CWE-732: Incorrect Permission Assignment for Critical Resource — known CVE vulnerabilities
CVEs classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-9508: Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be…
CVE-2025-14988: A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may…
CVE-2025-69426: The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account…
CVE-2025-12004: Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows…
CVE-2014-125121: Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused…
CVE-2025-46093 — CVSS 9.9 (critical): LiquidFiles before 4.1.2 supports FTP SITE CHMOD for mode 6777 (setuid and setgid), which allows FTPDrop users to execute arbitrary code as…
CVE-2025-0066 — CVSS 9.9 (critical): Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access…
CVE-2024-5618 — CVSS 9.9 (critical): Incorrect Permission Assignment for Critical Resource vulnerability in PruvaSoft Informatics Apinizer Management Console allows Accessing…
CVE-2023-40622 — CVSS 9.9 (critical): SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, under certain condition allows an…
CVE-2022-28802 — CVSS 9.9 (critical): Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code. In other…
CVE-2021-33509 — CVSS 9.9 (critical): Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText…
CVE-2026-21902 — CVSS 9.8 (critical): An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos…
CVE-2025-8042 — CVSS 9.8 (critical): Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in…
CVE-2025-45150 — CVSS 9.8 (critical): Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive files via…
CVE-2025-43243 — CVSS 9.8 (critical): A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS…
CVE-2025-25373 — CVSS 9.8 (critical): The Memory Management Module of NASA cFS (Core Flight System) Aquila has insecure permissions, which can be exploited to gain an RCE on the…
CVE-2024-57520 — CVSS 9.8 (critical): Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function…
CVE-2024-41647 — CVSS 9.8 (critical): Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute…
CVE-2024-10018 — CVSS 9.8 (critical): Improper permission control in the mobile application (com.transsion.aivoiceassistant) can lead to the launch of any unexported component.
CVE-2024-24117 — CVSS 9.8 (critical): Insecure Permissions vulnerability in Ruijie RG-NBS2009G-P RGOS v.10.4(1)P2 Release (9736) allows a remote attacker to gain privileges via…
CVE-2024-6360 — CVSS 9.8 (critical): Incorrect Permission Assignment for Critical Resource vulnerability in OpenText™ Vertica could allow Privilege Abuse and result in…
CVE-2024-8039 — CVSS 9.8 (critical): Improper permission configurationDomain configuration vulnerability of the mobile application (com.afmobi.boomplayer) can lead to account…
CVE-2024-5163 — CVSS 9.8 (critical): Improper permission settings for mobile applications (com.transsion.carlcare) may lead to user password and account security risks.
CVE-2020-36770 — CVSS 9.8 (critical): pkg_postinst in the Gentoo ebuild for Slurm through 22.05.3 unnecessarily calls chown to assign root's ownership on files in the live root…
CVE-2023-46141 — CVSS 9.8 (critical): Incorrect Permission Assignment for Critical Resource vulnerability in multiple products of the PHOENIX CONTACT classic line allow an…
CVE-2023-6593 — CVSS 9.8 (critical): Client side permission bypass in Devolutions Remote Desktop Manager 2023.3.4.0 and earlier on iOS allows an attacker that has access to the…
CVE-2023-39004 — CVSS 9.8 (critical): Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2…
CVE-2023-24205 — CVSS 9.8 (critical): Clash for Windows v0.20.12 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via overwriting the…
CVE-2017-20148 — CVSS 9.8 (critical): In the ebuild package through logcheck-1.3.23.ebuild for Logcheck on Gentoo, it is possible to achieve root privilege escalation from the…
CVE-2020-27836 — CVSS 9.8 (critical): A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow…
CVE-2022-33175 — CVSS 9.8 (critical): Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 have an insecure permissions setting on the…
CVE-2021-29396 — CVSS 9.8 (critical): Systemic Insecure Permissions in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to use…
CVE-2021-22566 — CVSS 9.8 (critical): An incorrect setting of UXN bits within mmu_flags_to_s1_pte_attr lead to privileged executable pages being mapped as executable from an…
CVE-2021-41170 — CVSS 9.8 (critical): neoan3-apps/template is a neoan3 minimal template engine. Versions prior to 1.1.1 have allowed for passing in closures directly into the…
CVE-2021-41589 — CVSS 9.8 (critical): In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code…
CVE-2020-28910 — CVSS 9.8 (critical): Creation of a Temporary Directory with Insecure Permissions in Nagios XI 5.7.5 and earlier allows for Privilege Escalation via creation of…
CVE-2020-25011 — CVSS 9.8 (critical): A sensitive information disclosure vulnerability in Kyland KPS2204 6 Port Managed Din-Rail Programmable Serial Device Servers Software…
CVE-2020-11831 — CVSS 9.8 (critical): OvoiceManager has system permission to write vulnerability reports for arbitrary files, affected product is com.oppo.ovoicemanager V2.0.1.
CVE-2020-12842 — CVSS 9.8 (critical): ismartgate PRO 1.5.9 is vulnerable to privilege escalation by appending PHP code to /cron/checkUserExpirationDate.php.
CVE-2020-12839 — CVSS 9.8 (critical): ismartgate PRO 1.5.9 is vulnerable to privilege escalation by appending PHP code to /cron/checkExpirationDate.php.
CVE-2020-24355 — CVSS 9.8 (critical): Zyxel VMG5313-B30B router on firmware 5.13(ABCJ.6)b3_1127, and possibly older versions of firmware are affected by insecure permissions…
CVE-2020-9671 — CVSS 9.8 (critical): Adobe Creative Cloud Desktop Application versions 5.1 and earlier have an insecure file permissions vulnerability. Successful exploitation…
CVE-2020-9024 — CVSS 9.8 (critical): Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by…
CVE-2019-8256 — CVSS 9.8 (critical): ColdFusion versions Update 6 and earlier have an insecure inherited permissions of default installation directory vulnerability. Successful…
CVE-2011-3923 — CVSS 9.8 (critical): Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary…