CISA in collaboration with HSSEDI and MITRE Corporation has released the 2025 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by the MITRE Corporation, has released the 2025 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. This annual list identifies the most critical weaknesses adversaries exploit to compromise systems, steal data, or disrupt services.
| Rank | ID | Name | Score | CVEs in KEV | Rank Change vs. 2024 |
|---|---|---|---|---|---|
| 1 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 60.38 | 7 | 0 |
| 2 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 28.72 | 4 | +1 |
| 3 | CWE-352 | Cross-Site Request Forgery (CSRF) | 13.64 | 0 | +1 |
| 4 | CWE-862 | Missing Authorization | 13.28 | 0 | +5 |
| 5 | CWE-787 | Out-of-bounds Write | 12.68 | 12 | -3 |
| 6 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 8.99 | 10 | -1 |
| 7 | CWE-416 | Use After Free | 8.47 | 14 | +1 |
| 8 | CWE-125 | Out-of-bounds Read | 7.88 | 3 | -2 |
| 9 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 7.85 | 20 | -2 |
| 10 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 7.57 | 7 | +1 |
| 11 | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | 6.96 | 0 | N/A |
| 12 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 6.87 | 4 | -2 |
| 13 | CWE-476 | NULL Pointer Dereference | 6.41 | 0 | +8 |
| 14 | CWE-121 | Stack-based Buffer Overflow | 5.75 | 4 | N/A |
| 15 | CWE-502 | Deserialization of Untrusted Data | 5.23 | 11 | +1 |
| 16 | CWE-122 | Heap-based Buffer Overflow | 5.21 | 6 | N/A |
| 17 | CWE-863 | Incorrect Authorization | 4.14 | 4 | +1 |
| 18 | CWE-20 | Improper Input Validation | 4.09 | 2 | -6 |
| 19 | CWE-284 | Improper Access Control | 4.07 | 1 | N/A |
| 20 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 4.01 | 1 | -3 |
| 21 | CWE-306 | Missing Authentication for Critical Function | 3.47 | 11 | +4 |
| 22 | CWE-918 | Server-Side Request Forgery (SSRF) | 3.36 | 0 | -3 |
| 23 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 3.15 | 2 | -10 |
| 24 | CWE-639 | Authorization Bypass Through User-Controlled Key | 2.62 | 0 | +6 |
| 25 | CWE-770 | Allocation of Resources Without Limits or Throttling | 2.54 | 0 | +1 |
Release Date: 12-December-2025
Source: MITRE - https://cwe.mitre.org
Source: CISA - https://www.cisa.gov/news-events/alerts/2025/12/11/2025-cwe-top-25-most-dangerous-software-weaknesses
CWE License: https://cwe.mitre.org/about/termsofuse.html