Privilege escalation
Privilege escalation is a cybersecurity technique employed by threat actors to obtain higher-level access rights or permissions within a computer system or network than those originally granted, often by exploiting vulnerabilities, misconfigurations, or weaknesses in security controls.[1] This process allows an attacker who has initially compromised a low-privilege account to elevate their status to that of an administrator or root user, enabling further malicious activities such as data exfiltration, ransomware deployment, or lateral movement across the network.[2] In essence, it undermines the principle of least privilege, a foundational security concept that restricts users to only the permissions necessary for their tasks, thereby amplifying the potential impact of an initial breach.[1] Privilege escalation attacks are broadly categorized into two types: vertical and horizontal. Vertical privilege escalation involves gaining elevated permissions beyond the attacker's current level, such as from a standard user to a system administrator, typically through exploiting software bugs, unpatched vulnerabilities, or improper access controls.[1] For instance, attackers might use buffer overflow exploits or manipulate sudo configurations in Linux environments to achieve root access.[1] Horizontal privilege escalation, on the other hand, entails accessing multiple accounts or resources at the same privilege level to broaden the scope of compromise, such as impersonating other users with equivalent rights to traverse a network undetected.[1] Additionally, these attacks can be classified as local, originating from within the system (e.g., by an insider), or remote, initiated externally via the internet.[2] Common vectors for privilege escalation include stolen credentials obtained through phishing or keyloggers, malware such as Trojans and rootkits that hijack processes, and misconfigurations like overly permissive file permissions or weak password policies.[2] Real-world examples highlight its prevalence and severity: in the 2013 Target data breach, which resulted in a settlement exceeding $18 million in 2017, attackers escalated privileges using vendor credentials, leading to the theft of millions of customer records; similarly, a 2021 Polkit vulnerability in Linux distributions allowed local users to gain root access, underscoring ongoing risks in open-source systems.[2] According to threat intelligence reports, approximately 30% of cyberattacks involve the use of compromised accounts to facilitate such escalations.[1] To mitigate privilege escalation, organizations should implement robust defenses including the enforcement of least privilege access, multi-factor authentication (MFA), regular patching of vulnerabilities, and endpoint detection and response (EDR) tools for real-time monitoring.[1] User training on phishing awareness and the adoption of zero-trust architectures further reduce the attack surface by verifying every access request regardless of origin.[2] These measures are critical, as privilege escalation remains a persistent tactic in advanced persistent threats (APTs) and ransomware campaigns, emphasizing its role as a pivotal step in the cyber kill chain.[2]Background
Definition
Privilege escalation refers to the process by which a user, application, or process obtains higher-level access rights or permissions than those initially granted, typically by exploiting vulnerabilities, misconfigurations, or flaws in access controls.[2] This technique allows unauthorized elevation from limited privileges, such as a standard user account, to administrative or system-level control, enabling deeper system manipulation.[3] At its core, privilege escalation involves circumventing security mechanisms like user authentication, role-based access controls, or sandboxing environments to attain elevated states, such as root or administrator access on operating systems.[2] For instance, attackers may target setuid binaries or kernel vulnerabilities to bypass these protections and execute code with greater authority.[4] One of the earliest notable instances of privilege escalation occurred in 1988 with the Morris Worm, which exploited a buffer overflow vulnerability in the fingerd service—a root-privileged daemon on Unix systems—to execute arbitrary code and gain root access, facilitating further propagation across networks.[5][6] The risks associated with successful privilege escalation are severe, including full system takeover, data exfiltration leading to breaches, or deployment of ransomware that encrypts critical resources.[2] According to the 2025 Verizon Data Breach Investigations Report, 60% of all breaches involve the human element, encompassing privilege misuse alongside errors, stolen credentials, and social engineering.[7] These incidents underscore the technique's role in amplifying attack impacts across industries. Privilege escalation manifests in forms such as vertical, elevating to higher privilege levels, and horizontal, expanding access laterally at the same level, though detailed mechanisms vary by context.[8]Types
Privilege escalation is fundamentally categorized into vertical and horizontal types, with hybrid or chained escalations representing combinations of these. Understanding these distinctions requires familiarity with core access control models that govern permissions in systems. Role-Based Access Control (RBAC) assigns permissions to roles rather than individual users, allowing users to assume roles for specific tasks, while Access Control Lists (ACLs) define permissions for specific resources by listing allowed entities.[9][10] These models enforce the principle of least privilege, and escalation occurs when an entity bypasses or exceeds these boundaries.[11] Vertical privilege escalation involves an entity gaining access to higher levels of privileges than originally granted, such as a standard user account elevating to administrative or root access. This type targets hierarchical privilege structures, where lower-tier accounts seek to control system-wide resources. Common vectors include kernel exploits that manipulate operating system vulnerabilities to bypass ring-level protections.[12] Vertical escalation can occur legitimately through authorized mechanisms, like thesudo command in Unix-like systems for temporary administrative tasks, or maliciously via unauthorized exploits that abuse misconfigurations or software flaws.[11][13]
Horizontal privilege escalation, in contrast, enables movement across entities at the same privilege level, such as accessing another user's data or account without elevating to a higher tier. This is prevalent in multi-tenant environments like shared cloud infrastructures or web applications, where segregation between peers is critical. For instance, an attacker might exploit improper session handling to impersonate a peer user with equivalent access rights.[11][14] Unlike vertical escalation, horizontal does not inherently increase absolute power but expands scope within the same stratum, often facilitating broader unauthorized actions.[13]
Hybrid or chained escalations conceptually combine vertical and horizontal movements, where an initial escalation (e.g., vertical to gain a foothold) enables subsequent lateral shifts (e.g., horizontal across systems). These chains exploit sequential vulnerabilities to achieve comprehensive control, modeling the process as a series of interconnected actions in security analyses.[15] Such combinations amplify impact but require coordinated exploitation paths.
Vertical Privilege Escalation
Mechanisms
Vertical privilege escalation involves techniques that enable an attacker to obtain higher-level access rights or permissions than originally granted, such as elevating from a standard user to an administrator or root user within a single system. This is achieved by exploiting software vulnerabilities, misconfigurations, or security weaknesses that allow unauthorized elevation of privileges.[16] One common mechanism is the exploitation of vulnerabilities in software or the operating system kernel. For instance, buffer overflow attacks overwrite memory to inject and execute malicious code with elevated privileges, while use-after-free errors in applications can lead to arbitrary code execution. In Linux environments, kernel exploits like race conditions permit writing to read-only files, enabling attackers to modify system configurations for root access. On Windows, flaws in kernel components, such as the Win32k subsystem, allow local users to escalate to SYSTEM privileges through crafted inputs.[17][18] Misconfigurations represent another key vector, particularly on Unix-like systems where setuid (SUID) binaries execute with the owner's privileges, often root. Attackers enumerate these using commands likefind / -perm -u=s -type f 2>/dev/null and exploit flaws in vulnerable SUID programs to spawn root shells. Improper sudo configurations, such as rules allowing passwordless execution of editors (e.g., vi or nano), can be abused to edit sensitive files like /etc/shadow as root. In Windows, unquoted service paths or weak permissions on service executables allow replacement with malicious binaries that run with higher privileges upon service restart.[17][18]
Credential-based methods involve extracting or cracking higher-privilege credentials from the compromised system. Tools like Mimikatz on Windows dump LSASS process memory to retrieve NTLM hashes or Kerberos tickets, enabling pass-the-hash attacks to authenticate as administrators. Malware, such as Trojans or rootkits, can facilitate escalation by hooking system calls to redirect execution to attacker-controlled code running under elevated contexts. Social engineering may also trick users into revealing admin credentials, though this often precedes technical exploitation.[19]
Examples
The Dirty COW vulnerability (CVE-2016-5195), disclosed in October 2016, affected Linux kernels from version 2.6.32 to 4.8.3, exploiting a race condition in the copy-on-write mechanism to gain write access to read-only memory mappings. Local users could overwrite privileged files, such as /etc/passwd, to insert root accounts, leading to full system compromise. This flaw was exploited in Android malware campaigns, impacting devices worldwide until patched in late 2016.[17] PrintNightmare (CVE-2021-34527), a 2021 vulnerability in the Windows Print Spooler service, allowed local attackers to execute arbitrary code as the SYSTEM user by abusing RPC interface calls for driver installation. Initially disclosed through proof-of-concept code, it was rapidly weaponized in ransomware operations like Conti, where attackers escalated from user-level access to deploy payloads and encrypt networks. Microsoft released emergency patches in July 2021, but exploitation continued into 2022.[18] The Baron Samedit vulnerability (CVE-2021-3156) in the sudo utility, affecting versions 1.8.2 through 1.9.5p1, enabled heap-based buffer overflows via the sudoedit plugin, allowing unprivileged users to execute commands as root without authentication. Disclosed in January 2021, it was exploited in the wild within 24 hours, targeting Linux distributions like Ubuntu and Debian for persistence and data exfiltration. Vendors issued patches shortly after, but legacy systems remained at risk as of 2023.[17] In the 2021 Microsoft Exchange Server attacks attributed to HAFNIUM, attackers used zero-day vulnerabilities (e.g., CVE-2021-26855) to achieve initial access, then escalated vertically via the ProxyLogon chain to run code as SYSTEM on on-premises servers. This enabled web shell deployment and theft of email data from over 250,000 organizations globally, highlighting risks in unpatched enterprise software.[16]Platform-Specific Cases
In iOS devices, jailbreaking represents a form of vertical privilege escalation where users exploit vulnerabilities to gain root access, bypassing Apple's restrictions on the locked-down operating system. A prominent example is the checkm8 bootrom exploit, disclosed in 2019, which targets the SecureROM (BootROM) firmware in Apple A5 to A11 processors, enabling permanent, unpatchable code execution during the boot process on devices from the iPhone 4S to the iPhone X. This hardware-level vulnerability allows attackers or users to inject unsigned code early in the boot chain, facilitating full kernel access without software mitigations. The unc0ver jailbreak tool, released starting in 2019 and updated through 2021, leverages checkm8 on compatible hardware alongside kernel exploits like the tfp0 vulnerability to achieve semi-untethered root access on iOS versions up to 14.8, preserving some security layers such as code signing while enabling package managers like Cydia.[20][21][22][23] Android rooting, another vertical escalation technique, exploits the open-source Linux kernel, contrasting with iOS's proprietary codebase and enabling broader community-driven tools for superuser privileges. The Dirty Pipe vulnerability (CVE-2022-0847), disclosed in 2022, affects Linux kernels 5.8 and later—including many Android versions—allowing local attackers with read access to pipes to overwrite data in read-only files, such as those in /etc or kernel modules, leading to root shell access through injected code. Tools like KingRoot, a one-click APK-based rooter active since 2013, exploit similar kernel flaws via temporary root to install persistent superuser binaries, supporting devices on Android 4.2 to 5.1 and beyond through chained vulnerabilities. Magisk, an open-source systemless rooting framework developed since 2016, uses Dirty Pipe-like exploits to patch the boot image without modifying the system partition, hiding root from apps via module overlays and supporting Android 6.0 and higher. This open-kernel nature facilitates faster evolution of rooting methods compared to iOS, with exploits often ported from upstream Linux fixes.[24][25][26][27][28] On macOS, privilege escalation often involves bypassing Gatekeeper, Apple's mechanism for verifying signed and notarized apps, through exploits in the XNU kernel or signing processes. In 2021, attackers exploited CVE-2021-30657, a flaw in Gatekeeper's handling of hardened runtime entitlements, allowing unsigned or malicious code execution within signed app bundles downloaded via browsers that fail to apply quarantine attributes. This kernel-linked issue in XNU enabled local privilege escalation by injecting payloads into trusted apps, as seen in watering hole attacks targeting Safari users with chained exploits for arbitrary code execution. Another 2021 vector involved signed app exploits like those in Shlayer malware, which abused installer packages (.pkg) to bypass notarization checks during elevated privilege prompts, granting root access on macOS Big Sur and earlier.[29][30][31][32] The evolution of iOS jailbreaking has shifted toward untethered and semi-untethered methods post-2015, reducing reliance on tethered reboots that required a host computer for kernel repatching after power cycles. This transition began with the Pangu9 tool in October 2015, providing the first untethered jailbreak for iOS 9.0-9.0.2 via a kernel exploit that persisted across reboots without hardware intervention. Subsequent tools like Yalu (2016) and Electra (2018) built on this, exploiting XNU kernel bugs for full autonomy, while checkm8's 2019 hardware foundation enabled permanent untethered roots on older devices, marking a decline in tethered techniques due to improved exploit chains and user demand for seamless operation.[33][34]Type-Specific Mitigations
To counter vertical privilege escalation, organizations must prioritize vulnerability management, including regular patching of operating systems and applications to address known exploits like kernel flaws. Automated patch deployment and vulnerability scanning tools, such as Nessus or OpenVAS, help identify unpatched systems; for Linux, kernels should be updated promptly, and unnecessary SUID binaries removed or audited using tools like Lynis. As of 2025, maintaining systems on supported versions reduces exposure to legacy vulnerabilities.[19] The principle of least privilege is fundamental, restricting user accounts to minimal permissions and avoiding standing admin rights. Role-based access control (RBAC) enforces this by granting elevated access only when needed, while on Unix systems, sudoers files should specify precise commands and require passwords for sensitive operations. In Windows, User Account Control (UAC) prompts for elevations, and disabling unnecessary services like Print Spooler mitigates specific vectors. Periodic privilege audits using tools like PowerShell scripts or sudo -l enumeration prevent misconfigurations.[16][18] Multi-factor authentication (MFA) for privileged accounts blocks unauthorized use of stolen credentials, even if dumped via tools like Mimikatz. Endpoint detection and response (EDR) solutions monitor for indicators of escalation, such as anomalous process creations or memory access patterns, enabling automated isolation. Just-in-time (JIT) privilege elevation, available in platforms like Azure AD, provides temporary admin access with logging and revocation after use, minimizing persistent high-privilege exposure. User training on recognizing social engineering further reduces risks.[19]Horizontal Privilege Escalation
Mechanisms
Horizontal privilege escalation involves techniques that allow an attacker to move laterally within a system or network by assuming the privileges of another entity at the same access level, such as from one user account to another peer account, without elevating to higher tiers like administrator or root. These mechanisms exploit shared authentication artifacts, session controls, or configuration weaknesses to enable unauthorized access to resources intended for equivalent privilege holders. Unlike vertical escalation, which targets higher privileges, horizontal methods focus on pivoting across similar-tier accounts to expand control over the environment.[19] One common technique is token manipulation, particularly in Windows environments, where attackers duplicate or steal access tokens associated with user sessions to impersonate other accounts at the same privilege level. Access tokens in Windows represent a user's security context and are used to authorize actions; by copying a token from a process owned by another user, an attacker can spawn new processes or authenticate remotely under that identity, facilitating lateral movement across machines. This often involves dumping tokens from the Local Security Authority Subsystem Service (LSASS) process, which stores active logon sessions, using tools like Mimikatz to extract and manipulate them for reuse in the same privilege tier. For instance, Mimikatz's token manipulation modules allow injection of stolen tokens into the attacker's session, enabling access to network shares or services as the targeted peer user.[35][36] Session hijacking represents another key mechanism, where attackers intercept or steal active sessions to pivot between users at equivalent access levels. In Remote Desktop Protocol (RDP) scenarios, adversaries can hijack established sessions using native Windows tools like tscon.exe, which reconnects a session to the console without requiring credentials, provided the attacker has local system access on the target machine. This allows seamless takeover of another user's RDP session for lateral navigation within the network, such as accessing shared resources or further systems under the hijacked identity. Similarly, in web applications, session hijacking exploits stolen session tokens—often via sniffing, cross-site scripting (XSS), or prediction—to impersonate another user at the same role, enabling unauthorized actions like viewing or modifying peer data without authentication prompts.[37][38] Misconfiguration exploits, such as weak access control lists (ACLs), provide opportunities for horizontal escalation by permitting unintended reads or writes across accounts at the same privilege tier. ACLs define permissions on files, directories, or objects; overly permissive settings, like granting "Everyone" full control on sensitive shares, allow a compromised low-privilege user to access or alter data belonging to another user in the same group. In web contexts, broken access controls manifest as insecure direct object references, where manipulating parameters (e.g., user IDs in URLs) lets an attacker retrieve or edit another user's information without proper authorization checks. These misconfigurations are prevalent, with studies showing an average incidence rate of 3.81% in tested applications, underscoring their role in enabling lateral data exfiltration or tampering at peer levels.[39] Pass-the-hash and pass-the-ticket attacks leverage stolen authentication material to authenticate laterally without knowing plaintext passwords, targeting same-tier credential reuse across systems. In pass-the-hash, attackers use captured NTLM password hashes—often from memory dumps—to directly authenticate to remote services like SMB shares or RDP, bypassing password validation and allowing movement as the original user account. Tools such as Mimikatz's sekurlsa::pth module facilitate this by injecting hashes into the current session for immediate use. Pass-the-ticket extends this to Kerberos environments, where stolen Kerberos tickets (e.g., ticket-granting tickets or service tickets) are exported and imported to access resources on behalf of the ticket's owner, enabling horizontal pivoting in Active Directory domains. Both techniques exploit credential persistence in memory or caches, with variants like overpass-the-hash combining them to generate tickets from hashes for broader lateral reach.[40][41]Examples
One prominent example of horizontal privilege escalation in web applications occurred during the 2017 Equifax data breach, where attackers exploited a remote code execution vulnerability in Apache Struts (CVE-2017-5638). This flaw enabled initial unauthorized access to Equifax's web application, after which the intruders traversed the internal network to reach the consumer dispute portal database, allowing them to laterally access and exfiltrate sensitive personal data belonging to approximately 147 million individuals across multiple user accounts and sessions.[42] The breach highlighted how peer-level network traversal can facilitate unauthorized data access without needing elevated system privileges, as the attackers operated within the application's privilege context to hop between interconnected components.[43] In network environments, the EternalBlue exploit, leveraged in the 2017 WannaCry ransomware campaign, demonstrated horizontal privilege escalation through automated peer-to-peer propagation. EternalBlue (MS17-010) targeted a vulnerability in the Windows Server Message Block (SMB) protocol, permitting remote code execution on unpatched systems and enabling the malware to scan and infect other machines within the same domain or local network at the same privilege level, such as from one workstation to another.[44] This "worm-like" behavior allowed WannaCry to compromise over 200,000 systems globally in a single day by hopping between similarly privileged endpoints, encrypting files and demanding ransom without requiring vertical elevation.[45] Database systems are also susceptible to horizontal privilege escalation via SQL injection attacks, which can manipulate queries to access schemas or records belonging to other users at the same access level. For instance, an attacker might alter a parameterized query intended for a specific user's data—such asSELECT * FROM users WHERE id = 'input'—to SELECT * FROM users WHERE id = '1' OR '1'='1', dumping the entire table and enabling peer-to-peer data exposure. Elements of this were evident in the 2019 Capital One breach, where a server-side request forgery vulnerability in a web application led to the acquisition of temporary AWS IAM credentials, allowing lateral access to S3 buckets containing credit card applications and personal data from over 100 million customers across shared storage schemas.[46] Although not a direct SQL injection, the incident underscored how flawed access controls in cloud databases can mimic horizontal escalation by permitting unauthorized traversal to peer resources.[47]
A more recent case is the 2021 Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j, widely exploited in 2022 for horizontal movement in Java-based applications. This remote code execution flaw occurs when user-controlled input is logged, triggering JNDI lookups that download and execute malicious code from remote servers, enabling attackers to pivot laterally across networked Java services—such as from one application server to others in the same environment—gaining equivalent access to peer systems without initial privilege elevation.[48] In affected enterprise deployments, this facilitated widespread lateral propagation, as seen in attacks on Minecraft servers and cloud infrastructures where compromised nodes infected adjacent instances at the same security tier.[49]