MITRE has shared this yr’s high 25 checklist of the commonest and harmful software program weaknesses behind greater than 31,000 vulnerabilities disclosed between June 2023 and June 2024.
Software program weaknesses seek advice from flaws, bugs, vulnerabilities, and errors present in software program’s code, structure, implementation, or design.
Attackers can exploit them to breach methods the place the weak software program is operating, enabling them to realize management over affected gadgets and entry delicate information or set off denial-of-service assaults.
“Usually simple to seek out and exploit, these can result in exploitable vulnerabilities that enable adversaries to fully take over a system, steal information, or forestall purposes from working,” MITRE mentioned at this time.
“Uncovering the foundation causes of those vulnerabilities serves as a strong information for investments, insurance policies, and practices to forestall these vulnerabilities from occurring within the first place — benefiting each trade and authorities stakeholders.”
To create this yr’s rating, MITRE scored every weak spot based mostly on its severity and frequency after analyzing 31,770 CVE data for vulnerabilities that “would profit from re-mapping evaluation” and reported throughout 2023 and 2024, with a give attention to safety flaws added to CISA’s Recognized Exploited Vulnerabilities (KEV) catalog.
“This annual checklist identifies essentially the most essential software program weaknesses that adversaries ceaselessly exploit to compromise methods, steal delicate information, or disrupt important providers,” CISA added at this time.
“Organizations are strongly inspired to assessment this checklist and use it to tell their software program safety methods. Prioritizing these weaknesses in improvement and procurement processes helps forestall vulnerabilities on the core of the software program lifecycle.”
| Rank | ID | Title | Rating | KEV CVEs | Change |
|---|---|---|---|---|---|
| 1 | CWE-79 | Cross-site Scripting | 56.92 | 3 | +1 |
| 2 | CWE-787 | Out-of-bounds Write | 45.20 | 18 | -1 |
| 3 | CWE-89 | SQL Injection | 35.88 | 4 | 0 |
| 4 | CWE-352 | Cross-Website Request Forgery (CSRF) | 19.57 | 0 | +5 |
| 5 | CWE-22 | Path Traversal | 12.74 | 4 | +3 |
| 6 | CWE-125 | Out-of-bounds Learn | 11.42 | 3 | +1 |
| 7 | CWE-78 | OS Command Injection | 11.30 | 5 | -2 |
| 8 | CWE-416 | Use After Free | 10.19 | 5 | -4 |
| 9 | CWE-862 | Lacking Authorization | 10.11 | 0 | +2 |
| 10 | CWE-434 | Unrestricted Add of File with Harmful Sort | 10.03 | 0 | 0 |
| 11 | CWE-94 | Code Injection | 7.13 | 7 | +12 |
| 12 | CWE-20 | Improper Enter Validation | 6.78 | 1 | -6 |
| 13 | CWE-77 | Command Injection | 6.74 | 4 | +3 |
| 14 | CWE-287 | Improper Authentication | 5.94 | 4 | -1 |
| 15 | CWE-269 | Improper Privilege Administration | 5.22 | 0 | +7 |
| 16 | CWE-502 | Deserialization of Untrusted Knowledge | 5.07 | 5 | -1 |
| 17 | CWE-200 | Publicity of Delicate Data to an Unauthorized Actor | 5.07 | 0 | +13 |
| 18 | CWE-863 | Incorrect Authorization | 4.05 | 2 | +6 |
| 19 | CWE-918 | Server-Aspect Request Forgery (SSRF) | 4.05 | 2 | 0 |
| 20 | CWE-119 | Improper Operations Restriction in Reminiscence Buffer Bounds | 3.69 | 2 | -3 |
| 21 | CWE-476 | NULL Pointer Dereference | 3.58 | 0 | -9 |
| 22 | CWE-798 | Use of Exhausting-coded Credentials | 3.46 | 2 | -4 |
| 23 | CWE-190 | Integer Overflow or Wraparound | 3.37 | 3 | -9 |
| 24 | CWE-400 | Uncontrolled Useful resource Consumption | 3.23 | 0 | +13 |
| 25 | CWE-306 | Lacking Authentication for Vital Operate | 2.73 | 5 | -5 |
CISA additionally frequently releases “Safe by Design” alerts highlighting the prevalence of broadly recognized and documented vulnerabilities which have but to be eradicated from software program regardless of accessible and efficient mitigations.
Some have been issued in response to ongoing malicious exercise, like a July alert asking distributors to eradicate path OS command injection vulnerabilities exploited by Chinese language Velvet Ant state hackers in current assaults focusing on Cisco, Palo Alto, and Ivanti community edge gadgets.
In Could and March, the cybersecurity company revealed two extra “Safe by Design” alerts urging tech executives and software program builders to forestall path traversal and SQL injection (SQLi) vulnerabilities of their merchandise and code.
CISA additionally urged tech distributors to cease delivery software program and gadgets with default passwords and small workplace/house workplace (SOHO) router producers to safe them towards Volt Hurricane assaults.
Final week, the FBI, the NSA, and 5 Eyes cybersecurity authorities launched a listing of the high 15 routinely exploited safety vulnerabilities final yr, warning that attackers targeted on focusing on zero-days (safety flaws which were disclosed however are but to be patched).
“In 2023, the vast majority of essentially the most ceaselessly exploited vulnerabilities had been initially exploited as a zero-day, which is a rise from 2022, when lower than half of the highest exploited vulnerabilities had been exploited as a zero-day,” they cautioned.