MITRE has shared this year's Top 25 list of the most common and dangerous software weaknesses behind more than 31,000 vulnerabilities disclosed between June 2023 and June 2024.
Software weaknesses refer to flaws, bugs, vulnerabilities, and errors found in software's code, architecture, implementation, or design.
Attackers can exploit them to breach systems where the vulnerable software is running, enabling them to gain control over affected devices, access sensitive data, or trigger denial-of-service attacks.
“Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working,” MITRE said today.
“Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place — benefiting both industry and government stakeholders.”
To create this year's ranking, MITRE scored each weakness based on its severity and frequency after analyzing 31,770 CVE records for vulnerabilities that “would benefit from re-mapping analysis” and were reported during 2023 and 2024, with a focus on security flaws added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
“This annual list identifies the most critical software weaknesses that adversaries frequently exploit to compromise systems, steal sensitive data, or disrupt essential services,” CISA added today.
“Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle.”
| Rank | ID | Title | Score | KEV CVEs | Change |
|---|---|---|---|---|---|
| 1 | CWE-79 | Cross-site Scripting | 56.92 | 3 | +1 |
| 2 | CWE-787 | Out-of-bounds Write | 45.20 | 18 | -1 |
| 3 | CWE-89 | SQL Injection | 35.88 | 4 | 0 |
| 4 | CWE-352 | Cross-Site Request Forgery (CSRF) | 19.57 | 0 | +5 |
| 5 | CWE-22 | Path Traversal | 12.74 | 4 | +3 |
| 6 | CWE-125 | Out-of-bounds Read | 11.42 | 3 | +1 |
| 7 | CWE-78 | OS Command Injection | 11.30 | 5 | -2 |
| 8 | CWE-416 | Use After Free | 10.19 | 5 | -4 |
| 9 | CWE-862 | Missing Authorization | 10.11 | 0 | +2 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.03 | 0 | 0 |
| 11 | CWE-94 | Code Injection | 7.13 | 7 | +12 |
| 12 | CWE-20 | Improper Input Validation | 6.78 | 1 | -6 |
| 13 | CWE-77 | Command Injection | 6.74 | 4 | +3 |
| 14 | CWE-287 | Improper Authentication | 5.94 | 4 | -1 |
| 15 | CWE-269 | Improper Privilege Management | 5.22 | 0 | +7 |
| 16 | CWE-502 | Deserialization of Untrusted Data | 5.07 | 5 | -1 |
| 17 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 5.07 | 0 | +13 |
| 18 | CWE-863 | Incorrect Authorization | 4.05 | 2 | +6 |
| 19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.05 | 2 | 0 |
| 20 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 3.69 | 2 | -3 |
| 21 | CWE-476 | NULL Pointer Dereference | 3.58 | 0 | -9 |
| 22 | CWE-798 | Use of Hard-coded Credentials | 3.46 | 2 | -4 |
| 23 | CWE-190 | Integer Overflow or Wraparound | 3.37 | 3 | -9 |
| 24 | CWE-400 | Uncontrolled Resource Consumption | 3.23 | 0 | +13 |
| 25 | CWE-306 | Missing Authentication for Critical Function | 2.73 | 5 | -5 |
CISA also regularly releases “Secure by Design” alerts highlighting the prevalence of widely known and documented vulnerabilities that have yet to be eliminated from software despite available and effective mitigations.
Some have been issued in response to ongoing malicious activity, like a July alert asking vendors to eliminate OS command injection vulnerabilities exploited by the Chinese Velvet Ant state hackers in recent attacks targeting Cisco, Palo Alto, and Ivanti network edge devices.
In May and March, the cybersecurity agency published two more “Secure by Design” alerts urging tech executives and software developers to prevent path traversal and SQL injection (SQLi) vulnerabilities in their products and code.
CISA also urged tech vendors to stop shipping software and devices with default passwords, and small office/home office (SOHO) router manufacturers to secure them against Volt Typhoon attacks.
Last week, the FBI, the NSA, and Five Eyes cybersecurity authorities released a list of the top 15 routinely exploited security vulnerabilities of last year, warning that attackers focused on targeting zero-days (security flaws that have been disclosed but are yet to be patched).
“In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day,” they warned.