
The US government has published a list of the most common and impactful software weaknesses of the past two years.
The CWE Top 25 list was announced by the Homeland Security Systems Engineering and Development Institute (HSSEDI), which is sponsored by the Department of Homeland Security (DHS) and operated by the non-profit MITRE Corporation.
Software weaknesses are errors, bugs, flaws and other defects that can give rise to vulnerabilities. Unlike the Common Vulnerabilities and Exposures (CVE) system, which assigns an identifier to each specific publicly disclosed vulnerability, the Common Weakness Enumeration (CWE) is a catalogue of generic weakness types. In other words, a CWE entry names a class of software weakness rather than a specific vulnerability in a specific product; a single CWE such as out-of-bounds write is the root cause behind thousands of individual CVEs.
Out-of-bounds write (CWE-787) tops the list, followed by cross-site scripting (CWE-79) and SQL injection (CWE-89). Vulnerabilities arising from these weaknesses are often exploitable to take control of an affected system, steal data, or prevent applications from working.
The Cybersecurity and Infrastructure Security Agency (CISA) urged developers and product security teams to review the Top 25 and decide which of the recommended mitigations to adopt. It said more articles would follow over the coming weeks explaining the methodology used to calculate the ranking, trends in how CVEs are mapped to CWEs, and more.
CWEs are becoming increasingly important as developers and security teams try to eliminate the root causes that turn into vulnerabilities. In 2022, a record 25,096 CVEs were published to the US National Vulnerability Database (NVD). That was a 25% year-on-year increase and the sixth consecutive year in which the volume of newly disclosed vulnerabilities reached an all-time high.
The 2023 CWE Top 25. "CVEs in KEV" is the number of CVEs mapped to that weakness that appear in CISA's Known Exploited Vulnerabilities (KEV) catalog; "Rank change" is relative to the 2022 list, with a positive value meaning the weakness moved up the ranking.

| Rank | ID | Name | Score | CVEs in KEV | Rank change vs. 2022 |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | 63.72 | 70 | 0 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.54 | 4 | 0 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 34.27 | 6 | 0 |
| 4 | CWE-416 | Use After Free | 16.71 | 44 | +3 |
| 5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 15.65 | 23 | +1 |
| 6 | CWE-20 | Improper Input Validation | 15.50 | 35 | -2 |
| 7 | CWE-125 | Out-of-bounds Read | 14.60 | 2 | -2 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.11 | 16 | 0 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.73 | 0 | 0 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.41 | 5 | 0 |
| 11 | CWE-862 | Missing Authorization | 6.90 | 0 | +5 |
| 12 | CWE-476 | NULL Pointer Dereference | 6.59 | 0 | -1 |
| 13 | CWE-287 | Improper Authentication | 6.39 | 10 | +1 |
| 14 | CWE-190 | Integer Overflow or Wraparound | 5.89 | 4 | -1 |
| 15 | CWE-502 | Deserialization of Untrusted Data | 5.56 | 14 | -3 |
| 16 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 4.95 | 4 | +1 |
| 17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.75 | 7 | +2 |
| 18 | CWE-798 | Use of Hard-coded Credentials | 4.57 | 2 | -3 |
| 19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.56 | 16 | +2 |
| 20 | CWE-306 | Missing Authentication for Critical Function | 3.78 | 8 | -2 |
| 21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 3.53 | 8 | +1 |
| 22 | CWE-269 | Improper Privilege Management | 3.31 | 5 | +7 |
| 23 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 3.30 | 6 | +2 |
| 24 | CWE-863 | Incorrect Authorization | 3.16 | 0 | +4 |
| 25 | CWE-276 | Incorrect Default Permissions | 3.16 | 0 | -5 |
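What the top entry looks like in code. The example below is added here and is not from the article or from MITRE's CWE material: a toy parser for a constructed length-prefixed message format (one length byte followed by that many name bytes), written once with a CWE-787 out-of-bounds write and once hardened. The message format, the 16-byte `NAME_CAP` field and all function names are assumptions made for the illustration. The vulnerable version bounds its read from the message but lets the attacker-controlled length byte drive the write into a fixed-size destination; the hardened version makes the destination capacity part of the function's contract and rejects anything that would not fit, which is the mitigation CWE-787 recommends.

```c
/* Added example, not code from the page: CWE-787 Out-of-bounds Write in a
 * toy length-prefixed message parser, beside its hardened form.
 * Constructed wire format: [len: 1 byte][name: len bytes]. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16   /* capacity of the destination field the caller intends */

/* Serialise a name into the constructed wire format; returns bytes written, 0 on error. */
static size_t build_msg(uint8_t *buf, size_t buf_len, const char *name, size_t len)
{
    if (len > 255 || buf_len < 1 + len) return 0;
    buf[0] = (uint8_t)len;
    memcpy(buf + 1, name, len);
    return 1 + len;
}

/* A message whose length byte (40) exceeds NAME_CAP (16): constructed attacker input. */
static size_t oversized_msg(uint8_t *buf, size_t buf_len)
{
    char big[40];
    memset(big, 'A', sizeof big);
    return build_msg(buf, buf_len, big, sizeof big);
}

/* Vulnerable (CWE-787): the attacker-controlled length byte drives memcpy.
 * The read from msg is bounded by msg_len, but nothing bounds the write into name. */
int parse_name_unsafe(const uint8_t *msg, size_t msg_len, char *name)
{
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (len > msg_len - 1) return -1;     /* message is truncated */
    memcpy(name, msg + 1, len);           /* out-of-bounds write when len >= NAME_CAP */
    name[len] = '\0';
    return (int)len;
}

/* Hardened: the destination capacity is part of the contract and checked before writing. */
int parse_name_safe(const uint8_t *msg, size_t msg_len, char *name, size_t name_cap)
{
    if (msg_len < 1 || name_cap == 0) return -1;
    size_t len = msg[0];
    if (len > msg_len - 1) return -1;     /* message is truncated */
    if (len >= name_cap) return -1;       /* would not fit together with the NUL terminator */
    memcpy(name, msg + 1, len);
    name[len] = '\0';
    return (int)len;
}

/* Returns 1 if the unsafe parser wrote past the intended 16-byte field.
 * The field sits at the start of a 64-byte arena so the demonstration itself
 * stays inside allocated memory; in real code the clobbered bytes would be
 * whatever follows the buffer (a flag, a pointer, a saved return address). */
int unsafe_parser_overflows(void)
{
    uint8_t msg[64];
    size_t n = oversized_msg(msg, sizeof msg);
    uint8_t arena[64];
    memset(arena, 0, sizeof arena);
    parse_name_unsafe(msg, n, (char *)arena);
    return arena[NAME_CAP] == 'A';        /* byte 16 clobbered means the write overflowed */
}

/* Returns the safe parser's result for the same 40-byte name (expected -1). */
int safe_parser_rejects_oversized(void)
{
    uint8_t msg[64];
    size_t n = oversized_msg(msg, sizeof msg);
    char name[NAME_CAP];
    return parse_name_safe(msg, n, name, sizeof name);
}

/* Returns 1 if the safe parser accepts a name that fits and copies it intact. */
int safe_parser_accepts_fitting(void)
{
    uint8_t msg[64];
    size_t n = build_msg(msg, sizeof msg, "admin", 5);
    char name[NAME_CAP];
    int r = parse_name_safe(msg, n, name, sizeof name);
    return r == 5 && strcmp(name, "admin") == 0;
}

int main(void)
{
    printf("unsafe parser overflowed its field: %d\n", unsafe_parser_overflows());
    printf("safe parser on 40-byte name: %d\n", safe_parser_rejects_oversized());
    printf("safe parser on \"admin\": %d\n", safe_parser_accepts_fitting());
    return 0;
}
```

Build with `cc -Wall -O0 example.c` and run it; compiling the unsafe variant with `-fsanitize=address` and pointing it at a real 16-byte stack buffer instead of the arena is the quickest way to see how a fuzzer or sanitizer flags this class of bug.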