | Administrator documentation on secure configuration and default settings prevents incorrect default permissions from remaining in place. |
| PE-1 | Policy and Procedures | PE | Requires addressing secure default permissions in physical and environmental protection controls. |
| CM-9 | Configuration Management Plan | CM | Requires documented processes that include setting and maintaining correct default permissions for configuration items. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2013-0632 (KEV) | 10.0 | 9.8 | 0.9369 | 2013-01-17 |
| CVE-2022-22948 (KEV) | 10.0 | 6.5 | 0.1394 | 2022-03-29 |
| CVE-2017-11610 | 8.0 | 8.8 | 0.8754 | 2017-08-23 |
| CVE-2023-29919 | 8.0 | 9.1 | 0.6022 | 2023-05-23 |
| CVE-1999-0426 | 7.0 | 9.8 | 0.1056 | 1999-03-01 |
| CVE-2017-5642 | 7.0 | 9.8 | 0.0189 | 2017-04-03 |
| CVE-2017-0847 | 7.0 | 9.8 | 0.0043 | 2017-11-16 |
| CVE-2017-16127 | 7.0 | 9.8 | 0.0146 | 2018-06-07 |
| CVE-2017-16128 | 7.0 | 9.8 | 0.0146 | 2018-06-07 |
| CVE-2019-12450 | 7.0 | 9.8 | 0.0260 | 2019-05-29 |
| CVE-2019-17124 | 7.0 | 9.8 | 0.2312 | 2019-10-09 |
| CVE-2019-17383 | 7.0 | 9.8 | 0.0229 | 2019-10-09 |
| CVE-2019-19392 | 7.0 | 9.8 | 0.0139 | 2020-01-21 |
| CVE-2019-19896 | 7.0 | 9.9 | 0.0303 | 2020-01-23 |
| CVE-2020-8114 | 7.0 | 9.8 | 0.0138 | 2020-02-05 |
| CVE-2020-9039 | 7.0 | 9.8 | 0.0384 | 2020-02-22 |
| CVE-2019-20536 | 7.0 | 9.8 | 0.0043 | 2020-03-24 |
| CVE-2020-12834 | 7.0 | 9.8 | 0.1107 | 2020-05-15 |
| CVE-2020-9409 | 7.0 | 9.8 | 0.0338 | 2020-05-20 |
| CVE-2020-11716 | 7.0 | 9.8 | 0.0136 | 2020-05-20 |
| CVE-2020-6469 | 7.0 | 9.6 | 0.0116 | 2020-05-21 |
| CVE-2020-6471 | 7.0 | 9.6 | 0.0140 | 2020-05-21 |
| CVE-2017-18915 | 7.0 | 9.8 | 0.0118 | 2020-06-19 |
| CVE-2020-10279 | 7.0 | 9.8 | 0.0097 | 2020-06-24 |
| CVE-2020-29491 | 7.0 | 10.0 | 0.0185 | 2021-01-04 |