CWE Glossary

CWE is a trademark of the MITRE Corporation.

Lack of Administrator Control over Security [CWE-671]

The Lack of Administrator Control over Security weakness describes a case where a product's security features, as implemented, do not give its administrators full control over the product's security.


Created: February 28, 2014
Latest Update: January 10, 2019

Table of Contents

  1. Description
  2. Potential impact
  3. Affected software
  4. Severity and CVSS Scoring
  5. Mitigations
  6. References

1. Description

This weakness describes a situation where the product's security features, as implemented, prevent its administrators from changing security settings to match the environment the product is deployed in. As a result, the administrator cannot perform actions that fall outside the bounds the developer implicitly set. The weakness can be introduced at either the design or the implementation stage of the development process.

A typical example is a hard-coded administrator credential or a hidden account. The administrator can neither change that password nor see the hidden account, and therefore cannot prevent unauthorized access through it. This exposes the product to outside threats, the product's own developer included.

This weakness is most often found in firmware and in software designed around multiple privilege levels. Exploitation may yield complete control over the affected product, although it can require a certain level of privilege within the application or a particular network position.
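The hard-coded account pattern described above, as an added example that is not code from the original page or from any product. Both variants share one administrator-managed account store; the "support" user name and password are hypothetical values. In the vulnerable login routine the compiled-in account is checked before the store, so it never appears in any listing and survives every password rotation or disable the administrator performs. The hardened variant provisions the same vendor support identity into the store with a random per-installation password handed to the administrator, so it is subject to the same controls as every other account.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List

# Constructed illustration of CWE-671. The "support" credentials below are a
# hypothetical hard-coded developer account, not a value taken from any product.
HIDDEN_SUPPORT_USER = "support"
HIDDEN_SUPPORT_PASSWORD = "Sup3rS3cret!"


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password; shared by both variants."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccountStore:
    """The administrator-managed account database: everything the admin can
    list, rotate or disable. An identity that is not in here is invisible to
    the admin, which is exactly the problem with the vulnerable variant below."""

    def __init__(self) -> None:
        self._accounts: Dict[str, dict] = {}

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = {"salt": salt, "hash": derive(password, salt), "enabled": True}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user].update(salt=salt, hash=derive(password, salt))

    def disable(self, user: str) -> None:
        self._accounts[user]["enabled"] = False

    def list_users(self) -> List[str]:
        return sorted(self._accounts)

    def check(self, user: str, password: str) -> bool:
        rec = self._accounts.get(user)
        if rec is None or not rec["enabled"]:
            return False
        # constant-time comparison of the stored and freshly derived hashes
        return hmac.compare_digest(rec["hash"], derive(password, rec["salt"]))


def vulnerable_login(store: AccountStore, user: str, password: str) -> bool:
    """CWE-671: a compiled-in support account is checked before the admin's store.
    It never appears in list_users() and no admin action can rotate or disable it."""
    if user == HIDDEN_SUPPORT_USER and password == HIDDEN_SUPPORT_PASSWORD:
        return True
    return store.check(user, password)


def provision_support_account(store: AccountStore) -> str:
    """Hardened replacement for the hard-coded account: the vendor support
    identity is created in the admin-managed store with a random per-install
    password that is returned to the administrator, who can then rotate or
    disable it like any other account."""
    initial = secrets.token_urlsafe(12)
    store.add_user(HIDDEN_SUPPORT_USER, initial)
    return initial


def hardened_login(store: AccountStore, user: str, password: str) -> bool:
    """Every identity, vendor support included, is resolved through the store."""
    return store.check(user, password)


if __name__ == "__main__":
    store = AccountStore()
    store.add_user("admin", "correct horse battery staple")
    print("admin sees:", store.list_users())
    print("vulnerable accepts hidden account:",
          vulnerable_login(store, "support", HIDDEN_SUPPORT_PASSWORD))
    initial = provision_support_account(store)
    store.disable("support")
    print("after the admin disables support -> vulnerable:",
          vulnerable_login(store, "support", HIDDEN_SUPPORT_PASSWORD),
          "hardened:", hardened_login(store, "support", initial))
```

The last two lines of the demo are the whole point: after the administrator disables the support account, the hardened routine rejects it while the vulnerable routine still lets the compiled-in credential through, because the check happens before the store the administrator controls is ever consulted.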

2. Potential impact

An attacker can leverage the lack of administrative control to conceal unwanted product features or other functionality, e.g. to place a backdoor or a hidden administrative account that the legitimate administrator cannot see, rotate or remove.


3. Affected software

Any software that distinguishes between security roles or exposes configurable security features can be affected by this weakness; firmware and other software built around multiple privilege levels is the most common case.

4. Severity and CVSS Scoring

An instance of this weakness in the form of a hidden or hard-coded administrative account is usually called a backdoor and is scored with the highest severity rating. Existence of a hard-coded or hidden administrative account should be scored as:
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) – Critical severity.


We use the CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of the discovered vulnerabilities. Not all of the vulnerabilities are scored in strict accordance with FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing, taking into consideration many practical nuances and details. Therefore, they may sometimes differ from those recommended by FIRST.

5. Mitigations

There are no general recommendations for mitigating this weakness. A backdoor in an application requires immediate attention from security personnel. The following measures are recommended, depending on the type of threat and the consequences of unauthorized access:

  1. Implement access restriction policies. If the product is reachable from untrusted networks, apply proper ACLs based on source IP addresses, protocols, etc.
  2. Disconnect the product immediately if it is part of critical infrastructure.
  3. Monitor network connectivity to ensure no confidential information has been leaked, and record all attempts to gain unauthorized access.
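Steps 1 and 3 above, as an added example that is not part of the original page: an audit over sshd-style authentication log lines that flags successful logins by accounts the administrator never created (a hidden account being used), successful logins from outside the management ACL, and every failed attempt. The log lines, the known-account list and the management networks are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sshd-style auth log lines (not captured from any real system).
SAMPLE_LOG = """\
Mar  3 10:01:02 gw sshd[1201]: Accepted password for admin from 10.0.0.5 port 51234 ssh2
Mar  3 10:04:17 gw sshd[1210]: Accepted password for support from 203.0.113.7 port 40021 ssh2
Mar  3 10:05:00 gw sshd[1215]: Failed password for root from 198.51.100.9 port 33001 ssh2
Mar  3 10:05:03 gw sshd[1215]: Failed password for root from 198.51.100.9 port 33002 ssh2
Mar  3 10:05:09 gw sshd[1216]: Failed password for invalid user backup from 198.51.100.9 port 33003 ssh2
Mar  3 10:07:41 gw sshd[1222]: Accepted publickey for admin from 192.0.2.10 port 50011 ssh2
"""

# Assumed administrator-managed state: the accounts the admin knows about and
# the networks from which management access is permitted (the ACL of step 1).
KNOWN_ACCOUNTS = {"admin", "operator"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

Finding = Tuple[str, str, str]  # (kind, user, source address)


def in_acl(src: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True when the source address falls inside one of the permitted networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in nets)


def audit_auth_log(log_text: str, known_accounts, nets) -> List[Finding]:
    """Walk the log once and emit one finding per suspicious event:
    - unknown-account-login: a successful login by a user the admin never created
    - outside-acl-login:     a successful login from outside the management ACL
    - failed-attempt:        every failed authentication, recorded per step 3"""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an authentication event
        user, src, result = m["user"], m["src"], m["result"]
        if result == "Accepted":
            if user not in known_accounts:
                findings.append(("unknown-account-login", user, src))
            if not in_acl(src, nets):
                findings.append(("outside-acl-login", user, src))
        else:
            findings.append(("failed-attempt", user, src))
    return findings


def failed_attempts_by_source(findings: List[Finding]) -> Dict[str, int]:
    """Count failed attempts per source address, the input for blocking decisions."""
    return dict(Counter(src for kind, _, src in findings if kind == "failed-attempt"))


if __name__ == "__main__":
    results = audit_auth_log(SAMPLE_LOG, KNOWN_ACCOUNTS, MANAGEMENT_NETS)
    for kind, user, src in results:
        print(f"{kind:22} user={user:8} from={src}")
    print("failed attempts by source:", failed_attempts_by_source(results))
```

On the sample lines the "support" login is reported twice, once because no such account exists in the administrator's list and once because 203.0.113.7 is outside the management networks; an account that only ever shows up in the first category is the signature of a hidden account that the administrator cannot see in the product's own user management.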
6. References

  1. CWE-671: Lack of Administrator Control over Security [cwe.mitre.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.
