MITRE has shared this year’s top 25 list of the most common and dangerous software weaknesses behind more than 31,000 vulnerabilities disclosed between June 2023 and June 2024.
Software weaknesses refer to flaws, bugs, vulnerabilities, and errors found in software’s code, architecture, implementation, or design.
Attackers can exploit them to breach systems where the vulnerable software is running, enabling them to gain control over affected devices and access sensitive data or trigger denial-of-service attacks.
“Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working,” MITRE said today.
“Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place — benefiting both industry and government stakeholders.”
To create this year’s ranking, MITRE scored each weakness based on its severity and frequency after analyzing 31,770 CVE records for vulnerabilities that “would benefit from re-mapping analysis” and reported across 2023 and 2024, with a focus on security flaws added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
“This annual list identifies the most critical software weaknesses that adversaries frequently exploit to compromise systems, steal sensitive data, or disrupt essential services,” CISA added today.
“Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle.”
| Rank | ID | Name | Score | KEV CVEs | Change |
|---|---|---|---|---|---|
| 1 | CWE-79 | Cross-site Scripting | 56.92 | 3 | +1 |
| 2 | CWE-787 | Out-of-bounds Write | 45.20 | 18 | -1 |
| 3 | CWE-89 | SQL Injection | 35.88 | 4 | 0 |
| 4 | CWE-352 | Cross-Site Request Forgery (CSRF) | 19.57 | 0 | +5 |
| 5 | CWE-22 | Path Traversal | 12.74 | 4 | +3 |
| 6 | CWE-125 | Out-of-bounds Read | 11.42 | 3 | +1 |
| 7 | CWE-78 | OS Command Injection | 11.30 | 5 | -2 |
| 8 | CWE-416 | Use After Free | 10.19 | 5 | -4 |
| 9 | CWE-862 | Missing Authorization | 10.11 | 0 | +2 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.03 | 0 | 0 |
| 11 | CWE-94 | Code Injection | 7.13 | 7 | +12 |
| 12 | CWE-20 | Improper Input Validation | 6.78 | 1 | -6 |
| 13 | CWE-77 | Command Injection | 6.74 | 4 | +3 |
| 14 | CWE-287 | Improper Authentication | 5.94 | 4 | -1 |
| 15 | CWE-269 | Improper Privilege Management | 5.22 | 0 | +7 |
| 16 | CWE-502 | Deserialization of Untrusted Data | 5.07 | 5 | -1 |
| 17 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 5.07 | 0 | +13 |
| 18 | CWE-863 | Incorrect Authorization | 4.05 | 2 | +6 |
| 19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.05 | 2 | 0 |
| 20 | CWE-119 | Improper Operations Restriction in Memory Buffer Bounds | 3.69 | 2 | -3 |
| 21 | CWE-476 | NULL Pointer Dereference | 3.58 | 0 | -9 |
| 22 | CWE-798 | Use of Hard-coded Credentials | 3.46 | 2 | -4 |
| 23 | CWE-190 | Integer Overflow or Wraparound | 3.37 | 3 | -9 |
| 24 | CWE-400 | Uncontrolled Resource Consumption | 3.23 | 0 | +13 |
| 25 | CWE-306 | Missing Authentication for Critical Function | 2.73 | 5 | -5 |
CISA also regularly releases “Secure by Design” alerts highlighting the prevalence of widely known and documented vulnerabilities that have yet to be eliminated from software despite available and effective mitigations.
Some have been issued in response to ongoing malicious activity, like a July alert asking vendors to eliminate path OS command injection vulnerabilities exploited by Chinese Velvet Ant state hackers in recent attacks targeting Cisco, Palo Alto, and Ivanti network edge devices.
In May and March, the cybersecurity agency published two more “Secure by Design” alerts urging tech executives and software developers to prevent path traversal and SQL injection (SQLi) vulnerabilities in their products and code.
CISA also urged tech vendors to stop shipping software and devices with default passwords and small office/home office (SOHO) router manufacturers to secure them against Volt Typhoon attacks.
Last week, the FBI, the NSA, and Five Eyes cybersecurity authorities released a list of the top 15 routinely exploited security vulnerabilities last year, warning that attackers focused on targeting zero-days (security flaws that have been disclosed but are yet to be patched).
“In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day,” they cautioned.
