MITRE Lists 25 Most Dangerous Software Weaknesses of 2024

MITRE has released its annual list of the top 25 most dangerous software weaknesses for 2024, highlighting critical vulnerabilities that pose significant risks to software systems worldwide.

This list, developed in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), is a crucial resource for developers, security professionals, and organizations aiming to bolster their cybersecurity defenses.

The 2024 CWE Top 25 list identifies the most severe and prevalent software weaknesses linked to over 31,770 Common Vulnerabilities and Exposures (CVE) records.

Adversaries often exploit these weaknesses to compromise systems, steal sensitive data, or disrupt essential services. The list is based on an analysis of CVE records from June 2023 to June 2024, focusing on vulnerabilities included in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders – Attend Free Webinar

Top 10 Most Dangerous Software Weaknesses

Here is a table listing the top 25 most dangerous software weaknesses of 2024 according to MITRE:

Rank	Weakness Name	CWE ID	Score	CVEs in KEV	Change
1	Cross-site Scripting	CWE-79	56.92	3	+1
2	Out-of-bounds Write	CWE-787	45.20	18	-1
3	SQL Injection	CWE-89	35.88	4	0
4	Cross-Site Request Forgery (CSRF)	CWE-352	19.57	0	+5
5	Path Traversal	CWE-22	12.74	4	+3
6	Out-of-bounds Read	CWE-125	11.42	3	+1
7	OS Command Injection	CWE-78	11.30	5	-2
8	Use After Free	CWE-416	10.19	5	-4
9	Missing Authorization	CWE-862	10.11	0	+2
10	Unrestricted Upload of File with Dangerous Type	CWE-434	10.03	0	0
11	Code Injection	CWE-94	7.13	7	+12
12	Improper Input Validation	CWE-20	6.78	1	-6
13	Command Injection	CWE-77	6.74	4	+3
14	Improper Authentication	CWE-287	5.94	4	-1
15	Improper Privilege Management	CWE-269	5.22	0	+7
16	Deserialization of Untrusted Data	CWE-502	5.07	5	-1
17	Exposure of Sensitive Information to an Unauthorized Actor	CWE-200	5.07	0	+13
18	Incorrect Authorization	CWE-863	4.05	2	+6
19	Server-Side Request Forgery (SSRF)	CWE-918	4.05	2	0
20	Improper Restriction of Operations within the Bounds of a Memory Buffer	CWE-119	3.69	2	-3
21	NULL Pointer Dereference	CWE-476	3.58	0	-9
22	Use of Hard-coded Credentials	CWE-798	3.46	2	-4
23	Integer Overflow or Wraparound	CWE-190	3.37	3	-9
24	Uncontrolled Resource Consumption	CWE-400	3.23	0	+13
25	Missing Authentication for Critical Function	CWE-306	2.73	5	-5

This table provides a comprehensive overview of the top 25 software weaknesses, including their CWE IDs, scores, number of CVEs in the Known Exploited Vulnerabilities (KEV) catalog, and changes in ranking compared to the previous year.

The CWE Top 25 list is invaluable for guiding security investments and policies. By understanding the root causes of these vulnerabilities, organizations can implement strategies to prevent them from occurring.

This proactive approach enhances security and results in cost savings by reducing the need for post-deployment fixes.

Organizations are encouraged to integrate the CWE Top 25 into their software development lifecycle and procurement processes. By prioritizing these weaknesses, companies can mitigate risks and demonstrate a commitment to cybersecurity, enhancing customer trust.

Adopting Secure by Design practices is crucial for developers and security teams. This involves incorporating security measures at every stage of software development to prevent vulnerabilities from being introduced.

As cyber threats evolve, staying informed about the most dangerous software weaknesses is essential for maintaining robust cybersecurity defenses. The 2024 CWE Top 25 list provides a strategic framework for addressing these challenges and protecting critical systems from exploitation.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free