Privilege Escalation
Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted.
How It Works
Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted. The attack exploits the gap between what the system thinks a user can do and what they actually can do through manipulation or exploitation.
Vertical escalation is the classic form—a regular user obtaining administrator rights. This happens through kernel exploits that bypass OS-level security, misconfigurations in role-based access control (RBAC) that fail to enforce boundaries, or direct manipulation of authorization tokens and session data. Horizontal escalation involves accessing resources belonging to users at the same privilege level, typically through insecure direct object references (IDOR) where changing an ID in a request grants access to another user's data.
Context-dependent escalation exploits workflow logic by skipping authorization checkpoints. An attacker might access administrative URLs directly without going through proper authentication flows, manipulate parameters to bypass permission checks, or exploit REST API endpoints that don't validate method permissions—like a read-only GET permission that can be leveraged for write operations through protocol upgrades or alternative endpoints.
Impact
- Full system compromise through kernel-level exploits granting root or SYSTEM privileges
- Administrative control over applications, allowing configuration changes, user management, and deployment of malicious code
- Lateral movement across cloud infrastructure, containers, or network segments using escalated service account permissions
- Data exfiltration by accessing databases, file systems, or API endpoints restricted to higher privilege levels
- Persistence establishment through creation of backdoor accounts or modification of system configurations
Real-World Examples
Kubernetes clusters have been compromised through kubelet API misconfigurations where read-only GET permissions on worker nodes could be escalated to remote code execution. Attackers upgraded HTTP connections to WebSockets to access the /exec endpoint, gaining shell access to all pods on the node. This affected over 69 Helm charts including widely-deployed monitoring tools like Prometheus, Grafana, and Datadog agents.
Windows Print Spooler vulnerabilities (PrintNightmare class) allowed authenticated users to execute arbitrary code with SYSTEM privileges by exploiting improper privilege checks in the print service. Attackers loaded malicious DLLs through carefully crafted print jobs, escalating from low-privilege user accounts to full domain administrator access.
Cloud metadata services have been exploited where SSRF vulnerabilities combined with over-permissioned IAM roles allowed attackers to retrieve temporary credentials with elevated permissions, pivoting from compromised web applications to broader cloud infrastructure access.
Mitigation
- Enforce deny-by-default access control where permissions must be explicitly granted rather than implicitly allowed
- Implement consistent authorization checks at every layer—API gateway, application logic, and data access—never relying on client-side or single-point validation
- Apply principle of least privilege with time-limited, scope-restricted permissions and just-in-time access for administrative functions
- Audit permission inheritance and role assignments regularly to identify overly permissive configurations or privilege creep
- Separate execution contexts using containers, sandboxes, or capability-based security to limit blast radius
- Deploy runtime monitoring for unusual privilege usage patterns and anomalous access to restricted resources
Recent CVEs (2402)
Active debug code for some Intel UEFI reference platforms within Ring 0: Kernel may allow a denial of service and escalation of privilege. Rated high severity (CVSS 8.3), this vulnerability is low attack complexity. No vendor patch available.
Uncontrolled search path for some Intel(R) Distribution for Python software installers before version 2025.2.0 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
Out-of-bounds write for some Intel(R) QAT Windows software before version 2.6.0. Rated high severity (CVSS 7.3). No vendor patch available.
Improper neutralization for some Intel(R) Neural Compressor software before version v3.4 within Ring 3: User Applications may allow an escalation of privilege. Rated low severity (CVSS 2.4), this vulnerability is low attack complexity. No vendor patch available.
Incorrect default permissions for some Intel(R) One Boot Flash Update (Intel(R) OFU) software before version 14.1.31 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
Incorrect default permissions for the Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
Uncontrolled search path for some Intel(R) One Boot Flash Update (Intel(R) OFU) software before version 14.1.31 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
Improper link resolution before file access ('link following') for some Intel(R) Server Configuration Utility software and Intel(R) Server Firmware Update Utility software before version 16.0.12. Rated medium severity (CVSS 5.4). No vendor patch available.
Improper privilege management for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unrestricted upload of file with dangerous type for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable. No vendor patch available.
Protection mechanism failure for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.3). No vendor patch available.
Uncontrolled search path for the Intel(R) System Support Utility before version 4.1.0 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
Improper privilege management for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Buffer overflow for some Intel(R) QAT Windows software before version 2.6.0. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
Uncontrolled search path for some Intel(R) Killer(TM) Performance Suite software before version killer 4.0 40.25.509.1465 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
Insecure inherited permissions for some Intel(R) Rapid Storage Technology Application before version 20.0.1021 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
Improper privilege management for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.
Improper input validation for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper access control for some SigTest before version 6.1.10 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
External control of file name or path for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.6), this vulnerability is low attack complexity. No vendor patch available.
Uncontrolled search path for some Display Virtualization for Windows OS software before version 1797 within Ring 2: Device Drivers may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
Improper input validation for some Intel VTune Profiler before version 2025.1 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.
Uncontrolled search path for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
Use of unmaintained third party components for some Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.
System call entry on Cortex M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes. Rated high severity (CVSS 8.1), this vulnerability is no authentication required. No vendor patch available.
Incorrect boundary conditions in the Graphics: WebGPU component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to write arbitrary files anywhere on disk. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.
The VAPIX Edge storage API that allowed a privilege escalation, enabling a VAPIX administrator-privileged user to gain Linux Root privileges. Rated medium severity (CVSS 6.4). No vendor patch available.
AXIS Optimizer was vulnerable to an unquoted search path vulnerability, which could potentially lead to privilege escalation within Microsoft Windows operating system. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.
An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalation. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
The ACAP Application framework could allow privilege escalation through a symlink attack. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. Rated medium severity (CVSS 6.4). No vendor patch available.
A malicious ACAP application can gain access to admin-level service account credentials used by legitimate ACAP applications, leading to potential privilege escalation of the malicious ACAP. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.
The EasyCommerce - AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Mementor Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Incus is a system container and virtual machine manager. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue in Sublime HQ Pty Ltd Sublime Text 4 4200 allows authenticated attackers with low-level privileges to escalate privileges to Administrator via replacing the uninstall file with a crafted. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Inappropriate implementation in Views in Google Chrome on Windows prior to 142.0.7444.137 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to Mac and Linux supported versions that invoked multiple system commands without using absolute paths and. Rated medium severity (CVSS 6.3). No vendor patch available.
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Dell Display and Peripheral Manager, versions prior to 2.1.2.12, contains an Execution with Unnecessary Privileges vulnerability in the Installer. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains ReSharper, Rider and dotTrace before 2025.2.5 local privilege escalation was possible via race condition. Rated medium severity (CVSS 4.2). No vendor patch available.
In JetBrains ReSharper before 2025.2.4 missing signature verification in DPA Collector allows local privilege escalation. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.
An improper privilege management vulnerability was found in Looker Studio. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
IBM Db2 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) under specific configurations could allow a local user to execute malicious code that escalate their privileges. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.
The IDonate - Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_password() function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user.php file in versions 1.2.10 to 1.3.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
evernote-mcp-server openBrowser Command Injection Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A maliciously crafted file, when executed on the victim's machine, can lead to privilege escalation to NT AUTHORITY/SYSTEM due to an insufficient validation of loaded binaries. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Incorrect Privilege Assignment vulnerability in KingAddons.com King Addons for Elementor king-addons allows Privilege Escalation.1.36. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incorrect Privilege Assignment vulnerability in Holest Engineering Selling Commander for WooCommerce selling-commander-connector allows Privilege Escalation.2.46. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incorrect Privilege Assignment vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Privilege Escalation.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incorrect Privilege Assignment vulnerability in bPlugins Advanced scrollbar advanced-scrollbar allows Privilege Escalation.1.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. Rated high severity (CVSS 7.0). No vendor patch available.
** exclusively-hosted-service ** A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated low-privileged attackers to execute. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Dell CloudLink, versions prior to 8.1.1, contain a vulnerability where a privileged user may exploit and gain parallel privilege escalation or access to the database to obtain confidential. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
Dell CloudLink, versions prior to 8.1.1, contain a vulnerability where a privileged user with known password can run CLI Escape Vulnerability to gain control of system. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Dell Command Monitor (DCM), versions prior to 10.12.3.28, contains an Execution with Unnecessary Privileges vulnerability. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint when the No-Auth URL feature is enabled. Unauthenticated attackers can extract this token to gain full API access, compromising AI assistant configurations and potentially accessing connected LLM provider API keys.
An issue was discovered in the GPU in Samsung Mobile Processor and Wearable Processor Exynos 1280, 2200, 1330, 1380, 1480, 2400. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In charger, there is a possible out of bounds write due to a missing bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In gnss service, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In gnss service, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In apusys, there is a possible memory corruption due to use after free. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity. No vendor patch available.
In pda, there is a possible escalation of privilege due to use after free. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity. No vendor patch available.
In clkdbg, there is a possible escalation of privilege due to use after free. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity. No vendor patch available.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.
In preloader, there is a possible escalation of privilege due to an insecure default value. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity. No vendor patch available.
In wlan STA driver, there is a possible out of bounds write due to an incorrect bounds check. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In Modem, there is a possible out of bounds write due to a heap buffer overflow. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Quick Facts
- Typical Severity
- HIGH
- Category
- auth
- Total CVEs
- 2402