MITRE has shared this yr’s prime 25 record of probably the most harmful software program weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.
The record was launched in cooperation with the Homeland Safety Methods Engineering and Improvement Institute (HSSEDI) and the Cybersecurity and Infrastructure Safety Company (CISA), which handle and sponsor the Frequent Weak point Enumeration (CWE) program.
Software program weaknesses could be flaws, bugs, vulnerabilities, or errors present in a software program’s code, implementation, structure, or design, and attackers can abuse them to breach techniques operating the susceptible software program. Profitable exploitation permits risk actors to achieve management over compromised gadgets and set off denial-of-service assaults or entry delicate knowledge.
To create this yr’s rating, MITRE scored every weak spot based mostly on its severity and frequency after analyzing 39,080 CVE Data for vulnerabilities reported between June 1, 2024, and June 1, 2025.
Whereas Cross-Website Scripting (CWE-79) nonetheless retains its spot on the prime of the Prime 25, there have been many adjustments in rankings from final yr’s record, together with Lacking Authorization (CWE-862), Null Pointer Dereference (CWE-476), and Lacking Authentication (CWE-306), which have been the largest movers up the record.
The brand new entries on this yr’s top-most extreme and prevalent weaknesses are Basic Buffer Overflow (CWE-120), Stack-based Buffer Overflow (CWE-121), Heap-based Buffer Overflow (CWE-122), Improper Entry Management (CWE-284), Authorization Bypass By means of Consumer-Managed Key (CWE-639), and Allocation of Sources With out Limits or Throttling (CWE-770).
| Rank | ID | Identify | Rating | KEV CVEs | Change |
|---|---|---|---|---|---|
| 1 | CWE-79 | Cross-site Scripting | 60.38 | 7 | 0 |
| 2 | CWE-89 | SQL Injection | 28.72 | 4 | +1 |
| 3 | CWE-352 | Cross-Website Request Forgery (CSRF) | 13.64 | 0 | +1 |
| 4 | CWE-862 | Lacking Authorization | 13.28 | 0 | +5 |
| 5 | CWE-787 | Out-of-bounds Write | 12.68 | 12 | -3 |
| 6 | CWE-22 | Path Traversal | 8.99 | 10 | -1 |
| 7 | CWE-416 | Use After Free | 8.47 | 14 | +1 |
| 8 | CWE-125 | Out-of-bounds Learn | 7.88 | 3 | -2 |
| 9 | CWE-78 | OS Command Injection | 7.85 | 20 | -2 |
| 10 | CWE-94 | Code Injection | 7.57 | 7 | +1 |
| 11 | CWE-120 | Basic Buffer Overflow | 6.96 | 0 | N/A |
| 12 | CWE-434 | Unrestricted Add of File with Harmful Kind | 6.87 | 4 | -2 |
| 13 | CWE-476 | NULL Pointer Dereference | 6.41 | 0 | +8 |
| 14 | CWE-121 | Stack-based Buffer Overflow | 5.75 | 4 | N/A |
| 15 | CWE-502 | Deserialization of Untrusted Data | 5.23 | 11 | +1 |
| 16 | CWE-122 | Heap-based Buffer Overflow | 5.21 | 6 | N/A |
| 17 | CWE-863 | Incorrect Authorization | 4.14 | 4 | +1 |
| 18 | CWE-20 | Improper Enter Validation | 4.09 | 2 | -6 |
| 19 | CWE-284 | Improper Entry Management | 4.07 | 1 | N/A |
| 20 | CWE-200 | Publicity of Delicate Info | 4.01 | 1 | -3 |
| 21 | CWE-306 | Lacking Authentication for Crucial Perform | 3.47 | 11 | +4 |
| 22 | CWE-918 | Server-Facet Request Forgery (SSRF) | 3.36 | 0 | -3 |
| 23 | CWE-77 | Command Injection | 3.15 | 2 | -10 |
| 24 | CWE-639 | Authorization Bypass through Consumer-Managed Key | 2.62 | 0 | +6 |
| 25 | CWE-770 | Allocation of Sources w/o Limits or Throttling | 2.54 | 0 | +1 |
“Usually straightforward to seek out and exploit, these can result in exploitable vulnerabilities that permit adversaries to utterly take over a system, steal knowledge, or stop purposes from working,” MITRE mentioned.
“This annual record identifies probably the most vital weaknesses adversaries exploit to compromise techniques, steal knowledge, or disrupt companies. CISA and MITRE encourage organizations to assessment this record and use it to tell their respective software program security methods,” the U.S. Cybersecurity and Infrastructure Safety Company (CISA) added.
Lately, CISA has issued a number of “Safe by Design” alerts spotlighting the prevalence of broadly documented vulnerabilities that stay in software program regardless of obtainable mitigations.
A few of these alerts have been launched in response to ongoing malicious campaigns, comparable to a July 2024 alert asking tech corporations to get rid of path OS command injection weaknesses exploited by the Chinese language Velvet Ant state hackers in assaults focusing on Cisco, Palo Alto, and Ivanti community edge gadgets.
This week, the cybersecurity company suggested builders and product groups to assessment the 2025 CWE Prime 25 to establish key weaknesses and undertake Safe by Design practices, whereas security groups have been requested to combine it into their app security testing and vulnerability administration processes.
In April 2025, CISA additionally introduced that the U.S. authorities had prolonged MITRE’s funding for one more 11 months to make sure continuity of the vital Frequent Vulnerabilities and Exposures (CVE) program, following a warning from MITRE VP Yosry Barsoum that authorities funding for the CVE and CWE applications was set to run out.
Damaged IAM is not simply an IT downside – the influence ripples throughout your entire enterprise.
This sensible information covers why conventional IAM practices fail to maintain up with fashionable calls for, examples of what “good” IAM appears to be like like, and a easy guidelines for constructing a scalable technique.
