Privilege Escalation
Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted.
How It Works
Privilege escalation occurs when an attacker leverages flaws in access control mechanisms to gain permissions beyond what they were originally granted. The attack exploits the gap between what the system thinks a user can do and what they actually can do through manipulation or exploitation.
Vertical escalation is the classic form—a regular user obtaining administrator rights. This happens through kernel exploits that bypass OS-level security, misconfigurations in role-based access control (RBAC) that fail to enforce boundaries, or direct manipulation of authorization tokens and session data. Horizontal escalation involves accessing resources belonging to users at the same privilege level, typically through insecure direct object references (IDOR) where changing an ID in a request grants access to another user's data.
Context-dependent escalation exploits workflow logic by skipping authorization checkpoints. An attacker might access administrative URLs directly without going through proper authentication flows, manipulate parameters to bypass permission checks, or exploit REST API endpoints that don't validate method permissions—like a read-only GET permission that can be leveraged for write operations through protocol upgrades or alternative endpoints.
Impact
- Full system compromise through kernel-level exploits granting root or SYSTEM privileges
- Administrative control over applications, allowing configuration changes, user management, and deployment of malicious code
- Lateral movement across cloud infrastructure, containers, or network segments using escalated service account permissions
- Data exfiltration by accessing databases, file systems, or API endpoints restricted to higher privilege levels
- Persistence establishment through creation of backdoor accounts or modification of system configurations
Real-World Examples
Kubernetes clusters have been compromised through kubelet API misconfigurations where read-only GET permissions on worker nodes could be escalated to remote code execution. Attackers upgraded HTTP connections to WebSockets to access the /exec endpoint, gaining shell access to all pods on the node. This affected over 69 Helm charts including widely-deployed monitoring tools like Prometheus, Grafana, and Datadog agents.
Windows Print Spooler vulnerabilities (PrintNightmare class) allowed authenticated users to execute arbitrary code with SYSTEM privileges by exploiting improper privilege checks in the print service. Attackers loaded malicious DLLs through carefully crafted print jobs, escalating from low-privilege user accounts to full domain administrator access.
Cloud metadata services have been exploited where SSRF vulnerabilities combined with over-permissioned IAM roles allowed attackers to retrieve temporary credentials with elevated permissions, pivoting from compromised web applications to broader cloud infrastructure access.
Mitigation
- Enforce deny-by-default access control where permissions must be explicitly granted rather than implicitly allowed
- Implement consistent authorization checks at every layer—API gateway, application logic, and data access—never relying on client-side or single-point validation
- Apply principle of least privilege with time-limited, scope-restricted permissions and just-in-time access for administrative functions
- Audit permission inheritance and role assignments regularly to identify overly permissive configurations or privilege creep
- Separate execution contexts using containers, sandboxes, or capability-based security to limit blast radius
- Deploy runtime monitoring for unusual privilege usage patterns and anomalous access to restricted resources
Recent CVEs (13305)
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In soundtrigger, there is a possible out of bounds write due to a missing bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In ril, there is a possible out of bounds write due to a missing bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In Modem, there is a possible escalation of privilege due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In Modem, there is a possible out of bonds write due to a mission bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In Modem, there is a possible escalation of privilege due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In power, there is a possible out of bounds write due to a missing bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In vdec, there is a possible out of bounds write due to a missing bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
IBM Security Verify Access Appliance 10.0.0 through 10.0.8 could allow a locally authenticated non-administrative user to escalate their privileges due to unnecessary permissions used to perform. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
The NetCloud Exchange client for Windows, version 1.110.50, contains an insecure file and folder permissions vulnerability. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The JobSearch WP Job Board plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.6.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
OpenVidReview 1.0 is vulnerable to Incorrect Access Control. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An improper access control vulnerability in Partner.Microsoft.com allows an a unauthenticated attacker to elevate privileges over a network. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A script injection vulnerability was identified in the Tuned package. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
VMware Aria Operations contains a local privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
VMware Aria Operations contains a local privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
The AppPresser - Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Gee-netics, member of the AXIS Camera Station Pro Bug Bounty Program has found that it is possible for a non-admin user to gain system privileges by redirecting a file deletion upon service restart. Rated medium severity (CVSS 4.2). No vendor patch available.
The application Sensei Mac Cleaner contains a local privilege escalation vulnerability, allowing an attacker to perform multiple operations as the root user. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. Rated high severity (CVSS 7.0). This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the MJ_gmgt_add_staff_member() function in all versions up. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Foxit PDF Reader Update Service Incorrect Permission Assignment Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Foxit PDF Reader Update Service Incorrect Permission Assignment Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Visteon Infotainment App SoC Missing Immutable Root of Trust in Hardware Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Visteon Infotainment VIP MCU Code Insufficient Validation of Data Authenticity Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Panda Security Dome VPN Incorrect Permission Assignment Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Panda Security Dome VPN DLL Hijacking Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Panda Security Dome Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Panda Security Dome Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Panda Security Dome Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
F-Secure Total Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
VIPRE Advanced Security Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
VIPRE Advanced Security SBAMSvc Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
AVG AntiVirus Free AVGSvc Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
AVG AntiVirus Free AVGSvc Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Avast Free Antivirus AvastSvc Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Avast Free Antivirus AvastSvc Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Avast Cleanup Premium Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Avast Cleanup Premium Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Avast Cleanup Premium Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Avast Free Antivirus AvastSvc Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
G DATA Total Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Wacom Center WTabletServicePro Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Malwarebytes Antimalware Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Check Point ZoneAlarm Extreme Security Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
G DATA Total Security Scan Server Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Famatech Advanced IP Scanner Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.
G DATA Total Security Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
G DATA Total Security Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An issue in Owncloud android apk v.4.3.1 allows a physically proximate attacker to escalate privileges via the PassCodeViewModel class, specifically in the checkPassCodeIsValid method. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Incorrect access control in Meabilis CMS 1.0 allows attackers to access other users' address books via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.
Okta Privileged Access server agent (SFTD) versions 1.82.0 to 1.84.0 are affected by a privilege escalation vulnerability when the sudo command bundles feature is enabled. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.
A discrepancy between responses for valid and invalid e-mail accounts in the Forgot your Login? module of eSoft Planner 3.24.08271-USA allows attackers to enumerate valid user e-mail accounts. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue in Audimex EE versions 15.1.20 and earlier allowing a remote attacker to escalate privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Privilege Management vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Privilege Escalation.2. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Privilege Management vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Privilege Escalation.2. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incorrect Privilege Assignment vulnerability in userplus UserPlus userplus allows Privilege Escalation.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authentication for Critical Function vulnerability in deco.agency de:branding debranding allows Privilege Escalation.0.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Missing Authentication for Critical Function vulnerability in Saul Morales Pacheco Banner System banner-system allows Privilege Escalation.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A flaw was found in Moodle. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the Incoming Goods Suite allows a user with unprivileged access to the underlying system (e.g. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
AVSCMS v8.2.0 was discovered to contain weak default credentials for the Administrator account. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incorrect access control in QuickHeal Antivirus Pro 24.1.0.182 and earlier allows authenticated attackers with low-level privileges to arbitrarily modify antivirus settings. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue in the wssrvc.exe service of QuickHeal Antivirus Pro Version v24.0 and Quick Heal Total Security v24.0 allows authenticated attackers to escalate privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In RSA NetWitness (NW) Platform before 12.5.1, even when an administrator revokes the access of a specific user with an active session, an internal threat actor could impersonate the revoked user and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Execution with Unnecessary Privileges, : Improper Protection of Alternate Path vulnerability in TR7 Application Security Platform (ASP) allows Privilege Escalation, -Privilege Abuse.4.25.188. Rated high severity (CVSS 8.7). No vendor patch available.
An issue was discovered in LemonLDAP::NG before 2.20.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Delinea Privilege Manager before 12.0.2 mishandles the security of the Windows agent. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build outputs are accessible by local users before file metadata concerns (e.g., for setuid and setgid programs) are. Rated high severity (CVSS 8.1), this vulnerability is no authentication required. No vendor patch available.
The WordPress Video Robot - The Ultimate Video Importer plugin for WordPress is vulnerable to privilege escalation due to insufficient validation on user meta that can be updated in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A maliciously crafted DLL file when placed in temporary files and folders that are leveraged by the Autodesk Installer could lead to escalation of privileges to NT AUTHORITY/SYSTEM due to insecure. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A security vulnerability has been identified in HPE Cray Data Virtualization Service (DVS). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
A security vulnerability has been identified in HPE Data Management Framework (DMF) Suite (CXFS). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
Trial installer for McAfee Total Protection (legacy trial installer software) 16.0.53 allows local privilege escalation because of an Uncontrolled Search Path Element. Rated medium severity (CVSS 6.7). No vendor patch available.
By default, dedicated folders of ZONEPOINT for Windows up to 2024.1 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. Rated high severity (CVSS 7.8), this vulnerability is no authentication required. No vendor patch available.
By default, dedicated folders of ZONECENTRAL for Windows up to 2024.3 or up to Q.2021.2 (ANSSI qualification submission) can be accessed by other users to misuse technical files and make them perform. Rated high severity (CVSS 7.8), this vulnerability is no authentication required. No vendor patch available.
By default, dedicated folders of CRYHOD for Windows up to 2024.3 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. Rated high severity (CVSS 7.8), this vulnerability is no authentication required. No vendor patch available.
By default, dedicated folders of ORIZON for Windows up to 2024.3 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. Rated high severity (CVSS 7.8), this vulnerability is no authentication required. No vendor patch available.
By default, dedicated folders of ZEDMAIL for Windows up to 2024.3 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. Rated high severity (CVSS 7.8), this vulnerability is no authentication required. No vendor patch available.
Nextcloud Server is a self hosted personal cloud system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
Quick Facts
- Typical Severity
- HIGH
- Category
- auth
- Total CVEs
- 13305