Cyber Resilience

CWE · MITRE source

CWE-653: Improper Isolation or Compartmentalization

Abstraction: Class · CVEs in our corpus: 65

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 13 mapping(s) from 7 framework(s): ATT&CK 6 (mostly) · STIG rhel 9 2 (mostly) · OWASP-Web 1 (full) · STIG oracle linux 9 1 (mostly) · STIG windows 10 1 (partial) · STIG windows 11 1 (partial) · STIG windows server 2016 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A06:2025 Insecure Design.

NIST 800-53 r5 controls that address this weakness (26) · AI

The 15 most specific controls are listed first; the 11 generic controls that address many weakness types follow.

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-2 | Separation of System and User Functionality | SC | Directly requires isolation/compartmentalization of user services from system management functions. |
| SC-3 | Security Function Isolation | SC | The control directly supplies the compartmentalization that CWE-653 requires between security and non-security domains. |
| SC-32 | System Partitioning | SC | Directly implements isolation and compartmentalization by placing components into separate domains or environments. |
| SA-14 | Criticality Analysis | SA | Criticality analysis informs isolation and compartmentalization decisions for high-value components, reducing the attack surface that an adversary can reach after an initial compromise. |
| SA-17 | Developer Security and Privacy Architecture and Design | SA | Requires the architecture to show how functions work together as a unified protection approach, reducing improper isolation or compartmentalization. |
| SA-18 | Tamper Resistance and Detection | SA | Isolation and compartmentalization techniques are core to tamper resistance, limiting an attacker's ability to reach or alter protected components. |
| PM-19 | Privacy Program Leadership Role | PM | Organization-wide privacy program leadership ensures proper isolation and compartmentalization of personal data. |
| PM-24 | Data Integrity Board | PM | Oversight ensures data-matching activities maintain required isolation between distinct data sets and authorized user communities. |
| PM-32 | Purposing | PM | Verifies that mission-essential functions remain isolated and not repurposed across compartment boundaries. |
| AC-20 | Use of External Systems | AC | Defines isolation boundaries by specifying which external systems may access or process organization data. |
| AC-4 | Information Flow Enforcement | AC | Maintains isolation and compartmentalization by restricting flows between security domains or levels. |
| PL-7 | Concept of Operations | PL | The CONOPS must articulate isolation and compartmentalization expectations for security and privacy, making architectural failures in separation of duties or domains harder to overlook. |
| PL-8 | Security and Privacy Architectures | PL | Security architectures commonly incorporate isolation and compartmentalization strategies to limit the impact of compromises. |
| CA-9 | Internal System Connections | CA | Reviewing the continued need for connections supports isolation and compartmentalization. |
| PE-23 | Facility Location | PE | Locating systems away from hazards improves isolation and compartmentalization from external physical or environmental threats. |

Broadly applicable controls (11):

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-36 | Distributed Processing and Storage | SC | Explicitly distributes components to achieve compartmentalization, making it harder to exploit weak isolation boundaries between processing or storage elements. |
| SC-39 | Process Isolation | SC | The control is a direct realization of proper isolation and compartmentalization, eliminating the weakness of shared execution domains. |
| SC-46 | Cross Domain Policy Enforcement | SC | Policy enforcement between domains strengthens isolation and compartmentalization, reducing the ability to exploit weak separation of security contexts. |
| SC-47 | Alternate Communications Paths | SC | Providing a distinct alternate path directly implements compartmentalization of critical command-and-control communications. |
| SC-49 | Hardware-enforced Separation and Policy Enforcement | SC | The control explicitly provides hardware-backed isolation and compartmentalization between domains or components. |
| SC-50 | Software-enforced Separation and Policy Enforcement | SC | Explicitly requires isolation and compartmentalization mechanisms that address failures in separating security domains. |
| SA-23 | Specialization | SA | Dedicated specialized components isolate mission-essential services from general-purpose systems, strengthening compartmentalization. |
| SA-24 | Design For Cyber Resiliency | SA | Common cyber resiliency techniques include compartmentalization and isolation to limit blast radius, directly addressing improper isolation. |
| SA-8 | Security and Privacy Engineering Principles | SA | Separation-of-privilege and least-common-mechanism principles enforce proper isolation. |
| PM-7 | Enterprise Architecture | PM | Architecture explicitly designs isolation, segmentation, and compartmentalization (e.g., networks, data flows), preventing improper isolation weaknesses. |
| SI-22 | Information Diversity | SI | Implements compartmentalization across independent information sources so that compromise of one does not disable essential operations. |

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Flags | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|---|
| CVE-2025-21590 | KEV | 10.0 | 4.4 | 0.0166 | 2025-03-12 |
| CVE-2025-1974 | | 8.0 | 9.8 | 0.9910 | 2025-03-25 |
| CVE-2024-33768 | | 7.0 | 9.8 | 0.0085 | 2024-05-01 |
| CVE-2025-4083 | UPD | 7.0 | 9.1 | 0.0038 | 2025-04-29 |
| CVE-2026-4692 | UPD | 7.0 | 10.0 | 0.0049 | 2026-03-24 |
| CVE-2026-24781 | UPD | 7.0 | 9.8 | 0.0115 | 2026-05-04 |
| CVE-2026-26332 | UPD | 7.0 | 9.8 | 0.0071 | 2026-05-04 |
| CVE-2026-26956 | UPD | 7.0 | 9.8 | 0.0092 | 2026-05-04 |
| CVE-2026-8401 | UPD | 7.0 | 9.8 | 0.0031 | 2026-05-12 |
| CVE-2026-43997 | UPD | 7.0 | 10.0 | 0.0098 | 2026-05-13 |
| CVE-2026-44005 | UPD | 7.0 | 10.0 | 0.0084 | 2026-05-13 |
| CVE-2026-44009 | UPD | 7.0 | 9.8 | 0.0081 | 2026-05-13 |
| CVE-2026-12295 | UPD | 7.0 | 9.6 | 0.0039 | 2026-06-16 |
| CVE-2026-12297 | UPD | 7.0 | 9.6 | 0.0039 | 2026-06-16 |
| CVE-2025-57738 | | 6.0 | 7.2 | 0.2311 | 2025-10-20 |
| CVE-2023-1305 | | 5.5 | 8.1 | 0.0078 | 2023-03-21 |
| CVE-2024-23682 | UPD | 5.5 | 8.2 | 0.0035 | 2024-01-19 |
| CVE-2024-23683 | UPD | 5.5 | 8.2 | 0.0036 | 2024-01-19 |
| CVE-2024-47520 | | 5.5 | 7.6 | 0.0040 | 2025-01-10 |
| CVE-2024-0135 | | 5.5 | 7.6 | 0.0109 | 2025-01-28 |
| CVE-2024-0136 | | 5.5 | 7.6 | 0.0066 | 2025-01-28 |
| CVE-2025-3086 | | 5.5 | 7.1 | 0.0037 | 2025-04-04 |
| CVE-2025-5476 | UPD | 5.5 | 8.8 | 0.0031 | 2025-06-21 |
| CVE-2025-41688 | UPD | 5.5 | 7.2 | 0.0064 | 2025-07-31 |
| CVE-2025-20109 | UPD | 5.5 | 7.8 | 0.0013 | 2025-08-12 |