diff --git a/modules/vulnerabilities/unix/access_control_misconfigurations/writable_groups/secgen_metadata.xml b/modules/vulnerabilities/unix/access_control_misconfigurations/writable_groups/secgen_metadata.xml
index 0c81dd024..72d2b5805 100644
--- a/modules/vulnerabilities/unix/access_control_misconfigurations/writable_groups/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/access_control_misconfigurations/writable_groups/secgen_metadata.xml
@@ -9,7 +9,7 @@ Changes permissions on /etc/group file to 0777, local users can escalate to root by adding account to sudo.
- access_controls
+ access_control_misconfiguration root_rw local linux
diff --git a/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/manifests/config.pp b/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/manifests/config.pp
new file mode 100644
index 000000000..e86706e33
--- /dev/null
+++ b/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/manifests/config.pp
@@ -0,0 +1,6 @@
+class writable_passwd::config {
+ file { '/etc/passwd':
+ ensure => present,
+ mode => '0777',
+ }
+}
diff --git a/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/secgen_metadata.xml b/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/secgen_metadata.xml
new file mode 100644
index 000000000..041151a16
--- /dev/null
+++ b/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/secgen_metadata.xml
@@ -0,0 +1,24 @@
+ + + Writable Passwd File + Thomas Shaw + MIT + Changes permissions on passwd file to 777, open to account tampering to local users. + This is not a common misconfiguration, and not particularly subtle. + + access_control_misconfiguration + root_rw + local + linux + + + medium + 6.6 + AV:L/AC:M/Au:S/C:C/I:C/A:C + + + +
\ No newline at end of file
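Review bot: The new `file { '/etc/passwd': ... }` resource in config.pp carries no comment saying that its title is an ordering anchor: `parameterised_accounts::account` in this same change builds `before => File['/etc/passwd']` (via `$misconfigurations`), so renaming the class makes that side's `defined()` guard fall through silently, and renaming the resource title breaks the reference. Suggest a header comment on the class such as `# Intentional lab misconfiguration: makes /etc/passwd world-writable. The resource title is referenced from parameterised_accounts::account as File['/etc/passwd']; keep the two in sync.` Only `mode` is managed here, so owner and group stay whatever the base image provides; if the scenario depends on root ownership, state it with `owner => 'root', group => 'root'` rather than relying on the image.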
diff --git a/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/writable_passwd.pp b/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/writable_passwd.pp
new file mode 100644
index 000000000..2d222b7b5
--- /dev/null
+++ b/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/writable_passwd.pp
@@ -0,0 +1 @@
+include writable_passwd::config
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/system/parameterised_accounts/manifests/account.pp b/modules/vulnerabilities/unix/system/parameterised_accounts/manifests/account.pp
index 6138df569..81a52fc74 100644
--- a/modules/vulnerabilities/unix/system/parameterised_accounts/manifests/account.pp
+++ b/modules/vulnerabilities/unix/system/parameterised_accounts/manifests/account.pp
@@ -1,20 +1,28 @@
 define parameterised_accounts::account($username, $password, $super_user, $strings_to_leak, $leaked_filenames) {
-
- # condition because ::accounts::user changes permissions on /etc/group so needs to run before vulns/writable_groups
- if defined('writable_groups::config'){
+ # ::accounts::user changes permissions on group, passwd, shadow etc. so needs to run before
+ if defined('writable_groups::config') {
 include ::writable_groups::config
- ::accounts::user { $username:
- shell => '/bin/bash',
- password => pw_hash($password, 'SHA-512', 'mysalt'),
- managehome => true,
- before => File['/etc/group']
- }
- } else {
- ::accounts::user { $username:
- shell => '/bin/bash',
- password => pw_hash($password, 'SHA-512', 'mysalt'),
- managehome => true,
- }
+ $writable_groups = [File['/etc/group']]
+ } else { $writable_groups = [] }
+
+ if defined('writable_passwd::config') {
+ include ::writable_passwd::config
+ $writable_passwd = [File['/etc/passwd']]
+ } else { $writable_passwd = [] }
+
+ if defined('writable_shadow::config') {
+ include ::writable_shadow::config
+ $writable_shadow = [File['/etc/shadow']]
+ } else { $writable_shadow = [] }
+
+ $misconfigurations = concat($writable_groups, $writable_passwd, $writable_shadow)
+
+ # Add user account
+ ::accounts::user { $username:
+ shell => '/bin/bash',
+ password => pw_hash($password, 'SHA-512', 'mysalt'),
+ managehome => true,
+ before => $misconfigurations,
 } # sort groups if sudo add to conf
diff --git a/scenarios/examples/vulnerability_examples/access_control_misconfiguration_examples/writable_passwd.xml b/scenarios/examples/vulnerability_examples/access_control_misconfiguration_examples/writable_passwd.xml
new file mode 100644
index 000000000..69815ff16
--- /dev/null
+++ b/scenarios/examples/vulnerability_examples/access_control_misconfiguration_examples/writable_passwd.xml
@@ -0,0 +1,29 @@
+ + + + + + server + + + + + + + + + test + + + test + + + + + + + + +
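Review bot: The re-added `password => pw_hash($password, 'SHA-512', 'mysalt'),` line keeps a fixed salt, so every generated account with the same password gets an identical shadow hash across users and across builds; the hunk carries this over from the old code rather than fixing it, and a per-account salt (for example derived from `$username` via `fqdn_rand_string`, or a generated salt passed in as a parameter) would avoid it. Second, `defined('writable_passwd::config')` and the two sibling checks are true whenever the class definition is loadable, not only when a scenario declared the class, so the three `include`s presumably rely on SecGen putting only the selected modules on the modulepath — worth stating on the first `if`, e.g. `# defined() is true whenever the module is on the modulepath; SecGen only ships modules the scenario selected`. On style, `} else { $writable_groups = [] }` and its two twins collapse the else onto one line while the if-branches are multiline, and since Puppet 4+ arrays add with `+`, `$misconfigurations = $writable_groups + $writable_passwd + $writable_shadow` would drop the stdlib `concat` call. `writable_shadow::config` is referenced although no such module is part of this change (harmless if absent, but then a dead branch), and the `define` body continues past the end of the hunk.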