Class weakness

Draft

CWE-653: Improper Isolation or Compartmentalization

Also known as: Separation of Privilege

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

Last updated May 1, 2026

50

Recorded CVEs

With this primary weakness

1

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Class

Abstraction

MITRE classification

Overview

When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users.

Real-world CVEs

50 recorded CVEs are caused by CWE-653 (Improper Isolation or Compartmentalization), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 11 new CWE-653 CVEs have been recorded so far in 2026 (26 in 2025).

Critical · CVSS 9.8 · EPSS 42th

2024-05-01

CVE-2026-0542

Remote Code Execution in ServiceNow AI Platform

Critical · CVSS 9.2 · EPSS 57th

2026-02-25

CVE-2025-4083

Process isolation bypass using "javascript:" URI links in cross-origin frames

Critical · CVSS 9.1 · EPSS 45th

2025-04-29

CVE-2025-34201

Vasion Print (formerly PrinterLogic) Lack of Network Segmentation Between Docker Instances

High · CVSS 8.5 · EPSS 22th

2025-09-19

CVE-2024-23683

Artemis Java Test Sandbox InvocationTargetException Subclass Escape

High · CVSS 8.2 · EPSS 39th

2024-01-19

CVE-2025-12805

Llama-stack-k8s-operator: llama stack service exposed across namespaces due to missing networkpolicy

High · CVSS 8.1 · EPSS 4th

2026-03-26

CVE-2023-1305

High · CVSS 8.1 · EPSS 56th

2023-03-21

CVE-2025-20109

High · CVSS 7.8 · EPSS 22th

2025-08-12

CVE-2024-0136

High · CVSS 7.6 · EPSS 27th

2025-01-28

CVE-2024-0135

High · CVSS 7.6 · EPSS 27th

2025-01-28

Showing 12 of 50 recorded CWE-653 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-653 vulnerabilities

Common consequences

What can happen when CWE-653 is exploited.

Gain Privileges or Assume Identity, Bypass Protection Mechanism

Affects: Access Control

The exploitation of a weakness in low-privileged areas of the software can be leveraged to reach higher-privileged areas without having to overcome any additional obstacles.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

How to prevent it

Practical mitigations for CWE-653, grouped by where in the lifecycle they apply.

Architecture and Design

Break up privileges between different modules, objects, or entities. Minimize the interfaces between modules and require strong access control between them.

How to detect it

Automated Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Effectiveness: SOAR Partial

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Effectiveness: High

Architecture or Design Review

According to SOAR, the following detection techniques may be useful:

Effectiveness: High

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

Single sign-on technology is intended to make it easier for users to access multiple resources or domains without having to authenticate each time. While this is highly convenient for the user and attempts to address problems with psychological acceptability, it also means that a compromise of a user's credentials can provide immediate access to all other resources or domains.

The traditional UNIX privilege model provides root with arbitrary access to all resources, but root is frequently the only user that has privileges. As a result, administrative tasks require root privileges, even if those tasks are limited to a small area, such as updating user manpages. Some UNIX flavors have a "bin" user that is the owner of system executables, but since root relies on executables owned by bin, a compromise of the bin account can be leveraged for root privileges by modifying a bin-owned executable, such as CVE-2007-4238.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2021-33096 — Improper isolation of shared resource in a network-on-chip leads to denial of service
CVE-2019-6260 — Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC's physical address space from the host, and possibly the network [REF-1138].

Terminology & mappings

Alternate terms

Separation of Privilege: Some people and publications use the term "Separation of Privilege" to describe this weakness, but this term has dual meanings in current usage. This node conflicts with the original definition of "Separation of Privilege" by Saltzer and Schroeder; that original definition is more closely associated with CWE-654. Because there are multiple interpretations, use of the "Separation of Privilege" term is discouraged.

Frequently asked questions

Common questions about CWE-653.

What is CWE-653?

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

What CVEs are caused by CWE-653?

50 recorded CVEs are attributed to CWE-653, including CVE-2025-21590, CVE-2025-1974, CVE-2024-33768. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

How do you prevent CWE-653?

Break up privileges between different modules, objects, or entities. Minimize the interfaces between modules and require strong access control between them.

How is CWE-653 detected?

Automated Static Analysis - Binary or Bytecode: According to SOAR, the following detection techniques may be useful:

What are the consequences of CWE-653?

Exploiting CWE-653 can lead to: Gain Privileges or Assume Identity, Bypass Protection Mechanism.

Is CWE-653 actively exploited?

Yes. 1 CWE-653 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 50 recorded CVEs.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-653

Get alerted the moment a new CWE-653 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis - Binary or Bytecode

Manual Static Analysis - Source Code

Architecture or Design Review

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Alternate terms

Frequently asked questions

What is CWE-653?

What CVEs are caused by CWE-653?

How do you prevent CWE-653?

How is CWE-653 detected?

What are the consequences of CWE-653?

Is CWE-653 actively exploited?

References

Stay ahead of CWE-653