CWE Top 25: Where developers learn which mistakes not to repeat, and hackers learn where to focus their attention!
Introduction to CWEs
A weakness in cybersecurity refers to a flaw or shortcoming in a product application, framework, organization, or some other registering part that malignant actors might leverage to compromise the privacy, integrity, confidentiality, or accessibility of the product or service.
Weaknesses can exist in light of multiple factors, for example, programming blunders, planned/unplanned defects, misconfigurations, or even outdated software. When a weakness is taken advantage of, it can prompt a security break, permitting attackers to acquire unapproved access, execute code, steal sensitive data, disrupt functionality, or cause unwanted results.
It is fundamental for engineers, framework executives, and security experts to recognize and remediate weaknesses speedily to limit the abuse and safeguard the security of infrastructure and information. Fixing and patching programs consistently, following security best practices, and directing vulnerability evaluations and regular penetration testing engagements are standard techniques to address security weaknesses.
The Common Weakness Enumeration is a software community project to index the most common software weaknesses. The venture's objective is to identify the common defects in programming. They are frequently simple to find and simple to take advantage of. The CWE top 25 helps developers and security practitioners to:
Describe and discuss software and hardware weaknesses in a common language.
Check for flaws in existing software and hardware products.
Evaluate coverage of tools targeting these weaknesses.
Leverage a common baseline standard for weakness identification, mitigation, and prevention efforts.
Prevent software and hardware vulnerabilities before deployment.
Common Weaknesses Enumeration Top 25 2023 list
Out-of-bounds Write: CWE-787 (Unchanged)
Cross-site Scripting: CWE-79 (Unchanged)
SQL Injection: CWE-89 (Unchanged)
Use After Free: CWE-416 (Promoted)
Improper Neutralization of Special Elements used in an OS Command a.k.a. OS Command Injection: CWE-78 (Promoted)
Improper Input Validation: CWE-20 (Demoted)
Out-of-bounds Read: CWE-125 (Demoted)
Improper Limitation of a Pathname to a Restricted Directory a.k.a. Path Traversal: CWE-22 (Unchanged)
Cross-Site Request Forgery (CSRF): CWE-352 (Unchanged)
Unrestricted Upload of File with Dangerous Type: CWE-434 (Unchanged)
Missing Authorization: CWE-862 (Promoted)
NULL Pointer Dereference: CWE-476 (Demoted)
Improper Authentication: CWE-287 (Promoted)
Integer Overflow or Wraparound: CWE-190 (Demoted)
Deserialization of Untrusted Data: CWE-502 (Demoted)
Improper Neutralization of Special Elements used in a Command a.k.a. Command Injection: CWE-77 (Promoted)
Improper Restriction of Operations within the Bounds of a Memory Buffer: CWE-119 (Promoted)
Use of Hard-coded Credentials: CWE-798 (Demoted)
Server-Side Request Forgery (SSRF): CWE-918 (Promoted)
Missing Authentication for Critical Function: CWE-306 (Demoted)
Concurrent Execution using Shared Resource with Improper Synchronization a.k.a. Race Condition: CWE-362 (Promoted)
Improper Privilege Management: CWE-269 (New!)
Improper Control of Generation of Code Code Injection: CWE-94 (Promoted)
Incorrect Authorization: CWE-863 (New!)
Incorrect Default Permissions: CWE-276 (Demoted)
Note: Here, Promoted / Demoted is the rank denotation of the CWE concerning the previous 2022 year CWE Top 25 list.
CWE Top 25 2023 vs 2022
The 2023 CWE Top 25 rundown shows a few exciting changes contrasted with the 2022 list. The main three most hazardous software weaknesses continue as before (Unchanged), with CWE-787 (Out-of-bounds Write), CWE-79 (Cross-Site Scripting XSS), and CWE-89 ( SQL Command, or 'SQL Injection') holding their positions.
Conversely, there have been outstanding changes in the rankings of different weaknesses outside the top 3. For instance, CWE-416 (Use After Free) has scaled three spots to the fourth position, and CWE-78 (OS Command, or 'OS Command Injection') has climbed one place to the fifth. On the other hand, CWE-20 (Improper Input Validation) and CWE-125 (Out-of-bounds Read) have dropped two spots to the sixth and seventh positions, individually.
Further down the list, CWE-862 (Missing Authorization) has taken a considerable jump, climbing five spots to the eleventh position. This vertical pattern shows an expansion in the number of occurrences where a software product fails to ensure an actor is authorized to act, leading to potential security risks. The positioning change is possible because frameworks have evolved to be progressively complicated and interconnected. As we integrate more management and capabilities into our computerized frameworks, the requirement for proper admin controls becomes quintessential.
Then again, CWE-269, or Improper Privilege Management, has seen a critical ascent of 7 positions this year. This weakness happens when a framework awards privileges or consents to an actor, possibly prompting unapproved activities.
Real-World trends in Top 25 CWEs: from 2019 to 2023
Consistent Uptrending Vulnerabilities
CWE-862 Absence of Authorization - Initially positioned at the 36th in 2019, CWE-862 teetered on the edge of inclusion. It officially entered the CWE Top 25 in 2020, securing the 25th position, and has consistently advanced each subsequent year. As of 2023, it holds the 11th rank, the highest among those consistently ascending. This pattern may imply that developers are not uniformly applying authorization methods when required, despite the weakness in the CWE Top 25 since 2020. The community must maintain vigilance in the implementation of authorization practices.
CWE-918 Server-Side Request Forgery (SSRF) - In 2019, CWE-918 held the 32nd rank, similarly poised at the threshold. It formally joined the CWE Top 25 in 2021, positioned at 24th. While this CWE hasn't experienced as significant a climb in ranking as CWE-862, it has steadily risen to 19th place in 2023.
CWE-639 Authorization Bypass Through User-Controlled Key - Starting well beyond the top 40 in 2019, CWE-639 embarked on a consistent ascent through the subsequent years, eventually reaching the 38th rank in 2023. This marks the first time CWE-639 finds itself "on the cusp." Given its upward trajectory, closely monitoring its further progression will be intriguing.
Other CWEs that have experienced upward movement in their rankings have maintained a consistent trajectory, avoiding any instances of descending in rank. However, they have encountered at least one year in which their order remained unchanged. While these patterns lack the same degree of regularity as those CWEs continually increasing their hierarchies, they offer intriguing observations. The following CWEs fall into this category:
CWE-787 Out-of-bounds Write - This vulnerability has risen from the 12th to the 1st position since 2019. Notably, it leaped to the 2nd rank in 2020 and has held 1st since 2021.
CWE-434 Unrestricted Upload of File with Dangerous Type - Progressing from the 16th to the 10th spot since 2019.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command a.k.a. 'SQL Injection' - Advancing from the 6th to the 3rd position since 2019.
Consistent Downward Movers
Weaknesses that have exhibited a declining trend in their rankings suggest improved awareness and mitigation within the community. However, it is essential to note that some of these vulnerabilities remain within the CWE Top 25 list. Despite the positive trajectory, IT professionals should recognize the significance of these vulnerabilities. Below, we elaborate on the weaknesses that have experienced a consistent downward trend in their rankings.
CWE-190 Integer Overflow or Wraparound - In 2019, CWE-190 held the 8th position in the rankings, which has since shifted to the 14th as of 2023. Although this change's magnitude is relatively minimal compared to other vulnerabilities on this list, its consistent presence within the Top 25 over the years is noteworthy. Regardless of the factors contributing to this declining trend, the current ranking underscores the ongoing need for heightened awareness and mitigation efforts within the community.
CWE-732 Incorrect Permission Assignment for Critical Resource - Initially ranked 15th in 2019, CWE-732 has now fallen to 31st in the 2023 rankings. Notably, it dropped out of the Top 25 in 2022 and experienced only slightly declined in rank in 2023. The exact causes behind this consistent decline are challenging to ascertain, but one possible explanation could be an increased emphasis on accurately aligning access control CWEs.
CWE-611 Improper Restriction of XML External Entity Reference - Starting as the 17th-ranked weakness in 2019, CWE-611's ranking gradually slipped to 28th in 2023. Although the decline has been gradual and relatively modest, it is significant that this vulnerability has recently fallen out of the CWE Top 25 this year.
CWE-426 Untrusted Search Path - Among the consistently downward trending vulnerabilities, CWE-426 has experienced the most substantial decline. Beginning at the 22nd rank in 2019, it progressively dropped out of the Top 40 as of 2021. Notably, this case is unusual as it involves a former CWE Top 25 weakness now well below the threshold. While the decline was just by four ranks between 2019 and 2020, the ranking continued to slide consistently. This downtrend can be attributed to a more accurate categorization of vulnerabilities under CWE-427: Uncontrolled Search Path Element, which moved from being outside the Top 25 in 2019 to the 27th position in 2023. Given the similarities between these two CWEs, extra caution has been exercised in recent years to ensure proper mapping of CVE records between them.
Register for instructor-led online courses today!
Check out our free programs!