Common Weakness Enumeration

2023 CWE Top 10 KEV Weaknesses List Insights

In 2021, the Cybersecurity and Infrastructure Security Agency (CISA) began publishing the “Known Exploited Vulnerabilities (KEV) Catalog.” Entries in this catalog are vulnerabilities that have been reported through the Common Vulnerabilities and Exposures (CVE®) program and are observed to be (or have been) actively exploited. CISA recommends that organizations monitor the KEV catalog and use its content to help prioritize remediation activities in their systems to reduce the likelihood of compromise.

What CWE Analysis Shows Us About Known Exploited Vulnerabilities

A “weakness” is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs. In general, CWE(s) describe the root cause(s) of vulnerabilities.

The CWE Top 25 is an annual list of the weaknesses responsible for the most prevalent and severe CVE Records. Prevalence is measured by the number of CVE Records in the dataset whose root cause correlate with a particular CWE, and severity is measured by calculating the average CVSS score for those CVE Records. But whether a vulnerability is being actively exploited is not a required part of the vulnerability reporting process (i.e., CVE Reporting procedures).

By examining the CWE root cause mappings of vulnerabilities known to have been exploited in the wild, we gain new insight into what weaknesses adversaries exploit (as opposed to those most often reported by developers and researchers). 289 CVE Records were analyzed, comprising all the 2021 and 2022 CVE Records in the KEV catalog (as of March 27, 2023, the day all NVD data was pulled for the 2023 CWE Top 25). Together with the 2023 CWE Top 25, the first ever Top 10 KEV Weaknesses List (using the same scoring methodology used for the 2023 Top 25) provides further information that organizations can use in their efforts to mitigate risk.

Analysis

In early 2023, View-1400: Comprehensive Categorization for Software Assurance Trends was published on the CWE website to group all entries into categories of interest for large-scale software assurance research. This was both to support efforts to eliminate weaknesses using tactics such as secure language development as well as to help track weakness trends in publicly disclosed vulnerability data. The pie chart on the right shows the percentage of weakness categories for all CWE mappings in the 2023 CWE Top 10 KEV Weaknesses list.

Percent of 2023 CWE Top 10 KEV Weaknesses by CWE Category ×

The treemap chart on the right combines the CWE Top 10 KEV Weaknesses’ categories with the individual CWE entries’ analysis scores. Note that the top 3 entries in the CWE Top 10 KEV Weaknesses are related to Memory Safety.

2023 CWE Top 10 KEV Weaknesses List Insights ×

CWE Top 25 vs. CWE KEV Top 10 Comparison

There are several interesting differences between the sets of CWEs appearing in the CWE Top 10 KEV Weaknesses and the 2023 CWE Top 25. As shown below, some weakness types scored lower in the 2023 CWE Top 25 but higher in the Top 10 KEV Weaknesses. A dash indicates the weakness was not present in the 2023 CWE Top 25.

Other weaknesses that appeared in the 2023 CWE Top 25 do not appear in Top 10 KEV Weaknesses at all:

Many factors can account for these differences. These include, but are not limited to, the types of vulnerabilities that are:

• easily found by code scanning tools
• easiest to exploit
• have the most desirable impact for adversaries that exploit them

Reported vulnerabilities as noted in the CWE Top 25 are important to understand, but coupled with knowledge of exploitation offers a new level of information that helps inform system development environments with operational realities.