MITRE ATT&CK Top Most Software Bugs
Share this:
Software weaknesses are flaws, bugs, vulnerabilities, and various other types of errors impacting a software solution’s code, architecture, implementation, or design, potentially exposing systems it’s running on to attacks.
MITRE developed the top 25 list using Common Vulnerabilities and Exposures (CVE) data from 2019 and 2020 obtained from the National Vulnerability Database (NVD) (roughly 27,000 CVEs). They are dangerous because they are usually easy to discover, have a high impact, and are prevalent in software released during the last two years which could lead to password stealing , DOS Attacks , APT , Supply chain attacks.
The list as given below.
| Rank | CWE ID | Name |
| 1 | CWE-787 | Out-of-bounds Write |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| 3 | CWE-125 | Out-of-bounds Read |
| 4 | CWE-20 | Improper Input Validation |
| 5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| 6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| 7 | CWE-416 | Use After Free |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| 11 | CWE-306 | Missing Authentication for Critical Function |
| 12 | CWE-190 | Integer Overflow or Wraparound |
| 13 | CWE-502 | Deserialization of Untrusted Data |
| 14 | CWE-287 | Improper Authentication |
| 15 | CWE-476 | NULL Pointer Dereference |
| 16 | CWE-798 | Use of Hard-coded Credentials |
| 17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| 18 | CWE-862 | Missing Authorization |
| 19 | CWE-276 | Incorrect Default Permissions |
| 20 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| 21 | CWE-522 | Insufficiently Protected Credentials |
| 22 | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| 23 | CWE-611 | Improper Restriction of XML External Entity Reference |
| 24 | CWE-918 | Server-Side Request Forgery (SSRF) |
| 25 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) |
Top 10 Exploited Vulnerabilities
Last year CISA,FBI released most exploited vulnerabilities between (2016-2019) list out of which the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. Transitioning away from end-of-life software as soon as possible as the easiest and quickest way to mitigate old unpatched security bugs.
Below is the list of vulnerabilities with NVD ID’s
| CVE | Associated Malware |
| CVE-2017-11882 | Loki, FormBook, Pony/FAREIT |
| CVE-2017-0199 | FINSPY, LATENTBOT, Dridex |
| CVE-2017-5638 | JexBoss |
| CVE-2012-0158 | Dridex |
| CVE-2019-0604 | China Chopper |
| CVE-2017-0143 | Multiple using the EternalSynergy and EternalBlue Exploit Kit |
| CVE-2018-4878 | DOGCALL |
| CVE-2017-8759 | FINSPY, FinFisher, WingBird |
| CVE-2015-1641 | Toshliph, Uwarrior |
| CVE-2018-7600 | Kitty |
1 thought on “MITRE ATT&CK Top Most Software Bugs”