CWE-250
AllowedExecution with Unnecessary Privileges
Abstraction: Base · Status: Draft
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
575 vulnerabilities reference this CWE, most recent first.
GHSA-49PM-43HF-6XFQ
Vulnerability from github – Published: 2026-05-29 18:24 – Updated: 2026-06-12 19:31Impact
IPAM is the IP address Manager for Cluster API Provider Metal3. The IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data.
All users running ip-address-manager versions prior to the patched releases are affected.
Patches
Fixed in: - v1.11.7 - v1.12.4 - v1.13.0
Users should upgrade to the patched version for their release branch.
Workarounds
Manually remove the Secrets resource entry from the metal3-ipam-controller-manager-role ClusterRole:
# Remove this entire block from the ClusterRole
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
Resources
- https://github.com/metal3-io/ip-address-manager/pull/1355
- https://github.com/metal3-io/ip-address-manager/pull/1356 (backport to release-1.12)
- https://github.com/metal3-io/ip-address-manager/pull/1357 (backport to release-1.11)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.11.6"
},
"package": {
"ecosystem": "Go",
"name": "github.com/metal3-io/ip-address-manager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.12.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/metal3-io/ip-address-manager"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47190"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T18:24:45Z",
"nvd_published_at": "2026-06-12T16:16:29Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nIPAM is the IP address Manager for Cluster API Provider Metal3. The IPAM controller\u0027s ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data.\n\nAll users running ip-address-manager versions prior to the patched releases are affected.\n\n### Patches\n\nFixed in:\n- v1.11.7\n- v1.12.4\n- v1.13.0\n\nUsers should upgrade to the patched version for their release branch.\n\n### Workarounds\n\nManually remove the Secrets resource entry from the metal3-ipam-controller-manager-role ClusterRole:\n\n```yaml\n# Remove this entire block from the ClusterRole\n- apiGroups:\n - \"\"\n resources:\n - secrets\n verbs:\n - create\n - delete\n - get\n - list\n - patch\n - update\n - watch\n```\n\n### Resources\n\n- https://github.com/metal3-io/ip-address-manager/pull/1355\n- https://github.com/metal3-io/ip-address-manager/pull/1356 (backport to release-1.12)\n- https://github.com/metal3-io/ip-address-manager/pull/1357 (backport to release-1.11)",
"id": "GHSA-49pm-43hf-6xfq",
"modified": "2026-06-12T19:31:26Z",
"published": "2026-05-29T18:24:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/metal3-io/ip-address-manager/security/advisories/GHSA-49pm-43hf-6xfq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47190"
},
{
"type": "WEB",
"url": "https://github.com/metal3-io/ip-address-manager/pull/1355"
},
{
"type": "WEB",
"url": "https://github.com/metal3-io/ip-address-manager/pull/1356"
},
{
"type": "WEB",
"url": "https://github.com/metal3-io/ip-address-manager/pull/1357"
},
{
"type": "PACKAGE",
"url": "https://github.com/metal3-io/ip-address-manager"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "IPAM controller service account granted unnecessary full access to Secrets"
}
GHSA-4C6M-GMP8-84FQ
Vulnerability from github – Published: 2025-10-30 21:30 – Updated: 2025-10-30 21:30IBM Sterling Connect Direct for Unix 6.2.0.7 through 6.2.0.9 iFix004, 6.4.0.0 through 6.4.0.2 iFix001, and 6.3.0.2 through 6.3.0.5 iFix002 incorrectly assigns permissions for maintenance tasks to Control Center Director (CCD) users that could allow a privileged user to escalate their privileges further due to unnecessary privilege assignment for post update scripts.
{
"affected": [],
"aliases": [
"CVE-2025-36137"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-30T19:16:23Z",
"severity": "HIGH"
},
"details": "IBM Sterling Connect Direct for Unix 6.2.0.7 through 6.2.0.9 iFix004, 6.4.0.0 through 6.4.0.2 iFix001, and 6.3.0.2 through 6.3.0.5 iFix002 incorrectly assigns permissions for maintenance tasks to Control Center Director (CCD) users that could allow a privileged user to escalate their privileges further due to unnecessary privilege assignment for post update scripts.",
"id": "GHSA-4c6m-gmp8-84fq",
"modified": "2025-10-30T21:30:46Z",
"published": "2025-10-30T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36137"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7249678"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4C73-92CW-X6VQ
Vulnerability from github – Published: 2026-04-08 18:34 – Updated: 2026-04-08 18:34Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).
{
"affected": [],
"aliases": [
"CVE-2026-4498"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T17:21:24Z",
"severity": "HIGH"
},
"details": "Execution with Unnecessary Privileges (CWE-250) in Kibana\u2019s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agent policies, and settings management).",
"id": "GHSA-4c73-92cw-x6vq",
"modified": "2026-04-08T18:34:07Z",
"published": "2026-04-08T18:34:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4498"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-21/385811"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4HHJ-H38J-CCW8
Vulnerability from github – Published: 2023-07-12 15:30 – Updated: 2024-01-25 18:30A vulnerability in Cisco BroadWorks could allow an authenticated, local attacker to elevate privileges to the root user on an affected device.
The vulnerability is due to insufficient input validation by the operating system CLI. An attacker could exploit this vulnerability by issuing a crafted command to the affected system. A successful exploit could allow the attacker to execute commands as the root user. To exploit this vulnerability, an attacker must have valid BroadWorks administrative privileges on the affected device.
{
"affected": [],
"aliases": [
"CVE-2023-20210"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-12T14:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Cisco BroadWorks could allow an authenticated, local attacker to elevate privileges to the root user on an affected device.\n\n The vulnerability is due to insufficient input validation by the operating system CLI. An attacker could exploit this vulnerability by issuing a crafted command to the affected system. A successful exploit could allow the attacker to execute commands as the root user. To exploit this vulnerability, an attacker must have valid BroadWorks administrative privileges on the affected device.",
"id": "GHSA-4hhj-h38j-ccw8",
"modified": "2024-01-25T18:30:37Z",
"published": "2023-07-12T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20210"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bw-privesc-yw4ekrXW"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4J6Q-QQ58-W4V4
Vulnerability from github – Published: 2026-03-04 18:31 – Updated: 2026-03-04 18:31A vulnerability in the CLI of Cisco Secure FTD Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as root. To exploit this vulnerability, the attacker must have valid administrative credentials on an affected device.
This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by submitting crafted input for a specific CLI command. A successful exploit could allow the attacker to execute commands on the underlying operating system as root.
{
"affected": [],
"aliases": [
"CVE-2026-20017"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-04T18:16:16Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the CLI of Cisco Secure FTD Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as root. To exploit this vulnerability, the attacker must have valid administrative credentials on an affected device.\n\nThis vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by submitting crafted input for a specific CLI command. A successful exploit could allow the attacker to execute commands on the underlying operating system as\u0026nbsp;root.",
"id": "GHSA-4j6q-qq58-w4v4",
"modified": "2026-03-04T18:31:54Z",
"published": "2026-03-04T18:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20017"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-cmd-inj-mTzGZexf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4J9M-52H7-F59Q
Vulnerability from github – Published: 2023-03-13 21:30 – Updated: 2023-03-22 18:30Wondershare Dr.Fone v12.9.6 was discovered to contain weak permissions for the service WsDrvInst. This vulnerability allows attackers to escalate privileges via modifying or overwriting the executable.
{
"affected": [],
"aliases": [
"CVE-2023-27010"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-13T19:15:00Z",
"severity": "HIGH"
},
"details": "Wondershare Dr.Fone v12.9.6 was discovered to contain weak permissions for the service WsDrvInst. This vulnerability allows attackers to escalate privileges via modifying or overwriting the executable.",
"id": "GHSA-4j9m-52h7-f59q",
"modified": "2023-03-22T18:30:37Z",
"published": "2023-03-13T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27010"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/250.html"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/171301/Wondershare-Dr-Fone-12.9.6-Weak-Permissions-Privilege-Escalation.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4P2X-J6F2-872J
Vulnerability from github – Published: 2023-10-12 21:30 – Updated: 2024-04-04 08:36SnapCenter Plugin for VMware vSphere versions 4.6 prior to 4.9 are susceptible to a vulnerability which may allow authenticated unprivileged users to modify email and snapshot name settings within the VMware vSphere user interface.
{
"affected": [],
"aliases": [
"CVE-2023-27312"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-12T19:15:11Z",
"severity": "MODERATE"
},
"details": "SnapCenter Plugin for VMware vSphere versions 4.6 prior to 4.9 are \nsusceptible to a vulnerability which may allow authenticated \nunprivileged users to modify email and snapshot name settings within the\n VMware vSphere user interface.\n\n\n",
"id": "GHSA-4p2x-j6f2-872j",
"modified": "2024-04-04T08:36:10Z",
"published": "2023-10-12T21:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27312"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230713-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4QV4-VH73-Q92W
Vulnerability from github – Published: 2024-03-22 00:31 – Updated: 2024-08-27 21:31A privilege escalation issue existed in FileMaker Server, potentially exposing sensitive information to front-end websites when signed in to the Admin Console with an administrator role. This issue has been fixed in FileMaker Server 20.3.1 by reducing the information sent in requests.
{
"affected": [],
"aliases": [
"CVE-2023-42954"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-21T23:15:09Z",
"severity": "MODERATE"
},
"details": "A privilege escalation issue existed in FileMaker Server, potentially exposing sensitive information to front-end websites when signed in to the Admin Console with an administrator role. This issue has been fixed in FileMaker Server 20.3.1 by reducing the information sent in requests.",
"id": "GHSA-4qv4-vh73-q92w",
"modified": "2024-08-27T21:31:11Z",
"published": "2024-03-22T00:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42954"
},
{
"type": "WEB",
"url": "https://support.claris.com/s/answerview?anum=000041424\u0026language=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4RCJ-4MWW-76CQ
Vulnerability from github – Published: 2026-03-23 03:31 – Updated: 2026-03-23 03:31GV Edge Recording Manager (ERM) v2.3.1 improperly runs application components with SYSTEM-level privileges, allowing any local user to gain full control of the operating system.
During installation, ERM creates a Windows service that runs under the LocalSystem account.
When the ERM application is launched, related processes are spawned under SYSTEM privileges rather than the security context of the logged-in user.
Functions such as 'Import Data' open a Windows file dialog operating with SYSTEM permissions, enabling modification or deletion of protected system files and directories.
Any ERM function invoking Windows file open/save dialogs exposes the same risk.
This vulnerability allows local privilege escalation and may result in full system compromise.
{
"affected": [],
"aliases": [
"CVE-2026-4606"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-23T02:16:05Z",
"severity": "CRITICAL"
},
"details": "GV Edge Recording Manager (ERM) v2.3.1 improperly runs application components with SYSTEM-level privileges, allowing any local user to gain full control of the operating system.\u00a0\n\nDuring installation, ERM creates a Windows service that runs under the LocalSystem account.\u00a0\n\nWhen the ERM application is launched, related processes are spawned under SYSTEM privileges rather than the security context of the logged-in user.\u00a0\n\nFunctions such as \u0027Import Data\u0027 open a Windows file dialog operating with SYSTEM permissions, enabling modification or deletion of protected system files and directories.\u00a0\n\nAny ERM function invoking Windows file open/save dialogs exposes the same risk.\u00a0\n\nThis vulnerability allows local privilege escalation and may result in full system compromise.",
"id": "GHSA-4rcj-4mww-76cq",
"modified": "2026-03-23T03:31:39Z",
"published": "2026-03-23T03:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4606"
},
{
"type": "WEB",
"url": "https://https://www.geovision.com.tw/cyber_security.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:I/V:C/RE:M/U:Green",
"type": "CVSS_V4"
}
]
}
GHSA-4W89-WF2P-R2RR
Vulnerability from github – Published: 2024-04-09 21:31 – Updated: 2024-08-24 00:30An issue in Canimaan Software LTD ClamXAV v3.1.2 through v3.6.1 and fixed in v.3.6.2 allows a local attacker to escalate privileges via the ClamXAV helper tool component.
{
"affected": [],
"aliases": [
"CVE-2024-24245"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T19:15:22Z",
"severity": "HIGH"
},
"details": "An issue in Canimaan Software LTD ClamXAV v3.1.2 through v3.6.1 and fixed in v.3.6.2 allows a local attacker to escalate privileges via the ClamXAV helper tool component.",
"id": "GHSA-4w89-wf2p-r2rr",
"modified": "2024-08-24T00:30:29Z",
"published": "2024-04-09T21:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24245"
},
{
"type": "WEB",
"url": "https://www.clamxav.com/version-history"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-18
Strategy: Separation of Privilege
Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation MIT-18
Strategy: Attack Surface Reduction
Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation
Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements.
Mitigation MIT-19
When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed.
Mitigation
If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitigation is much more prone to error than dropping the privileges in the first place.
Mitigation MIT-37
Strategy: Environment Hardening
Ensure that the software runs properly under the United States Government Configuration Baseline (USGCB) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.
CAPEC-104: Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.
CAPEC-470: Expanding Control over the Operating System from the Database
An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
CAPEC-69: Target Programs with Elevated Privileges
This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.