Thursday, December 5, 2024
HomeCVE/vulnerabilityMITRE Releases Top 25 Most Dangerous Software Weaknesses

MITRE Releases Top 25 Most Dangerous Software Weaknesses

Published on

SIEM as a Service

The top 25 most dangerous software weaknesses impacting software for the previous two calendar years have been published by MITRE as part of the 2023 Common Weaknesses Enumeration (CWE).

Attackers can utilize these flaws to seize control of a vulnerable system, steal data, or disrupt the functioning of certain programs. Because of these flaws, software becomes seriously vulnerable.

“These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working,” CISA advised.

- Advertisement - SIEM as a Service

Software defects cover a wide variety of problems, such as holes, bugs, weaknesses, and mistakes in the architecture, implementation, code, or design of software solutions.

With a focus on the CVE records added to CISA’s Known Exploited Vulnerabilities (KEV) database, MITRE evaluated 43,996 CVE entries from NIST’s National Vulnerability Database (NVD) for vulnerabilities discovered and reported across 2021 and 2022 to compile this list.

Each weakness was then given a score based on its severity and prevalence.

Following the gathering, scoping, and remapping stages, a scoring formula was used to determine the weaknesses in order of severity. 

This formula takes into account both the frequency (the frequency with which a CWE is the primary cause of a vulnerability) and the average severity of each vulnerability when it is exploited (as determined by the CVSS score), according to MITRE.

Both frequency and severity are normalized concerning the maximum and minimum values recorded in the data set.

Top 25 Software Weaknesses

RankIDNameScoreCVEs in KEVRank Change
1CWE-787Out-of-bounds Write63.72700
2CWE-79Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)45.5440
3CWE-89Improper Neutralization of Special Elements Used in an SQL Command (‘SQL Injection’)34.2760
4CWE-416Use After Free16.7144+3
5CWE-78Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)15.6523+1
6CWE-20Improper Input Validation15.5035-2
7CWE-125Out-of-bounds Read14.602-2
8CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)14.11160
9CWE-352Cross-Site Request Forgery (CSRF)11.7300
10CWE-434Unrestricted Upload of File with Dangerous Type10.4150
11CWE-862Missing Authorization6.900+5
12CWE-476NULL Pointer Dereference6.590-1
13CWE-287Improper Authentication6.3910+1
14CWE-190Integer Overflow or Wraparound5.894-1
15CWE-502Deserialization of Untrusted Data5.5614-3
16CWE-77Improper Neutralization of Special Elements Used in a Command (‘Command Injection’)4.954+1
17CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer4.757+2
18CWE-798Use of Hard-coded Credentials4.572-3
19CWE-918Server-Side Request Forgery (SSRF)4.5616+2
20CWE-306Missing Authentication for Critical Function3.788-2
21CWE-362Concurrent Execution using Shared Resources with Improper Synchronization (‘Race Condition’)3.538+1
22CWE-269Improper Privilege Management3.315+7
23CWE-94Improper Control of Generation of Code (‘Code Injection’)3.306+2
24CWE-863Incorrect Authorization3.160+4
25CWE-276Incorrect Default Permissions3.160-5
Top 25 Most Dangerous Software Weaknesses

The list highlights the most prevalent and significant software flaws at the moment. These can result in exploitable vulnerabilities that enable adversaries to take over a system entirely, steal data, or stop apps from running.

They are frequently simple to detect and exploit. Successful exploitation can provide attackers access to sensitive data, exfiltrate the data, or cause a denial-of-service (DoS) on the targeted computers.

CISA urges developers and product security response teams to analyze the CWE Top 25 and assess suggested mitigations to choose the ones that are most appropriate for adoption.

“CISA encourages developers and product security response teams to review the CWE Top 25 and evaluate recommended mitigations to determine those most suitable to adopt”, CISA said.

“Over the coming weeks, the CWE program will be publishing a series of further articles on the CWE Top 25 methodology, vulnerability mapping trends, and other useful information that help illustrate how vulnerability management plays an important role in Shifting the Balance of Cybersecurity Risk”.

Additionally, CISA, the FBI, the Australian Cyber Security Centre (ACSC), and the UK’s National Cyber Security Centre (NCSC) all released a list of often exploited issues for 2020.

A list of the top 10 most often exploited security issues from 2016 to 2019 has also been provided by CISA and the FBI.

The most hazardous programming, design, and architectural security issues that affect hardware systems are also listed by MITRE in a list.

“AI-based email security measures Protect your business From Email Threats!” – .

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...