Voyager18 (research)

CWE top 25 most dangerous software weaknesses in 2022 - what they mean

Here's everything you need to know about MITRE's CWE top 25 - the methodology behind the rankings, and what it means for your organization.

Tal Morgenstern | July 07, 2022

As application development accelerates, so must the security work around it. Fortunately, there are many tools and resources to help security teams navigate the growing application-security threat landscape, not least from MITRE, which has released its latest ranking of the most dangerous software weaknesses.

Here’s everything you need to know about the 2022 CWE top 25 most dangerous software weaknesses. 

What is the CWE top 25? 

Each year, MITRE ranks the most dangerous software weaknesses according to how often they appear in reported vulnerabilities and how severe those vulnerabilities are.

Visibility into these weaknesses is vital for organizations that are constantly updating and releasing software. The CWE top 25 highlights the most pressing concerns in application security and cyber risk.

To quote MITRE: 

“Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations (SDOs).”

In short, the CWE top 25 serves as an invaluable resource as companies scale their application security efforts. 

MITRE’s methodology for the CWE top 25 

The list is built from public vulnerability data in the NVD. Once the data is obtained, MITRE applies a scoring formula that ranks each CWE by how frequently it is mapped to CVEs and by the average CVSS severity of those CVEs.

MITRE details its full methodology for identifying the top CWEs on the CWE Top 25 site.

But in short: 

“The NVD obtains vulnerability data from CVE and then supplements it with additional analysis and information including a mapping to one or more weaknesses, and a CVSS score, which is a numerical score representing the potential severity of a vulnerability based upon a standardized set of characteristics about the vulnerability.”

The CWE Top 25 uses NVD data for CVE IDs from the last two years (CVEs published in 2020 and 2021 for the 2022 list), downloaded at four different points in time.

The Top 25 team analyzes a subset of CVE records and remaps them where needed, either changing or confirming the CWE mappings already present in the NVD, using the lowest-level (most specific) CWEs available.
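To make the "frequency and severity" ranking concrete, here is an added example (not MITRE's code and not part of the original article) that implements the normalized scoring formula MITRE publishes for the Top 25: Fr(X) = (count(X) - min count) / (max count - min count), Sv(X) = (avg CVSS(X) - min avg CVSS) / (max avg CVSS - min avg CVSS), Score(X) = Fr(X) * Sv(X) * 100. The CVE counts and average CVSS values in the sample are constructed for illustration and are not the real 2022 NVD figures.

```c
/* Added example (not MITRE's code): ranks a constructed set of CWEs with the
 * normalized frequency x severity formula MITRE publishes for the Top 25.
 * Counts and average CVSS values below are made up for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cwe_stat {
    const char *id;
    int count;        /* number of NVD CVEs mapped to this CWE (constructed) */
    double avg_cvss;  /* mean CVSS base score of those CVEs (constructed) */
    double score;     /* filled in by score_cwes() */
};

/* Computes Score for every entry in place. Returns 0, or -1 if the data cannot
 * be normalized (fewer than two entries, or all counts/severities identical). */
int score_cwes(struct cwe_stat *s, size_t n)
{
    if (n < 2) return -1;
    int min_c = s[0].count, max_c = s[0].count;
    double min_v = s[0].avg_cvss, max_v = s[0].avg_cvss;
    for (size_t i = 1; i < n; i++) {
        if (s[i].count < min_c) min_c = s[i].count;
        if (s[i].count > max_c) max_c = s[i].count;
        if (s[i].avg_cvss < min_v) min_v = s[i].avg_cvss;
        if (s[i].avg_cvss > max_v) max_v = s[i].avg_cvss;
    }
    if (max_c == min_c || max_v == min_v) return -1;   /* would divide by zero */
    for (size_t i = 0; i < n; i++) {
        double fr = (double)(s[i].count - min_c) / (max_c - min_c);
        double sv = (s[i].avg_cvss - min_v) / (max_v - min_v);
        s[i].score = fr * sv * 100.0;
    }
    return 0;
}

static int by_score_desc(const void *a, const void *b)
{
    double da = ((const struct cwe_stat *)a)->score;
    double db = ((const struct cwe_stat *)b)->score;
    return (da < db) - (da > db);   /* highest score first */
}

void rank_cwes(struct cwe_stat *s, size_t n)
{
    qsort(s, n, sizeof *s, by_score_desc);
}

/* Scores the array and returns the score of the entry with the given id,
 * or -1 if the id is absent or the data cannot be scored. */
double score_of(struct cwe_stat *s, size_t n, const char *id)
{
    if (score_cwes(s, n) != 0) return -1;
    for (size_t i = 0; i < n; i++)
        if (strcmp(s[i].id, id) == 0) return s[i].score;
    return -1;
}

/* Constructed sample: CWE-79 is the most frequent but low severity, CWE-89 is
 * rarer but the most severe, CWE-787 is both frequent and severe. */
static const struct cwe_stat SAMPLE[] = {
    { "CWE-787", 4000, 8.5, 0 },
    { "CWE-79",  5000, 5.8, 0 },
    { "CWE-89",  1500, 9.0, 0 },
    { "CWE-362",  300, 6.0, 0 },
    { "CWE-400",  200, 5.0, 0 },
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Score of one CWE in the constructed sample (works on a private copy). */
double sample_score(const char *id)
{
    struct cwe_stat s[SAMPLE_N];
    memcpy(s, SAMPLE, sizeof s);
    return score_of(s, SAMPLE_N, id);
}

int main(void)
{
    struct cwe_stat s[SAMPLE_N];
    memcpy(s, SAMPLE, sizeof s);
    if (score_cwes(s, SAMPLE_N) != 0) return 1;
    rank_cwes(s, SAMPLE_N);
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("%zu. %-8s count=%5d avg_cvss=%.1f score=%6.2f\n",
               i + 1, s[i].id, s[i].count, s[i].avg_cvss, s[i].score);
    return 0;
}
```

With this sample CWE-787 scores about 69, CWE-89 about 27 and CWE-79 exactly 20 even though CWE-79 has the most CVEs: the product of the two normalized terms means a weakness that is common but mild, or severe but rare, ranks below one that is both common and severe, and the least frequent CWE always scores 0 regardless of its severity.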

CWE top 25

CWEs to watch

For the second year in a row, CWE-787 ("Out-of-bounds Write") takes first place on the list. If teams weren't watching it before, they certainly should be now.

CWE-787 covers any write past the beginning or end of a buffer: a stack or heap buffer overflow, an unchecked or negative index, a length field read from the input and trusted. Corrupting adjacent memory can crash the program, alter its data or control flow, and in the worst case let an attacker execute code of their choosing with whatever privileges the program holds, which can mean control of the entire system. It is overwhelmingly a problem of memory-unsafe languages such as C and C++, and it sits behind a large share of the exploitable bugs in browsers, operating systems and embedded firmware.

There is no one-size-fits-all solution, as the right fix depends on the code base. However, some general measures that help include:

  1. Check every length and index against the size of the destination buffer before writing, and treat any size that comes from input as untrusted.
  2. Prefer bounds-checked APIs (snprintf over sprintf, explicit-length copies over strcpy and strcat) and avoid open-ended parsing loops.
  3. Build with compiler hardening (stack protectors, _FORTIFY_SOURCE, position-independent code so ASLR applies) and test with AddressSanitizer and fuzzing so out-of-bounds writes surface before release.
  4. Where possible, write new components in a memory-safe language, and sandbox or privilege-separate the native code that remains.
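The following is an added example, not code from the article, showing the weakness beside its fix: a function that copies a length-prefixed "username" field into a fixed buffer, first trusting the length byte (CWE-787) and then validating it against both the record and the destination. The record format and the NAME_MAX_LEN limit are assumptions made for the example.

```c
/* Added example (not from the article): an out-of-bounds write (CWE-787) and
 * the bounds-checked rewrite. Both functions copy a "username" field from a
 * record whose first byte is the field length into a fixed-size buffer. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NAME_MAX_LEN 16   /* assumed destination size, including the NUL */

/* VULNERABLE: trusts the length byte from the record. A record that claims
 * len > NAME_MAX_LEN - 1 writes past 'out' (stack or heap, depending on the
 * caller), and the terminating NUL lands out of bounds as well. */
void copy_name_vulnerable(char out[NAME_MAX_LEN], const uint8_t *rec, size_t rec_len)
{
    (void)rec_len;                  /* ignored: that is the bug */
    size_t len = rec[0];            /* attacker-controlled length prefix */
    memcpy(out, rec + 1, len);      /* no check against NAME_MAX_LEN or rec_len */
    out[len] = '\0';
}

/* HARDENED: validates the length against both the record and the destination
 * before any write. Returns 0 on success, -1 if the record is rejected. */
int copy_name_checked(char out[NAME_MAX_LEN], const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < 1) return -1;
    size_t len = rec[0];
    if (len > rec_len - 1) return -1;           /* claims more than was sent */
    if (len > NAME_MAX_LEN - 1) return -1;      /* would not fit with the NUL */
    memcpy(out, rec + 1, len);
    out[len] = '\0';
    return 0;
}

/* Test helper: builds a record with a given claimed length over a payload of
 * payload_len bytes and returns the checked copy's result (-2 = bad test args). */
int checked_copy_result(size_t claimed_len, size_t payload_len)
{
    uint8_t rec[256];
    char out[NAME_MAX_LEN];
    if (payload_len + 1 > sizeof rec || claimed_len > 255) return -2;
    rec[0] = (uint8_t)claimed_len;
    memset(rec + 1, 'A', payload_len);
    return copy_name_checked(out, rec, payload_len + 1);
}

int main(void)
{
    /* Constructed records: a benign one and one whose length byte lies. */
    const uint8_t good[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    uint8_t evil[1 + 64];
    evil[0] = 64;                        /* claims 64 bytes for a 16-byte buffer */
    memset(evil + 1, 'A', 64);

    char name[NAME_MAX_LEN];
    copy_name_vulnerable(name, good, sizeof good);   /* fine for a short name */
    printf("vulnerable copy, benign input: %s\n", name);
    /* copy_name_vulnerable(name, evil, sizeof evil) would write 65 bytes into a
     * 16-byte buffer, 49 bytes past its end; it is deliberately not called. */

    printf("checked copy, benign input: rc=%d name=%s\n",
           copy_name_checked(name, good, sizeof good), name);
    printf("checked copy, oversized input: rc=%d (rejected)\n",
           copy_name_checked(name, evil, sizeof evil));
    return 0;
}
```

Compiling the vulnerable path with -fsanitize=address and feeding it the oversized record reports the overflow immediately, which is the cheapest way to find this class of bug before an attacker does; the two explicit checks in copy_name_checked are what the list item on validating lengths means in practice.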

In addition, CWE-77 ("Improper Neutralization of Special Elements used in a Command", or command injection) jumped 8 places. It occurs when an application builds a command, typically a shell command, from untrusted input without neutralizing the characters the command interpreter treats specially, so an attacker can append or alter commands and run them with the application's privileges, often on the server hosting it. Validating input helps, but the more robust fix is not to build commands from input at all: invoke programs with an argument vector instead of through a shell, and check whatever must be passed through against a strict allowlist.

Finally, CWE-362, CWE-400 and CWE-94 were added to the list this year, and teams should keep a close eye on developments here:

CWE-362 ("Concurrent Execution using Shared Resource with Improper Synchronization", or race condition) is a flaw in which two or more threads, processes or requests operate on a shared resource (a file, a counter, a session record, a database row) in an unsynchronized sequence of steps, so the outcome depends on timing that an attacker can influence. Typical consequences are lost or corrupted updates, bypassed checks (the time-of-check/time-of-use pattern, where a file is verified and then opened as two separate operations) and, in lower-level code, memory corruption. There is no single fix for CWE-362, but the measures are well known: guard shared state with locks or atomic operations, make check-and-use a single indivisible step (for example open the file first and then inspect the open descriptor, rather than checking the path and opening it afterwards), avoid predictable temporary file names, and test concurrent code under load with a tool such as ThreadSanitizer.
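As an added example (not from the article), the program below shows the simplest form of the weakness: several POSIX threads incrementing one shared counter with no synchronization, so read-modify-write sequences interleave and updates are lost, beside the same loop serialized with a mutex. The thread and iteration counts are arbitrary choices for the example.

```c
/* Added example (not from the article): a data race (CWE-362) on a shared
 * counter, and the same update serialized with a mutex. Uses POSIX threads. */
#include <pthread.h>
#include <stdio.h>

#define THREADS 4          /* arbitrary sizes chosen for the example */
#define ITERS   200000

struct shared {
    long total;
    pthread_mutex_t lock;
    int use_lock;
};

static void *worker(void *arg)
{
    struct shared *s = arg;
    for (int i = 0; i < ITERS; i++) {
        if (s->use_lock) pthread_mutex_lock(&s->lock);
        s->total++;        /* load, add, store: three steps that can interleave */
        if (s->use_lock) pthread_mutex_unlock(&s->lock);
    }
    return NULL;
}

/* Runs THREADS workers over one counter and returns the final value.
 * With use_lock == 0 the result is usually below THREADS * ITERS because
 * concurrent increments overwrite each other (the race); with use_lock == 1
 * it is always exactly THREADS * ITERS. Returns -1 on a thread error. */
long run_counter(int use_lock)
{
    struct shared s;
    s.total = 0;
    s.use_lock = use_lock;
    if (pthread_mutex_init(&s.lock, NULL) != 0) return -1;

    pthread_t t[THREADS];
    int started = 0;
    for (; started < THREADS; started++)
        if (pthread_create(&t[started], NULL, worker, &s) != 0) break;
    for (int i = 0; i < started; i++)
        pthread_join(t[i], NULL);
    pthread_mutex_destroy(&s.lock);
    return started == THREADS ? s.total : -1;
}

long expected_total(void)
{
    return (long)THREADS * ITERS;
}

int main(void)
{
    printf("expected      : %ld\n", expected_total());
    printf("unsynchronized: %ld\n", run_counter(0));
    printf("with mutex    : %ld\n", run_counter(1));
    return 0;
}
```

The unsynchronized figure varies from run to run and is frequently tens of thousands short, which is exactly why races are missed in testing: a single run often looks fine. Compiling with -fsanitize=thread flags the unlocked increment deterministically, and the same lock-or-atomic rule applies whether the shared resource is a counter, a session object or a file.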

CWE-400 ("Uncontrolled Resource Consumption") is a weakness in which software lets an input or request consume memory, CPU, disk, file descriptors, threads or connections without limit, so an attacker can exhaust the resource and deny service to everyone else. Typical causes are allocations sized by an untrusted length field, loops or recursion driven by input, and missing limits on request size, rate or concurrency. There is no single "fix" for CWE-400. Instead, enforce a ceiling at every point where input dictates how much work or memory is consumed (maximum message size, maximum recursion depth, per-client quotas, timeouts), fail closed when a limit is hit, and monitor resource usage so that exhaustion is detected early.
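Here is an added example (not from the article) of the most common shape of this weakness in network code: a reader for length-prefixed messages that allocates whatever the peer's 4-byte header asks for, beside a version that enforces a ceiling and checks that the bytes are actually present. The framing format and the 64 KiB limit are assumptions for the example.

```c
/* Added example (not from the article): uncontrolled resource consumption
 * (CWE-400) in a length-prefixed message reader, and a version that enforces
 * a ceiling. A 4-byte big-endian length precedes each payload (assumed format). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_MESSAGE (64 * 1024)   /* assumed: largest payload the service needs */

static uint32_t read_be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* VULNERABLE: allocates whatever the peer asks for. A 4 GB length in a single
 * request exhausts memory, or, once malloc fails, the memcpy writes through
 * NULL. It also over-reads buf whenever len exceeds the bytes received. */
uint8_t *read_message_vulnerable(const uint8_t *buf, size_t buf_len, size_t *out_len)
{
    if (buf_len < 4) return NULL;
    uint32_t len = read_be32(buf);
    uint8_t *msg = malloc(len);
    memcpy(msg, buf + 4, len);
    *out_len = len;
    return msg;
}

/* HARDENED: rejects lengths above MAX_MESSAGE and lengths the buffer does not
 * actually contain, and checks malloc. Returns NULL with *out_len = 0 on
 * rejection; the caller frees the result. */
uint8_t *read_message_checked(const uint8_t *buf, size_t buf_len, size_t *out_len)
{
    *out_len = 0;
    if (buf == NULL || buf_len < 4) return NULL;
    uint32_t len = read_be32(buf);
    if (len > MAX_MESSAGE) return NULL;        /* the resource ceiling */
    if (len > buf_len - 4) return NULL;        /* header lies about the payload */
    uint8_t *msg = malloc(len ? len : 1);
    if (msg == NULL) return NULL;
    memcpy(msg, buf + 4, len);
    *out_len = len;
    return msg;
}

/* Test helper: frames a claimed length over payload_len bytes of filler and
 * reports whether the checked reader accepted it (1) or rejected it (0). */
int checked_accepts(uint32_t claimed_len, size_t payload_len)
{
    size_t total = 4 + payload_len;
    uint8_t *frame = malloc(total);
    if (frame == NULL) return -1;
    frame[0] = (uint8_t)(claimed_len >> 24);
    frame[1] = (uint8_t)(claimed_len >> 16);
    frame[2] = (uint8_t)(claimed_len >> 8);
    frame[3] = (uint8_t)claimed_len;
    memset(frame + 4, 'x', payload_len);
    size_t got = 0;
    uint8_t *msg = read_message_checked(frame, total, &got);
    int ok = msg != NULL && got == claimed_len;
    free(msg);
    free(frame);
    return ok;
}

int main(void)
{
    /* Constructed frames: a 5-byte "hello" and a header claiming 4 GB. */
    const uint8_t hello[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t huge[]  = { 0xFF, 0xFF, 0xFF, 0xFF };
    size_t n;

    uint8_t *m = read_message_vulnerable(hello, sizeof hello, &n);
    printf("vulnerable, hello: %zu bytes\n", n);
    free(m);
    m = read_message_checked(hello, sizeof hello, &n);
    printf("checked, hello: %s (%zu bytes)\n", m ? "accepted" : "rejected", n);
    free(m);
    m = read_message_checked(huge, sizeof huge, &n);
    printf("checked, 4GB header: %s\n", m ? "accepted" : "rejected");
    /* read_message_vulnerable(huge, ...) would try to allocate 4 GB; not called. */
    return 0;
}
```

The same pattern (take a limit from the protocol, cap it with a limit of your own) applies to compressed-data ratios, recursion depth in parsers, and the number of in-flight requests per client; the point is that the attacker never gets to choose how much of a resource the server spends.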

CWE-94 is "Improper Control of Generation of Code", better known as code injection. It occurs when untrusted input is used to build code that the application then executes, whether through an eval()-style function, a template engine, a dynamically generated script or a deserializer that instantiates arbitrary classes. An attacker can then run their own code in the application's context, which usually means full compromise of the application and its data. If the weakness sits in a third-party component, updating that component is the first step; if it is in your own code, the real fix is to stop generating code from input altogether (express the behaviour with data structures and fixed logic instead) and, where that is impossible, to validate the input against a strict allowlist and run the generated code with the least privilege and isolation you can arrange.
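CWE-77 and CWE-94 share one root cause: untrusted text is spliced into something an interpreter will evaluate, so the data channel and the code channel merge. The added example below (not from the article) shows that for the command case: a "ping this host" feature that builds a /bin/sh command line from the input, beside a version that validates the host against an allowlist and hands it to the program as a single argv element, which is the fix the CWE-77 paragraph describes. Nothing here executes a process; the functions only build and validate what would be executed. The hostname allowlist and argv layout are assumptions for the example.

```c
/* Added example (not from the article): command injection (CWE-77) via a
 * shell command string built from input, beside the argv-based rewrite.
 * The same "keep data out of the code channel" rule is the fix for CWE-94. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* VULNERABLE: the user-supplied host becomes part of a /bin/sh command line.
 * Input "8.8.8.8; cat /etc/passwd" runs two commands once this string reaches
 * system() or popen(). Returns -1 if the string would be truncated. */
int build_ping_command_vulnerable(char *cmd, size_t cmd_size, const char *host)
{
    int n = snprintf(cmd, cmd_size, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= cmd_size) ? -1 : 0;
}

/* Allowlist for a hostname or IPv4 literal (assumed policy): letters, digits,
 * '.' and '-', at most 253 characters, and not starting with '-' so the value
 * cannot be interpreted as a ping option (option injection is the remaining
 * risk once the shell is out of the picture). */
int valid_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* HARDENED: validates, then fills an argv vector suitable for execvp() or
 * posix_spawnp(). The host is exactly one argument; no shell ever parses it,
 * so ';', '|', '$()' and backticks carry no meaning. Returns argc on success,
 * -1 if the host is rejected. */
int build_ping_argv(const char *argv[5], const char *host)
{
    if (!valid_host(host)) return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

/* Test helper: 1 if the argv builder accepts the host, 0 if it rejects it. */
int ping_argv_accepts(const char *host)
{
    const char *argv[5];
    return build_ping_argv(argv, host) == 4;
}

int main(void)
{
    /* Constructed inputs: a benign host, a classic injection payload, and an
     * option-injection attempt. */
    const char *inputs[] = { "example.com", "8.8.8.8; cat /etc/passwd", "-f" };
    for (size_t i = 0; i < 3; i++) {
        char cmd[256];
        const char *argv[5];
        build_ping_command_vulnerable(cmd, sizeof cmd, inputs[i]);
        printf("input: %s\n  shell string (vulnerable): %s\n", inputs[i], cmd);
        if (build_ping_argv(argv, inputs[i]) < 0)
            printf("  argv builder: rejected\n");
        else
            printf("  argv builder: [%s, %s, %s, %s]\n",
                   argv[0], argv[1], argv[2], argv[3]);
    }
    return 0;
}
```

For the second input the vulnerable builder happily produces "ping -c 1 8.8.8.8; cat /etc/passwd", while the argv builder rejects it before anything is executed; note that the allowlist is a defence in depth, because even a host that passed validation is still only ever one argument. Escaping metacharacters for the shell is the weaker alternative: it has to be correct for every shell and every quoting context, whereas an argument vector removes the interpreter from the path entirely.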

The top 25 list represents the weaknesses that appear most often, and with the highest severity, in the vulnerabilities reported to the NVD, and they deserve the attention of security teams. Compared with last year, CWE-200, CWE-522 and CWE-732 have dropped off the list, while CWE-362, CWE-400 and CWE-94 have entered it.

Nonetheless, MITRE recommends also addressing the weaknesses ranked 26-40 (its "on the cusp" list), since any weakness can become exploitable in the right circumstances.

Next steps

At Vulcan Cyber, we welcome any effort to shed light on the key cyber security concerns facing our industry. Meeting our end of the bargain, we provide comprehensive resources and tools to our community for better understanding, prioritizing, and reducing cyber risk. Get all of our updates and be part of the conversation by joining our Slack channel.
