Software weaknesses are flaws, bugs, vulnerabilities, and various other types of errors impacting a software solution’s code, architecture, implementation, or design, potentially exposing systems it’s running on to attacks.

MITRE developed the top 25 list using Common Vulnerabilities and Exposures (CVE) data from 2019 and 2020 obtained from the National Vulnerability Database (NVD) (roughly 27,000 CVEs). They are dangerous because they are usually easy to discover, have a high impact, and are prevalent in software released during the last two years which could lead to password stealing , DOS Attacks , APT , Supply chain attacks.

The list as given below.

RankCWE IDName
1CWE-787Out-of-bounds Write
2CWE-79Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
3CWE-125Out-of-bounds Read
4CWE-20Improper Input Validation
5CWE-78Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
6CWE-89Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
7CWE-416Use After Free
8CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
9CWE-352Cross-Site Request Forgery (CSRF)
10CWE-434Unrestricted Upload of File with Dangerous Type
11CWE-306Missing Authentication for Critical Function
12CWE-190Integer Overflow or Wraparound
13CWE-502Deserialization of Untrusted Data
14CWE-287Improper Authentication
15CWE-476NULL Pointer Dereference
16CWE-798Use of Hard-coded Credentials
17CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer
18CWE-862Missing Authorization
19CWE-276Incorrect Default Permissions
20CWE-200Exposure of Sensitive Information to an Unauthorized Actor
21CWE-522Insufficiently Protected Credentials
22CWE-732Incorrect Permission Assignment for Critical Resource
23CWE-611Improper Restriction of XML External Entity Reference
24CWE-918Server-Side Request Forgery (SSRF)
25CWE-77Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Top 10 Exploited Vulnerabilities

Last year CISA,FBI released most exploited vulnerabilities between (2016-2019) list out of which the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. Transitioning away from end-of-life software as soon as possible as the easiest and quickest way to mitigate old unpatched security bugs.

Below is the list of vulnerabilities with NVD ID’s

CVEAssociated Malware
CVE-2017-11882Loki, FormBook, Pony/FAREIT
CVE-2017-0199FINSPY, LATENTBOT, Dridex
CVE-2019-0604China Chopper
CVE-2017-0143Multiple using the EternalSynergy and EternalBlue Exploit Kit
CVE-2017-8759FINSPY, FinFisher, WingBird
CVE-2015-1641Toshliph, Uwarrior