Base weakness

Draft

CWE-250: Execution with Unnecessary Privileges

Also known as: Excessive Agency

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Last updated May 1, 2026

298

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Medium

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-250 (Execution with Unnecessary Privileges) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This code temporarily raises the program's privileges to allow creation of a new user folder.

Vulnerable example

python

def makeNewUserDir(username):

While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur.

The following code calls chroot() to restrict the application to a subset of the filesystem below APP_HOME in order to prevent an attacker from using the program to gain unauthorized access to files located elsewhere. The code then opens a file specified by the user and processes the contents of the file.

Vulnerable example

chroot(APP_HOME);

Constraining the process inside the application's home directory before opening any files is a valuable security measure. However, the absence of a call to setuid() with some non-zero value means the application is continuing to operate with unnecessary root privileges. Any successful exploit carried out by an attacker against the application can now result in a privilege escalation attack because any malicious operations will be performed with the privileges of the superuser. If the application drops to the privilege level of a non-root user, the potential for damage is substantially reduced.

This application intends to use a user's location to determine the timezone the user is in:

Vulnerable example

java

locationClient = new LocationClient(this, this, this);

This is unnecessary use of the location API, as this information is already available using the Android Time API. Always be sure there is not another way to obtain needed information before resorting to using the location API.

CWE-250: Execution with Unnecessary Privileges (Excessive Agency)

CWE-250: Execution with Unnecessary Privileges

Overview

CWE-250: Execution with Unnecessary Privileges

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Manual Analysis

Black Box

Automated Static Analysis - Binary or Bytecode

Manual Static Analysis - Binary or Bytecode

Dynamic Analysis with Automated Results Interpretation

Dynamic Analysis with Manual Results Interpretation

Code examples

Illustrative examples

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-250?

What CVEs are caused by CWE-250?

How do you prevent CWE-250?

How is CWE-250 detected?

What are the consequences of CWE-250?

Is CWE-250 actively exploited?

References

Stay ahead of CWE-250

Manual Static Analysis - Source Code

Automated Static Analysis - Source Code

Automated Static Analysis

Architecture or Design Review

Overview

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Manual Analysis

Black Box

Automated Static Analysis - Binary or Bytecode

Manual Static Analysis - Binary or Bytecode

Dynamic Analysis with Automated Results Interpretation

Dynamic Analysis with Manual Results Interpretation

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-250?

What CVEs are caused by CWE-250?

How do you prevent CWE-250?

How is CWE-250 detected?

What are the consequences of CWE-250?

Is CWE-250 actively exploited?

References

Stay ahead of CWE-250

Manual Static Analysis - Source Code

Automated Static Analysis - Source Code

Automated Static Analysis

Architecture or Design Review