CWE · MITRE source
CWE-653: Improper Isolation or Compartmentalization
The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users.
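The two sentences above describe a structural weakness rather than a single bug: the same defect in user-reachable code does very different damage depending on whether a boundary separates it from privileged state. The following Python example is added here to make that concrete; it is not code from MITRE or from any product. It builds a hypothetical report renderer that any user may call and gives it the same template-injection bug in two designs. In the monolithic design the renderer shares a process and object graph with an admin-only secret store, so the low-privilege bug reads the admin key. In the compartmentalized design the identical renderer runs in a child process that is handed only the caller's own fields, so the same bug reaches nothing the caller did not already own. Every class, name and the sample key are constructed for the example.

```python
"""
Worked illustration of CWE-653 (added example, not code from the original
page). The same weak renderer runs with and without a privilege boundary.
"""
import json
import subprocess
import sys


class AdminSecrets:
    """Admin-only state. The key is a constructed sample, not a real credential."""

    def __init__(self) -> None:
        self.api_key = "ADMIN-API-KEY-sample"


class App:
    """Shared application state that both admin and user code paths can reach."""

    def __init__(self) -> None:
        self.secrets = AdminSecrets()


class User:
    """Per-request user object; holds a back-reference to the shared App."""

    def __init__(self, name: str, app: App) -> None:
        self.name = name
        self.app = app


# Attacker-controlled template (constructed). The bug exploited is attribute
# traversal through str.format; the weakness this page describes is that no
# boundary stops that traversal from crossing into admin-only state.
ATTACK_TEMPLATE = "Hello {user.name}, key={user.app.secrets.api_key}"


def render_template(template: str, user_ctx) -> str:
    """Deliberately weak renderer shared by both designs: str.format lets the
    template walk attributes of whatever object it is handed."""
    return template.format(user=user_ctx)


def render_monolithic(template: str, username: str) -> str:
    """No boundary: the renderer sees a User wired to the live App, and
    therefore to AdminSecrets."""
    app = App()
    return render_template(template, User(username, app))


# Source of the child process. It reads JSON on stdin, builds a namespace
# from the caller's fields only, and writes JSON. No App, no AdminSecrets
# exist in its address space.
CHILD_SRC = r"""
import json, sys, types
req = json.load(sys.stdin)
user = types.SimpleNamespace(**req["user"])
try:
    out = {"ok": True, "text": req["template"].format(user=user)}
except Exception as exc:                     # the same bug, now contained
    out = {"ok": False, "error": type(exc).__name__}
print(json.dumps(out))
"""


def render_compartmentalized(template: str, username: str) -> dict:
    """Boundary: the renderer runs in a separate interpreter (-I is isolated
    mode: PYTHON* environment variables and user site-packages are ignored)
    and is handed a narrow, data-only interface: the caller's fields as JSON."""
    req = {"template": template, "user": {"name": username}}
    proc = subprocess.run(
        [sys.executable, "-I", "-c", CHILD_SRC],
        input=json.dumps(req),
        capture_output=True,
        text=True,
        timeout=10,
        check=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print("monolithic       :", render_monolithic(ATTACK_TEMPLATE, "alice"))
    print("compartmentalized:", render_compartmentalized(ATTACK_TEMPLATE, "alice"))
    print("benign template  :", render_compartmentalized("Hello {user.name}", "alice"))
```

The renderer bug is left in place in both designs on purpose: the point of CWE-653 is the missing boundary, not the bug behind it. The child process here is only a data boundary; a production compartment would also run it under a separate account with seccomp, namespaces or an equivalent OS sandbox (the SC-39 and SC-50 controls listed below), so that a fully compromised renderer still cannot reach the parent's files or sockets.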
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 13 mappings from 7 frameworks: ATT&CK 6 (mostly) · STIG rhel 9 2 (mostly) · OWASP-Web 1 (full) · STIG oracle linux 9 1 (mostly) · STIG windows 10 1 (partial) · STIG windows 11 1 (partial) · STIG windows server 2016 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A06:2025 Insecure Design.
NIST 800-53 r5 controls that address this weakness (26) [AI]
Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-2 | Separation of System and User Functionality | SC | Directly requires user-facing services to be isolated from system management functions, the boundary CWE-653 says is missing. |
| SC-3 | Security Function Isolation | SC | Requires security functions to be isolated from non-security functions; this is the compartmentalization between trust domains that CWE-653 lacks. |
| SC-32 | System Partitioning | SC | Directly implements isolation by placing components with different trust requirements into separate physical or logical domains. |
| SA-14 | Criticality Analysis | SA | Criticality analysis informs which high-value components to isolate, limiting what an adversary can reach after an initial compromise. Withdrawn in Rev 5 and incorporated into RA-9 (Criticality Analysis). |
| SA-17 | Developer Security and Privacy Architecture and Design | SA | Requires the developer's architecture to show how security functions fit together as a unified protection approach, which surfaces missing isolation boundaries early. |
| SA-18 | Tamper Resistance and Detection | SA | Isolation and compartmentalization are core tamper-resistance techniques, limiting an attacker's ability to reach or alter protected components. Withdrawn in Rev 5 and incorporated into SR-9 (Tamper Resistance and Detection). |
| PM-19 | Privacy Program Leadership Role | PM | Organization-wide privacy program leadership sets the expectation that personal data is compartmentalized from functions that do not need it. |
| PM-24 | Data Integrity Board | PM | Oversight ensures data-matching activities keep distinct data sets and their authorized user communities separated. |
| PM-32 | Purposing | PM | Verifies that mission-essential functions stay dedicated to their purpose and are not repurposed across compartment boundaries. |
| AC-20 | Use of External Systems | AC | Defines an isolation boundary by specifying which external systems may access or process organization data. |
| AC-4 | Information Flow Enforcement | AC | Maintains compartmentalization by restricting which information may flow between security domains or levels. |
| PL-7 | Concept of Operations | PL | The CONOPS must articulate isolation and compartmentalization expectations for security and privacy, making failures in separation of duties or domains harder to overlook. |
| PL-8 | Security and Privacy Architectures | PL | Security architectures commonly build in isolation and compartmentalization to limit the impact of a compromise. |
| CA-9 | Internal System Connections | CA | Reviewing whether each internal connection is still needed removes unnecessary paths across isolation boundaries. |
| PE-23 | Facility Location | PE | Siting systems away from physical hazards isolates them from environmental threats; this is physical separation, not the privilege-boundary separation CWE-653 is about, so the fit is weak. |
The remaining 11 controls are broadly applicable across many weakness types:

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-36 | Distributed Processing and Storage | SC | Distributes components across locations or environments so that a weak boundary around one processing or storage element is not a single point of compromise. |
| SC-39 | Process Isolation | SC | A direct realization of isolation: each process runs in its own execution domain, removing the shared-domain condition that lets a low-privilege flaw reach high-privilege state. |
| SC-46 | Cross Domain Policy Enforcement | SC | Policy enforcement between domains strengthens the boundary, reducing the ability to exploit weak separation of security contexts. |
| SC-47 | Alternate Communications Paths | SC | A distinct alternate path compartmentalizes critical command-and-control communications from ordinary traffic. |
| SC-49 | Hardware-enforced Separation and Policy Enforcement | SC | Provides hardware-backed isolation between domains or components, so a software flaw cannot bypass the boundary. |
| SC-50 | Software-enforced Separation and Policy Enforcement | SC | Requires software isolation and policy-enforcement mechanisms that address failures in separating security domains. |
| SA-23 | Specialization | SA | Dedicated specialized components isolate mission-essential services from general-purpose systems. |
| SA-24 | Design For Cyber Resiliency | SA | Cyber resiliency techniques include compartmentalization and isolation to limit blast radius. |
| SA-8 | Security and Privacy Engineering Principles | SA | The separation-of-privilege and least-common-mechanism principles call directly for the boundaries CWE-653 lacks. |
| PM-7 | Enterprise Architecture | PM | The enterprise architecture designs in segmentation and compartmentalization (networks, data flows), preventing improper isolation at the design stage. |
| SI-22 | Information Diversity | SI | Compartmentalizes across independent information sources so that compromise of one does not disable essential operations. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-21590 (KEV) | 10.0 | 4.4 | 0.0166 | 2025-03-12 |
| CVE-2025-1974 | 8.0 | 9.8 | 0.9910 | 2025-03-25 |
| CVE-2024-33768 | 7.0 | 9.8 | 0.0085 | 2024-05-01 |
| CVE-2025-4083 (UPD) | 7.0 | 9.1 | 0.0038 | 2025-04-29 |
| CVE-2026-4692 (UPD) | 7.0 | 10.0 | 0.0049 | 2026-03-24 |
| CVE-2026-24781 (UPD) | 7.0 | 9.8 | 0.0115 | 2026-05-04 |
| CVE-2026-26332 (UPD) | 7.0 | 9.8 | 0.0071 | 2026-05-04 |
| CVE-2026-26956 (UPD) | 7.0 | 9.8 | 0.0092 | 2026-05-04 |
| CVE-2026-8401 (UPD) | 7.0 | 9.8 | 0.0031 | 2026-05-12 |
| CVE-2026-43997 (UPD) | 7.0 | 10.0 | 0.0098 | 2026-05-13 |
| CVE-2026-44005 (UPD) | 7.0 | 10.0 | 0.0084 | 2026-05-13 |
| CVE-2026-44009 (UPD) | 7.0 | 9.8 | 0.0081 | 2026-05-13 |
| CVE-2026-12295 (UPD) | 7.0 | 9.6 | 0.0039 | 2026-06-16 |
| CVE-2026-12297 (UPD) | 7.0 | 9.6 | 0.0039 | 2026-06-16 |
| CVE-2025-57738 | 6.0 | 7.2 | 0.2311 | 2025-10-20 |
| CVE-2023-1305 | 5.5 | 8.1 | 0.0078 | 2023-03-21 |
| CVE-2024-23682 (UPD) | 5.5 | 8.2 | 0.0035 | 2024-01-19 |
| CVE-2024-23683 (UPD) | 5.5 | 8.2 | 0.0036 | 2024-01-19 |
| CVE-2024-47520 | 5.5 | 7.6 | 0.0040 | 2025-01-10 |
| CVE-2024-0135 | 5.5 | 7.6 | 0.0109 | 2025-01-28 |
| CVE-2024-0136 | 5.5 | 7.6 | 0.0066 | 2025-01-28 |
| CVE-2025-3086 | 5.5 | 7.1 | 0.0037 | 2025-04-04 |
| CVE-2025-5476 (UPD) | 5.5 | 8.8 | 0.0031 | 2025-06-21 |
| CVE-2025-41688 (UPD) | 5.5 | 7.2 | 0.0064 | 2025-07-31 |
| CVE-2025-20109 (UPD) | 5.5 | 7.8 | 0.0013 | 2025-08-12 |