Abstraction: Base. Status: Incomplete.

CWE-273: Improper Check for Dropped Privileges

Category: authz

Description

The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. If the drop fails, the product will continue to run with the raised privileges, which might provide additional access to unprivileged users.

Common consequences (2)

  • Access Control — Gain Privileges or Assume Identity
    If privileges are not dropped, neither are the access rights of the user. Often the drop itself can be prevented, so those rights are retained.
  • Access Control / Non-Repudiation — Gain Privileges or Assume Identity, Hide Activities
    If privileges are not dropped, in some cases the system may record actions as the impersonated user rather than as the impersonator.

Potential mitigations (3)

  • [Architecture and Design]
  • [Implementation] Check the results of all functions that return a value and verify that the value is expected.
  • [Implementation] In Windows, make sure that the process token has the SeImpersonatePrivilege (Microsoft Server 2003). Code that relies on impersonation for security must ensure that the impersonation succeeded, i.e., that a proper privilege demotion happened.
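An added example (not part of this CWE record or the cs-graph corpus) of the Implementation mitigation above on POSIX: a privilege drop in C that checks every call and then verifies the resulting identity, returning an error so the caller aborts instead of continuing with raised privileges. The names drop_privileges and verify_dropped are the example's own; the unchecked pattern this CWE describes is the same sequence with the return values ignored.

```c
#define _GNU_SOURCE            /* for setgroups() in <grp.h> on glibc/musl */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Confirm the drop rather than assume it: real and effective ids must match
 * the target, and a process that truly gave up root must be refused when it
 * asks for it back (probe skipped when the target itself is root). 0 = confirmed. */
int verify_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* regained root: not dropped */
    return 0;
}

/* Hardened drop: check each call, keep the order groups -> gid -> uid (once the
 * uid is unprivileged the group changes would be refused), then verify.
 * Returns 0 on success, -1 on any failure so the caller can abort. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only a privileged process may clear supplementary groups. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        fprintf(stderr, "setgroups: %s\n", strerror(errno));
        return -1;
    }
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%u): %s\n", (unsigned)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%u): %s\n", (unsigned)uid, strerror(errno));
        return -1;
    }
    return verify_dropped(uid, gid);
}

/* Typical use in a setuid-root helper: drop back to the invoking user and
 * refuse to continue if that cannot be confirmed. */
int main(void)
{
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed, aborting\n");
        return 1;
    }
    return 0;
}
```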

References

  1. https://cwe.mitre.org/data/definitions/273.html

Incoming relationships (4)

  • Vulnerability: CVE-2025-27396 (cve-2025-27396), confidence 0%, tier live
  • Vulnerability: CVE-2026-21882 (cve-2026-21882), confidence 0%, tier live
  • Vulnerability: CVE-2026-32107 (cve-2026-32107), confidence 0%, tier live
  • KEVEntry: VMware vCenter Server Privilege Escalation Vulnerability (kev-cve-2024-38813), confidence 0%, tier live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Privilege Dropping / Lowering Errors
  • CWE: Improper Handling of Insufficient Privileges
  • CWE: Improper Handling of Insufficient Permissions or Privileges
  • CWE: Execution with Unnecessary Privileges
  • CWE: Improper Privilege Management
  • CWE: Improper Access Control

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.