CWE-273: Improper Check for Dropped Privileges
The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.
Last updated
Overview
If the drop fails, the product will continue to run with the raised privileges, which might provide additional access to unprivileged users.
Background
In Windows based environments that have access control, impersonation is used so that access checks can be performed on a client identity by a server with higher privileges. By impersonating the client, the server is restricted to client-level security -- although in different threads it may have much higher privileges.
Real-world CVEs
21 recorded CVEs are caused by CWE-273 (Improper Check for Dropped Privileges), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 3 new CWE-273 CVEs have been recorded so far in 2026 (2 in 2025).
- CVE-2024-38813CISA KEV
Privilege escalation vulnerability
Critical · CVSS 9.0 · EPSS 97th2024-09-17 - CVE-2023-34844Critical · CVSS 9.8 · EPSS 57th2023-06-29
- CVE-2021-36372Critical · CVSS 9.8 · EPSS 82th2021-11-19
- CVE-2026-32107
xrdp: Fail-open privilege drop in sesexec — child processes may execute as root if setuid fails
High · CVSS 8.8 · EPSS 5th2026-04-17 - CVE-2024-8382High · CVSS 8.8 · EPSS 43th2024-09-03
- CVE-2026-60085
PraisonAI before 4.6.78 Unenforced Security Policy in Subprocess Sandbox
High · CVSS 8.7 · EPSS 15th2026-07-15 - CVE-2025-27396High · CVSS 8.7 · EPSS 33th2025-03-11
- CVE-2025-1003
HP Anyware Agent for Linux – Potential Authentication Bypass
High · CVSS 8.5 · EPSS 15th2025-02-03 - CVE-2023-34322
top-level shadow reference dropped too early for 64-bit PV guests
High · CVSS 7.8 · EPSS 14th2024-01-05 - CVE-2023-35692High · CVSS 7.8 · EPSS 0th2023-07-14
- CVE-2022-0358High · CVSS 7.8 · EPSS 25th2022-08-29
- CVE-2019-18276High · CVSS 7.8 · EPSS 84th2019-11-28
Showing 12 of 21 recorded CWE-273 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-273 vulnerabilitiesCommon consequences
What can happen when CWE-273 is exploited.
Gain Privileges or Assume Identity
Affects: Access Control
If privileges are not dropped, neither are access rights of the user. Often these rights can be prevented from being dropped.
Gain Privileges or Assume Identity, Hide Activities
Affects: Access Control, Non-Repudiation
If privileges are not dropped, in some cases the system may record actions as the user which is being impersonated rather than the impersonator.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-273, grouped by where in the lifecycle they apply.
Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Check the results of all functions that return a value and verify that the value is expected.
Effectiveness: High — Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment.
In Windows, make sure that the process token has the SeImpersonatePrivilege(Microsoft Server 2003). Code that relies on impersonation for security must ensure that the impersonation succeeded, i.e., that a proper privilege demotion happened.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code attempts to take on the privileges of a user before creating a file, thus avoiding performing the action with unnecessarily high privileges:
Vulnerable example
bool DoSecureStuff(HANDLE hPipe) {The call to ImpersonateNamedPipeClient may fail, but the return value is not checked. If the call fails, the code may execute with higher privileges than intended. In this case, an attacker could exploit this behavior to write a file to a location that the attacker does not have access to.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2006-4447 — Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail.
- CVE-2006-2916 — Program does not check return value when invoking functions to drop privileges, which could leave users with higher privileges than expected by forcing those functions to fail.
Terminology & mappings
Mapped taxonomies
- CLASP: Failure to check whether privileges were dropped successfully
- CERT C Secure Coding: Ensure that privilege relinquishment is successful (POS37-C) — Exact fit
- Software Fault Patterns: Unchecked Status Condition (SFP4)
Frequently asked questions
Common questions about CWE-273.
- What is CWE-273?
- The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.
- What CVEs are caused by CWE-273?
- 21 recorded CVEs are attributed to CWE-273, including CVE-2024-38813, CVE-2023-34844, CVE-2021-36372. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-273?
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- How is CWE-273 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-273?
- Exploiting CWE-273 can lead to: Gain Privileges or Assume Identity, Hide Activities.
- Is CWE-273 actively exploited?
- Yes. 1 CWE-273 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 21 recorded CVEs.
References
- MITRE CWE definition (CWE-273) (opens in a new tab)
- CWE-273 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-273
Get alerted the moment a new CWE-273 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.