Lack of Administrator Control over Security [CWE-671]

The Lack of Administrator Control over Security weakness describes a case where the implemented security features do not give administrators full control over the product's security.

Created: February 28, 2014
Latest Update: December 28, 2020

Table of Contents

  1. Description
  2. Potential impact
  3. Affected software
  4. Severity and CVSS Scoring
  5. Mitigations
  6. References

1. Description

This weakness describes a situation where the implemented security features prevent the product's administrators from changing security settings to reflect their environment. As a result, the administrator cannot perform desired actions beyond the bounds the product implies. The weakness can be introduced during either the design or the implementation stage of the product's development.

An example of this issue is hard-coded administrator credentials or hidden accounts. The product administrator can neither change the password nor see the hidden account, and therefore cannot prevent unauthorized access to the product. This exposes the product to outside threats, including the product's own developer.

This weakness is usually found in firmware and in software designed for multiple privilege levels. Exploiting it may result in complete control over the affected product, but it can require a certain level of privileges within the application or a particular environment.

2. Potential impact

An attacker can leverage the lack of administrative control to conceal the presence of unwanted product features or other functionality, for example a backdoor or a hidden administrative account.
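The following added example (not code from the original page) contrasts the hidden-account pattern described above with a hardened variant: in the vulnerable login routine a support account compiled into the product authenticates even though it never appears in the administrator-managed user store, so the administrator cannot list, disable or rotate it; in the hardened routine only accounts in that store are accepted, so removing an entry is sufficient to revoke access. All account names, passwords and the store itself are constructed for the illustration.

```python
"""CWE-671 illustration: a hidden account outside the administrator's control."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def make_record(password, salt=None):
    """Salted PBKDF2 record as the administrator-managed store keeps it."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify(record, password):
    """Constant-time comparison against a stored (salt, digest) record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, candidate)


# Constructed sample store, managed through the product's administrative interface.
ADMIN_STORE = {"alice": make_record("correct horse battery")}

# Constructed hidden support account baked into the product: the CWE-671 pattern.
_HIDDEN_ACCOUNT = ("support", make_record("vendor-default"))


def login_vulnerable(user, password, store):
    """Checks the admin store, then silently falls back to the hidden account.
    The administrator cannot see, disable or rotate the fallback."""
    record = store.get(user)
    if record is None and user == _HIDDEN_ACCOUNT[0]:
        record = _HIDDEN_ACCOUNT[1]
    return record is not None and verify(record, password)


def login_hardened(user, password, store):
    """Only accounts present in the administrator-managed store can log in."""
    record = store.get(user)
    return record is not None and verify(record, password)


def administrator_view(store):
    """The account list the administrator can actually see and manage."""
    return sorted(store)


if __name__ == "__main__":
    print("admin sees:", administrator_view(ADMIN_STORE))
    print("hidden account accepted (vulnerable):",
          login_vulnerable("support", "vendor-default", ADMIN_STORE))
    print("hidden account accepted (hardened):",
          login_hardened("support", "vendor-default", ADMIN_STORE))
```

The gap between what `administrator_view` lists and what `login_vulnerable` accepts is exactly the control the administrator lacks; in an audit, comparing the accounts a product authenticates against the accounts its management interface exposes is one way to surface this weakness.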

3. Affected software

Software that uses different security roles or contains security features can be affected by this weakness.

4. Severity and CVSS Scoring

This weakness is usually called a backdoor and is scored with the highest severity rating. The existence of a hard-coded or hidden administrative account should be scored as:
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) – Critical severity.

We use the CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of the discovered vulnerabilities. Not all vulnerabilities are scored in strict accordance with FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing and take into account many practical nuances and details. Therefore, they may sometimes differ from those recommended by FIRST.

5. Mitigations

There are no general recommendations to mitigate this weakness. The existence of a backdoor within an application requires the immediate attention of security personnel. The following measures are recommended depending on the type of possible threat and the consequences of unauthorized access:

  1. Implement access restriction policies. If the product is reachable from untrusted networks, apply proper ACLs based on IP addresses, protocols, etc.
  2. Disconnect the product immediately if it is part of critical infrastructure.
  3. Monitor network connectivity to ensure no confidential information has been leaked, and record all attempts to gain unauthorized access.

6. References

  1. CWE-671: Lack of Administrator Control over Security [cwe.mitre.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.
