MITRE Publishes List of the 25 Most Dangerous Software Weaknesses of 2025
MITRE released its annual ranking of the 25 most dangerous software weaknesses, based on analysis of more than 39,000 vulnerabilities disclosed between June 2024 and June 2025.
MITRE developed the report with HSSEDI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which jointly oversee the Common Weakness Enumeration (CWE) program.
Software weaknesses include bugs, flaws, and errors in code, architecture, implementation, or design. These weaknesses create entry points for attackers seeking device control, sensitive data access, or denial-of-service conditions.
The weaknesses use CWE (Common Weakness Enumeration) identifiers, distinct from CVE identifiers. CWEs represent root causes or categories of flaws that produce specific exploitable vulnerabilities (CVEs). MITRE analyzed 39,080 CVEs published over the past year, assessing each for prevalence and potential impact.
Top Weaknesses
Cross-site Scripting (XSS, CWE-79) held first place for another year. The report notes significant increases in Missing Authorization (CWE-862), NULL Pointer Dereference (CWE-476), and Missing Authentication for Critical Function (CWE-306).
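The weakness ranked first, shown as an added example that is not part of MITRE's report or the article: a page fragment rendered with untrusted text concatenated in unchanged (the CWE-79 pattern) beside the same fragment rendered with context-appropriate output encoding. The renderer names, the sample comment and the link helper are hypothetical; only the standard library is used.

```python
import html
from urllib.parse import quote

# Constructed sample input (not from the report): a comment containing markup.
UNTRUSTED_COMMENT = '<script>alert(1)</script> & "quoted" text'


def render_comment_vulnerable(comment: str) -> str:
    """CWE-79 pattern: untrusted text is concatenated into the page unchanged,
    so any markup it contains becomes part of the document."""
    return '<p class="comment">' + comment + '</p>'


def render_comment_escaped(comment: str) -> str:
    """Mitigation for an HTML text node: encode the characters that have
    meaning to the HTML parser before concatenation."""
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'


def render_link_escaped(title: str, path: str) -> str:
    """Each output context needs its own encoder: the attribute value and the
    link text are HTML-escaped, while the URL path segment is percent-encoded
    (safe="" so that '/' is encoded too and cannot add a path component)."""
    escaped_title = html.escape(title, quote=True)
    return '<a href="/items/%s" title="%s">%s</a>' % (
        quote(path, safe=""),
        escaped_title,
        escaped_title,
    )


def contains_live_markup(rendered: str) -> bool:
    """Crude check used only to show the difference between the two renderers:
    does an unescaped '<script' survive in the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable(UNTRUSTED_COMMENT))
    print(render_comment_escaped(UNTRUSTED_COMMENT))
    print(render_link_escaped('A "B"', "a b/c"))
```

The point the encoders make is that escaping is per context: the same string needs HTML entity encoding in a text node or attribute and percent-encoding inside a URL, and a template engine that applies the right encoder automatically is the usual way to keep this from being forgotten.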
Several classic errors entered the top 25, including Stack-based and Heap-based Buffer Overflows, plus Improper Access Control and Allocation of Resources Without Limits or Throttling.
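Two of the entries the report singles out as rising, Missing Authorization (CWE-862) and Authorization Bypass Through User-Controlled Key (CWE-639), share one root cause, illustrated here by an added example that is not from MITRE or the article. The record store, user names and function names are hypothetical: the first reader authenticates the caller but never checks ownership, so changing the client-supplied identifier reads another user's record; the second decides from server-side data and denies by default.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


# Constructed in-memory store standing in for a database (hypothetical data).
RECORDS = {
    101: Record(101, "alice", "alice's private notes"),
    102: Record(102, "bob", "bob's draft"),
}


def read_record_missing_authz(current_user: str, record_id: int) -> str:
    """CWE-862 pattern: the caller is authenticated (current_user is known),
    but nothing checks that this user may read this record. Because the
    identifier comes from the client, supplying a different one returns
    another user's data, which is the CWE-639 bypass."""
    return RECORDS[record_id].body


def read_record(current_user: str, record_id: int) -> str:
    """Mitigation: take ownership from the server-side record, compare it with
    the authenticated principal, and deny by default. A missing record and an
    unauthorized one produce the same error so the endpoint does not reveal
    which identifiers exist (an instance of CWE-200, also on the list)."""
    record = RECORDS.get(record_id)
    if record is None or record.owner != current_user:
        raise Forbidden("access denied")
    return record.body


def is_denied(func, *args) -> bool:
    """Helper for checks: True when the call is refused with Forbidden."""
    try:
        func(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # alice reading bob's record: succeeds in the flawed version, denied otherwise
    print(read_record_missing_authz("alice", 102))
    print(is_denied(read_record, "alice", 102))
```

The authorization decision belongs next to the data access rather than in the caller, and the subject used for the comparison must be the authenticated identity from the session, never a field the client can set.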
2025 Top 25 CWE List (score, number of CVEs in CISA's KEV catalog, and change in rank from 2024):

| Rank | CWE | Weakness | Score | CVEs in KEV | Change |
|---|---|---|---|---|---|
| 1 | CWE-79 | Cross-site Scripting | 60.38 | 70 | — |
| 2 | CWE-89 | SQL Injection | 28.72 | 4 | +1 |
| 3 | CWE-352 | Cross-Site Request Forgery | 13.64 | 0 | +1 |
| 4 | CWE-862 | Missing Authorization | 13.28 | 0 | +5 |
| 5 | CWE-787 | Out-of-bounds Write | 12.68 | 12 | -3 |
| 6 | CWE-22 | Path Traversal | 8.99 | 10 | -1 |
| 7 | CWE-416 | Use After Free | 8.47 | 14 | +1 |
| 8 | CWE-125 | Out-of-bounds Read | 7.88 | 3 | -2 |
| 9 | CWE-78 | OS Command Injection | 7.85 | 20 | -2 |
| 10 | CWE-94 | Code Injection | 7.57 | 7 | +1 |
| 11 | CWE-120 | Classic Buffer Overflow | 6.96 | 0 | New |
| 12 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 6.87 | 4 | -2 |
| 13 | CWE-476 | NULL Pointer Dereference | 6.41 | 0 | +8 |
| 14 | CWE-121 | Stack-based Buffer Overflow | 5.75 | 4 | New |
| 15 | CWE-502 | Deserialization of Untrusted Data | 5.23 | 11 | +1 |
| 16 | CWE-122 | Heap-based Buffer Overflow | 5.21 | 6 | New |
| 17 | CWE-863 | Incorrect Authorization | 4.14 | 4 | +1 |
| 18 | CWE-20 | Improper Input Validation | 4.09 | 2 | -6 |
| 19 | CWE-284 | Improper Access Control | 4.07 | 1 | New |
| 20 | CWE-200 | Exposure of Sensitive Information | 4.01 | 1 | -3 |
| 21 | CWE-306 | Missing Authentication for Critical Function | 3.47 | 11 | +4 |
| 22 | CWE-918 | Server-Side Request Forgery | 3.36 | 0 | -3 |
| 23 | CWE-77 | Command Injection | 3.15 | 2 | -10 |
| 24 | CWE-639 | Authorization Bypass Through User-Controlled Key | 2.62 | 0 | +6 |
| 25 | CWE-770 | Allocation of Resources Without Limits or Throttling | 2.54 | 0 | +1 |
CISA noted the Top 25 CWE list reflects critical weaknesses attackers exploit in real-world campaigns. Organizations should consider this ranking when developing software security strategies.
Development teams should study the ranking and adopt Secure by Design principles. Security professionals should use the list to prioritize vulnerability remediation and focus testing efforts on the most exploited weakness categories.