MITRE has shared this 12 months’s high 25 listing of probably the most harmful software program weaknesses behind over 39,000 safety vulnerabilities disclosed between June 2024 and June 2025.
The listing was launched in cooperation with the Homeland Safety Programs Engineering and Improvement Institute (HSSEDI) and the Cybersecurity and Infrastructure Safety Company (CISA), which handle and sponsor the Frequent Weak spot Enumeration (CWE) program.
Software program weaknesses could be flaws, bugs, vulnerabilities, or errors present in a software program’s code, implementation, structure, or design, and attackers can abuse them to breach programs operating the susceptible software program. Profitable exploitation permits risk actors to achieve management over compromised gadgets and set off denial-of-service assaults or entry delicate knowledge.
To create this 12 months’s rating, MITRE scored every weak point primarily based on its severity and frequency after analyzing 39,080 CVE Data for vulnerabilities reported between June 1, 2024, and June 1, 2025.
Whereas Cross-Web site Scripting (CWE-79) nonetheless retains its spot on the high of the Prime 25, there have been many adjustments in rankings from final 12 months’s listing, together with Lacking Authorization (CWE-862), Null Pointer Dereference (CWE-476), and Lacking Authentication (CWE-306), which have been the most important movers up the listing.
The brand new entries on this 12 months’s top-most extreme and prevalent weaknesses are Basic Buffer Overflow (CWE-120), Stack-based Buffer Overflow (CWE-121), Heap-based Buffer Overflow (CWE-122), Improper Entry Management (CWE-284), Authorization Bypass By way of Consumer-Managed Key (CWE-639), and Allocation of Assets With out Limits or Throttling (CWE-770).
| Rank | ID | Identify | Rating | KEV CVEs | Change |
|---|---|---|---|---|---|
| 1 | CWE-79 | Cross-site Scripting | 60.38 | 7 | 0 |
| 2 | CWE-89 | SQL Injection | 28.72 | 4 | +1 |
| 3 | CWE-352 | Cross-Web site Request Forgery (CSRF) | 13.64 | 0 | +1 |
| 4 | CWE-862 | Lacking Authorization | 13.28 | 0 | +5 |
| 5 | CWE-787 | Out-of-bounds Write | 12.68 | 12 | -3 |
| 6 | CWE-22 | Path Traversal | 8.99 | 10 | -1 |
| 7 | CWE-416 | Use After Free | 8.47 | 14 | +1 |
| 8 | CWE-125 | Out-of-bounds Learn | 7.88 | 3 | -2 |
| 9 | CWE-78 | OS Command Injection | 7.85 | 20 | -2 |
| 10 | CWE-94 | Code Injection | 7.57 | 7 | +1 |
| 11 | CWE-120 | Basic Buffer Overflow | 6.96 | 0 | N/A |
| 12 | CWE-434 | Unrestricted Add of File with Harmful Kind | 6.87 | 4 | -2 |
| 13 | CWE-476 | NULL Pointer Dereference | 6.41 | 0 | +8 |
| 14 | CWE-121 | Stack-based Buffer Overflow | 5.75 | 4 | N/A |
| 15 | CWE-502 | Deserialization of Untrusted Knowledge | 5.23 | 11 | +1 |
| 16 | CWE-122 | Heap-based Buffer Overflow | 5.21 | 6 | N/A |
| 17 | CWE-863 | Incorrect Authorization | 4.14 | 4 | +1 |
| 18 | CWE-20 | Improper Enter Validation | 4.09 | 2 | -6 |
| 19 | CWE-284 | Improper Entry Management | 4.07 | 1 | N/A |
| 20 | CWE-200 | Publicity of Delicate Data | 4.01 | 1 | -3 |
| 21 | CWE-306 | Lacking Authentication for Crucial Operate | 3.47 | 11 | +4 |
| 22 | CWE-918 | Server-Aspect Request Forgery (SSRF) | 3.36 | 0 | -3 |
| 23 | CWE-77 | Command Injection | 3.15 | 2 | -10 |
| 24 | CWE-639 | Authorization Bypass by way of Consumer-Managed Key | 2.62 | 0 | +6 |
| 25 | CWE-770 | Allocation of Assets w/o Limits or Throttling | 2.54 | 0 | +1 |
“Usually straightforward to seek out and exploit, these can result in exploitable vulnerabilities that permit adversaries to fully take over a system, steal knowledge, or forestall functions from working,” MITRE mentioned.
“This annual listing identifies probably the most essential weaknesses adversaries exploit to compromise programs, steal knowledge, or disrupt providers. CISA and MITRE encourage organizations to overview this listing and use it to tell their respective software program safety methods,” the U.S. Cybersecurity and Infrastructure Safety Company (CISA) added.
In recent times, CISA has issued a number of “Safe by Design” alerts spotlighting the prevalence of extensively documented vulnerabilities that stay in software program regardless of out there mitigations.
A few of these alerts have been launched in response to ongoing malicious campaigns, reminiscent of a July 2024 alert asking tech corporations to get rid of path OS command injection weaknesses exploited by the Chinese language Velvet Ant state hackers in assaults concentrating on Cisco, Palo Alto, and Ivanti community edge gadgets.
This week, the cybersecurity company suggested builders and product groups to overview the 2025 CWE Prime 25 to establish key weaknesses and undertake Safe by Design practices, whereas safety groups have been requested to combine it into their app safety testing and vulnerability administration processes.
In April 2025, CISA additionally introduced that the U.S. authorities had prolonged MITRE’s funding for an additional 11 months to make sure continuity of the essential Frequent Vulnerabilities and Exposures (CVE) program, following a warning from MITRE VP Yosry Barsoum that authorities funding for the CVE and CWE applications was set to run out.
Damaged IAM is not simply an IT drawback – the influence ripples throughout your entire enterprise.
This sensible information covers why conventional IAM practices fail to maintain up with fashionable calls for, examples of what “good” IAM seems like, and a easy guidelines for constructing a scalable technique.
