MITRE Reveals 25 Most Dangerous Software Vulnerabilities


MITRE has published its annual list of the CWE Top 25 Most Dangerous Software Weaknesses, identifying the key flaws behind more than 31,000 vulnerabilities disclosed between June 2023 and June 2024.


Key Trends and Changes in the 2024 List

  • Cross-Site Scripting (XSS): XSS vulnerabilities have moved to the top of the list, rising from second place in 2023.
  • Out-of-Bounds Write Flaws: Previously ranked first, these issues dropped to second place.
  • SQL Injection (SQLi): These bugs have maintained their third-place ranking.
  • Path Traversal and Cross-Site Request Forgery (CSRF): Both have seen significant rises, climbing three and five places, respectively.
  • Other Movers: Out-of-bounds read defects moved up one spot, while OS command injection and use-after-free vulnerabilities slipped in the rankings.

The top 10 weaknesses now include missing authorization (up from eleventh last year) and unrestricted file uploads, which held steady at tenth. Meanwhile, code injection vulnerabilities saw a significant rise, leaping from 23rd in 2023 to 11th in 2024.

New Entrants to the 2024 CWE Top 25

  • Exposure of Sensitive Information: This category surged to 14th place, up from 30th last year.
  • Uncontrolled Resource Consumption: Now ranked 24th, rising from 37th in 2023.

Conversely, weaknesses such as incorrect default permissions and race condition flaws fell off the top 25 list.

Exploitation and Ongoing Threats

Despite available and effective mitigation techniques, many well-known vulnerabilities persist in software. The Cybersecurity and Infrastructure Security Agency (CISA) routinely issues "Secure by Design" alerts to emphasize the need for eliminating such risks. Recent examples include:

  • OS Command Injection Attacks: A July alert addressed vulnerabilities exploited by the Chinese state-backed Velvet Ant group, targeting devices from Cisco, Palo Alto, and Ivanti.
  • SQL Injection (SQLi) and Path Traversal Risks: Alerts issued in March and May urged tech leaders to proactively prevent these vulnerabilities in software and development processes.
  • Default Password Risks: CISA also highlighted the need for vendors to avoid shipping products with default credentials, which attackers have used in targeted Volt Typhoon operations against small office/home office (SOHO) routers.

Additionally, last week, the FBI, NSA, and Five Eyes cybersecurity agencies published a report listing the top 15 vulnerabilities most exploited in 2023. The report warned of an increase in zero-day vulnerabilities—security flaws disclosed but not yet patched—being targeted by attackers compared to 2022.

Easy Targets for Attackers

"Often easy to locate and exploit, these weaknesses allow adversaries to compromise systems, steal data, or disrupt applications," MITRE explained. MITRE added that addressing the root causes of these vulnerabilities is critical, and the list is meant to give both industry and government stakeholders guidance on preventing such issues from emerging in the first place.

Creating the Top 25 List

This year's list was compiled by analyzing 31,770 Common Vulnerabilities and Exposures (CVE) records reported in 2023 and 2024. MITRE prioritized weaknesses based on their severity and frequency, with special attention to those featured in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
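To make the methodology concrete, here is an added example (not MITRE's code, and not its exact published formula) that ranks CWE identifiers from a set of CVE records the way the paragraph above describes: each weakness is weighted by how often it appears and by the average CVSS severity of its CVEs, and its presence in CISA's KEV catalog is reported and used as a tie-breaker. The CVE ids, scores and KEV flags below are constructed sample data, and the min/max-free normalisation (frequency relative to the most common CWE, severity as CVSS/10) is a simplifying assumption.

```python
"""Rank weaknesses (CWEs) from CVE records by frequency and severity.

Added example; not MITRE's methodology code. The scoring is a simplified
stand-in for the frequency-times-severity weighting the article describes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str   # constructed placeholder ids, not real CVE numbers
    cwe_id: str   # weakness the CVE is mapped to
    cvss: float   # CVSS base score, 0.0 - 10.0
    in_kev: bool  # listed in CISA's Known Exploited Vulnerabilities catalog


# Constructed sample data; ids, scores and KEV flags are illustrative only.
SAMPLE_RECORDS = [
    CveRecord("CVE-XXXX-0001", "CWE-79", 6.1, False),   # XSS
    CveRecord("CVE-XXXX-0002", "CWE-79", 5.4, False),
    CveRecord("CVE-XXXX-0003", "CWE-79", 6.1, True),
    CveRecord("CVE-XXXX-0004", "CWE-79", 4.3, False),
    CveRecord("CVE-XXXX-0005", "CWE-787", 9.8, True),   # out-of-bounds write
    CveRecord("CVE-XXXX-0006", "CWE-787", 8.8, False),
    CveRecord("CVE-XXXX-0007", "CWE-89", 9.8, True),    # SQL injection
    CveRecord("CVE-XXXX-0008", "CWE-22", 7.5, False),   # path traversal
]


def score_weaknesses(records):
    """Return per-CWE statistics and a 0-100 frequency x severity score."""
    counts = defaultdict(int)
    cvss_total = defaultdict(float)
    kev_counts = defaultdict(int)
    for rec in records:
        counts[rec.cwe_id] += 1
        cvss_total[rec.cwe_id] += rec.cvss
        if rec.in_kev:
            kev_counts[rec.cwe_id] += 1

    max_count = max(counts.values())
    scores = {}
    for cwe, count in counts.items():
        frequency = count / max_count          # 1.0 for the most common CWE
        avg_cvss = cvss_total[cwe] / count
        severity = avg_cvss / 10.0             # CVSS scaled to 0..1
        scores[cwe] = {
            "count": count,
            "avg_cvss": round(avg_cvss, 2),
            "kev_count": kev_counts[cwe],
            "score": round(frequency * severity * 100, 2),
        }
    return scores


def rank_weaknesses(records, top_n=25):
    """Order CWEs by score, then by KEV presence, then by id for stability."""
    scores = score_weaknesses(records)
    ordered = sorted(
        scores.items(),
        key=lambda kv: (-kv[1]["score"], -kv[1]["kev_count"], kv[0]),
    )
    return [cwe for cwe, _ in ordered[:top_n]]


if __name__ == "__main__":
    stats = score_weaknesses(SAMPLE_RECORDS)
    for position, cwe in enumerate(rank_weaknesses(SAMPLE_RECORDS), start=1):
        print(position, cwe, stats[cwe])
```

With this sample set the frequent but medium-severity XSS records outrank the rarer, high-severity out-of-bounds writes, which is the same trade-off between frequency and severity that moves entries up and down the real list from year to year.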

“This annual list pinpoints the most critical software weaknesses exploited by adversaries to breach systems, steal sensitive data, or disrupt essential services,” said CISA.

Guidance for Organizations

Organizations are encouraged to review the list and incorporate its insights into their software security strategies. Prioritizing these weaknesses during development and procurement helps mitigate risks at the foundational level, reducing vulnerabilities throughout the software lifecycle.

By addressing these critical software issues, organizations can build a more secure digital environment and reduce exposure to cyber threats.



This list hasn't changed much in the last 20+ years. There aren't really any truly new items in the list. Technology has clearly changed much in that time. Does that indicate that newer technologies have been designed with safety from the ground up? Or, does it mean that the apparent change in technology is only an illusion because everything is still built on top of the same old less-safe foundation?

Reply
Gustavo Adolfo Salazar Castillón

CEO | FOUNDER | Business Expansion Consultancy Partners S.C.

2 days ago

Thanks to The Cyber Security Hub for sharing the list, and I drafted a simple checklist to review these top vulnerabilities and incorporate your insights into your software security strategies. Just an idea!

Suffyan Ali

Linux System Administrator || AIOps-Oriented DevOps Enthusiast || Cloud Infrastructure Architect (AWS, Azure) | CISSP

3 days ago

MITRE's latest list is a crucial reminder of the evolving threats in software vulnerabilities. It's interesting to see XSS move to the top and other vulnerabilities like SQL injection maintain their position. Organizations have the tools to address these issues, but many weaknesses still persist. What proactive measures do you think are most effective in minimizing these vulnerabilities during software development?

John Truong

Cybersecurity Specialist || ITIL || Cloud Computing Engineer || Google Cloud Certified Professional || Azure Database Administrator || AWS Solution Architect || Network Operation

3 days ago

MITRE attacks are the hackers' bible, listing every weakness and method for taking advantage of it in order to compromise network security. Sometimes the purpose of so-called cybersecurity specialists is to make people forget or put off reading all the important information.

Navjot Kaur

Cybersecurity Enthusiast || IT Support Specialist || Focused on Risk Management & Threat Analysis

3 days ago

Thank you for sharing
