News & Events - 2023 ArchiveRight-click and copy a URL to share an article. Send feedback about this page to cwe@mitre.org. “2023 CWE Top 10 KEV Weaknesses” List Now Available! December 14, 2023 | Share this article The “2023 CWE Top 10 KEV Weaknesses” list, which lists the top ten CWEs in the Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities (KEV) Catalog,” is now available on the CWE website. The KEV is a database of security flaws in software applications and weaknesses that have been exposed and leveraged by attackers. Each vulnerability listed in KEV is identified by, and links to, a CVE Record. CISA recommends that organizations monitor the KEV catalog and use its content to help prioritize remediation activities in their systems to reduce the likelihood of compromise. Our analysis/key insights about the 2023 Top 10 KEV Weaknesses list are available here, and our methodology for creating the list is here. Cookie Notice and Ability for Visitors to Manage Cookies Added to CWE Website December 14, 2023 | Share this article The CWE Program has added a Cookie Notice that explains how cookies are used on the cwe.mitre.org website as well as the ability for website visitors to Manage Cookies in the footer. Both links are available in the CWE website footer. CWE Program Privacy Policy Updated December 14, 2023 | Share this article We have updated the CWE Program Privacy Policy. The updated policy is available here. The link is available in the CWE website footer. CWE Version 4.13 Now Available October 26, 2023 | Share this article CWE Version 4.13 has been posted on the CWE List page and includes a number of exciting updates. There is 1 new weakness entry for Incorrect Initialization of Resource, a weakness class with five more specific, child weaknesses. Products with this weakness in their design or implementation might leave software or hardware resources in an unexpected, incorrect, or insecure state when accessed. This can lead to vulnerabilities with a variety of negative outcomes including the loss of data and application confidentiality and intended authorization controls. CWE 4.13 also includes changes to 148 CWEs to include observed examples of weaknesses in the wild, which are a direct result of analyzing CVE Records as part of the 2023 CWE Top 25 effort, community collaboration, or highlighting canonical examples in parent CWEs. In addition, demonstrative examples were added to 56 CWEs, including 9 resulting from collaboration with Hardware CWE Special Interest Group (HW CWE SIG) members. These provide valuable illustrations of specific hardware weaknesses including Verilog hardware description language for fictitious System on Chip (SoC) devices, such as:
The entire list of new software/hardware examples is available here. A detailed report is available that lists specific changes between Version 4.12 and Version 4.13. The schema was updated from version 7.0 to version 7.1 to update the recently added “Mapping_Notes” element to required for Weaknesses, Categories, and Views and to update the “Consequence” element to require an “Impact”. View the schema difference report. Summary: There are 934 weaknesses and a total of 1,421 entries on the CWE List. Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.12_v4.13.html. Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, on @cwecapec on X (formerly Twitter), and on @CWE_Program on Mastodon. Please contact us with any comments or concerns. Follow CWE on Mastodon! October 26, 2023 | Share this article The CWE Program is now on Mastodon! Please follow us for new version release announcements, updates on community activities, news, and more at https://mastodon.social/@CWE_Program. Stubborn Weaknesses in the CWE Top 25 (Updated) August 22, 2023 (Updated September 19, 2023) | Share this article Fifteen CWEs have appeared in every “CWE Top 25 Most Dangerous Software Weaknesses” list since 2019. We take an investigative look and provide links to potential mitigations on the Stubborn Weaknesses in the CWE Top 25 page. CWE Top 25 Weaknesses Trends from 2019 Through 2023 Now Available August 1, 2023 | Share this article In order to identify interesting trends in real-world, exploitable weaknesses that can inform security policy and investment decision-making, the CWE Program tracks how the CWEs on the “CWE Top 25 Most Dangerous Software Weaknesses” list change rank from year to year. For the 2023 CWE Top 25 list, we observed both upward and downward trends in CWE rankings as noted on the Trends in Real-World CWEs: 2019 to 2023 page. Red Hat Publishes Two Blogs Advocating the Use of CWE July 25, 2023 | Share this article Red Hat, Inc. has recently published two blogs advocating the use of CWE:
Read both articles on the Red Hat blog. 2023 CWE Top 25 Weaknesses “On the Cusp” List Now Available July 13, 2023 | Share this article A list of the fifteen additional weaknesses that were “on the cusp” of being included in the “2023 CWE Top 25 Most Dangerous Software Weaknesses” list is now available on the 2023 “On the Cusp” List page. These CWEs, ranked in positions 26-40, were not included in the 2023 CWE Top 25 but continue to be prevalent and severe enough to cause concern. View the 2023 On the Cusp Insights. 
2023 “CWE Top 25” Now Available! June 29, 2023 | Share this article The “2023 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses” (2023 CWE Top 25) is now available on the CWE website! The CWE Top 25 is calculated by analyzing public vulnerability data in the National Institute of Standards and Technology’s (NIST) U.S. National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years. These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working. The 2023 CWE Top 25 also incorporates updated weakness data for recent Common Vulnerabilities and Exposures (CVE®) records in the dataset that are part of Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog. Trend analysis on vulnerability data like this enables organizations to make better investment and policy decisions in vulnerability management. Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. Over the coming weeks, the CWE Program will be publishing a series of further articles and useful information to help illustrate how vulnerability management plays an important role in shifting the balance of cybersecurity risk. These include:
What’s Changed There are several notable shifts in ranked positions of weakness types from last year's list, including weaknesses dropping away or making their first appearance in a CWE Top 25. Weakness types moving higher on the list include CWE-416: Use After Free, CWE-862: Missing Authorization, CWE-269: Improper Privilege Management, and CWE-863: Incorrect Authorization, while CWE-502: Deserialization of Untrusted Data, CWE-798: Use of Hardcoded Credentials, and CWE-276: Incorrect Default Permissions moved down. Two weaknesses fell of the Top 25 list this year, CWE-400: Improper Restriction of XML External Entity Reference and CWE-611: Improper Restriction of XML External Entity Reference. Visit the Key Insights page for additional information. Leveraging Real-World Data To create the 2023 list, the CWE Program leveraged CVE Record data found within NVD and the Common Vulnerability Scoring System (CVSS) scores associated with each CVE Record, including a focus on CVE Records from the KEV Catalog. A formula was then applied to the data to score each weakness based on prevalence and severity. The 2023 CWE Top 25 leverages NVD data from the years 2021 and 2022. A scoring formula is used to calculate a ranked order of weaknesses which combines the frequency that a CWE is the root cause of a vulnerability with the average severity of each of those vulnerabilities’ exploitation as measured by CVSS. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen. For more information about how the list was created and the ranking methodology, visit the Methodology: How the 2023 CWE Top 25 Most Dangerous Software Weaknesses Was Created page. Be sure to also check out the CWE Top 25 page in the coming weeks for additional articles and insight. Feedback Welcome Please send any feedback or questions to the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or contact us directly. CWE Version 4.12 Now Available June 29, 2023 | Share this article CWE Version 4.12 has been posted on the CWE List page to add support for the recently released “2023 CWE Top 25 Most Dangerous Software Weaknesses” list, among other updates. A detailed report is available that lists specific changes between Version 4.11 and Version 4.12. Main Changes: CWE 4.12 includes the addition of 1 new view to support the release of the 2023 CWE Top 25. The software weakness types included in the 2023 CWE Top 25 also include observed examples drawn from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog to show relevance to real-world exploits. A new section has been added to all CWE entries - Vulnerability Mapping Notes. These notes should enable users to more accurately map vulnerabilities (e.g., CVEs) to their root cause weaknesses. Previously, mapping notes were only available in the Notes section for a small number of CWE entries. CWE 4.12 includes contributions from across the CWE community. Some CWE entries were updated to include industrial control systems (ICS)/operational technology (OT)-specific details including mappings to the ISA/IEC 62443 standard and categories of ICS/OT vulnerabilities, as contributed by the “Mapping CWE” and “Boosting CWE” subgroups of the CWE ICS/OT SIG. CWE 4.12 also adds hardware-specific demonstrative examples derived from Hack@DAC 2019, with input from Technical University of Darmstadt, Texas A&M University, and the Hardware CWE Special Interest Group (HW CWE SIG). One new view added: There were multiple schema updates in the upgrade to the new 7.0 Schema. Summary: There are 933 weaknesses and a total of 1,420 entries on the CWE List. Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.11_v4.12.html. Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns. Enhancing Automotive Security with CWE May 10, 2023 | Share this article “Enhancing Automotive Security with CWE” is the title and main topic a May 4, 2023 article by Anders Nordstrom on the Cycuity Blog. In the article, the author discusses the unique aspects automotive electronics security (long life span, physical security, increased safety risks), the importance of industry standards for security, and how to leverage CWE for automotive. The author also provides a list of the current top CWEs relevant to automotive security and discusses potential examples of each. Those most relevant CWE are:
The author states: “The cybersecurity of the electronics used in automotive designs is crucial and must be considered very early during the architecture and design phase of development. An important set of guideposts for this process can be found in the CWE (Common Weakness Enumeration). The CWE list provides a solid framework for preventing security vulnerabilities during hardware development. By utilizing CWE, developers can take proactive measures to identify and address potential weak spots before they become security risks.” Read the full article here. “Designing and Building More Secure Hardware with CWE” Talk at IEEE HOST 2023 May 01, 2023 | Share this article CWE for hardware was the main topic of a talk entitled “Designing and Building More Secure Hardware with CWE™ - A Year in Review” on May 1, 2023 at IEEE HOST 2023 in San Jose, California, USA. Presented by CWE Board member Jason Oberg of Cycuity and Bob Heinemann of the CWE Program, the abstract for the talk is as follows: “Common Weakness Enumeration (CWE™) was first introduced in 2006 as a community-developed method for cataloging security weaknesses in software to provide a consistent language for the industry to talk about the root-cause mistakes that lead to vulnerabilities. By providing a public list of common software weaknesses, the software industry widely adopted CWE to prioritize the weaknesses that were most relevant for their products, effectively ranking the highest impact weaknesses, and ultimately providing the basis of building a security development lifecycle for software. The use of CWE continues to become more pervasive in the software security community. In February 2020, CWE expanded its scope into hardware weaknesses for the first time. It currently enumerates over 100 hardware weaknesses across 13 different categories and is a promising start to provide an industry-aligned initiative to build more secure hardware. However, there is much for the industry to learn to use CWE effectively. In 2022, we introduced hardware CWE to the HOST community through a tutorial and the presentations were well received. Since this last tutorial, there have been significant improvements and changes in the hardware CWE program. This 2023 version of the tutorial will expand on the presentations in 2022 to showcase new developments in Hardware CWE that have happened over the last year.” CWE Version 4.11 Now Available April 27, 2023 | Share this article CWE Version 4.11 has been posted on the CWE List page. There is one new view, Comprehensive Categorization for Software Assurance Trends View that places all weaknesses into groupings to facilitate analysis of trends and priorities in software assurance; 23 new categories related to the new view; updates to the Software Development View and Weaknesses Introduced During Design View; updates to many CWEs to include industrial control systems (ICS)/operational technology (OT)-specific details including mappings to the ISA/IEC 62443 standard and categories of ICS/OT vulnerabilities, as contributed by the “Mapping CWE” and “Boosting CWE” subgroups of the CWE ICS/OT SIG; and a major addition to the content-viewing filters that allows a user to make custom selections for viewing CWE content. Significant changes for CWE 4.11 include:
A detailed report is available that lists specific changes between Version 4.10 and Version 4.11. There were no schema updates. Summary: There are 933 weaknesses and a total of 1,419 entries on the CWE List. Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.10_v4.11.html. Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns. Choose How You View CWE Weaknesses Using the New “Custom” Filter April 27, 2023 | Share this article The CWE Team, in collaboration with the CWE/CAPEC User Experience Working Group (UEWG), has updated how users can view Weaknesses by adding new a “Custom” filter that allows users to choose from a list of options to display only those weakness details that are most relevant to them. The previously released Conceptual, Operational, Mapping Friendly, and Complete (Default) presentation filters remain available for viewing CWE content. The options currently available for specifying custom filtering are noted below: 
This new filter works with all CWE weakness entries. Try it now on these examples: CWE-79 or CWE-89. We plan to continue updating the visible fields in collaboration with the UEWG. Join today to provide your feedback, or contact us at cwe@mitre.org. How the Community Uses the CWE List Based Upon User Personas April 27, 2023 | Share this article The CWE Program, in collaboration with the User Experience Working Group (UEWG), has defined a set of “CWE User Personas” that identify CWE users and associated “CWE User Stories” that outline how CWE can be used and the benefits that can be obtained. The goal is to educate the CWE community on how CWE is used by different stakeholders. Six initial CWE user personas are identified below, of which, four have defined user story examples. User stories for the remaining two user personas are under development. Additional user personas and user stories, and any updates, will be included as part of future CWE releases. The currently identified CWE user personas are:
Visit the CWE User Stories page to view user stories for the personas above. “New to CWE” Page Will Help You Get Started with CWE April 27, 2023 | Share this article Common Weakness Enumeration (CWE™) can be difficult to understand for the average person and can even be overwhelming to a seasoned IT industry veteran. The new “New to CWE” page on the CWE website offers some tips on how to familiarize yourself with what CWE has to offer before more fully exploring this extensive knowledge base. The new page provides answers to these four main questions about CWE:
If you are looking for a high-level overview of the CWE Program, please visit New to CWE. Minutes from CWE/CAPEC Board Teleconference Meeting on February 15 Now Available March 13, 2023 | Share this article The CWE/CAPEC Board held a teleconference meeting on February 15, 2023. Read the meeting minutes. Hardware Weaknesses Added to CWE List 3 Years Ago Today February 24, 2023 | Share this article Three years ago today, on February 24, 2020, the CWE Program published the first set of hardware weaknesses in collaboration with community partners. The significance of including hardware weaknesses in CWE was noted by the community in several articles in industry news media publications, including “Hardware CWEs…This will Change Everything” on Embedded Computing Design, “A case for establishing a common weakness enumeration for hardware security” on Help Net Security, “MITRE Releases an Update to The Common Weakness Enumeration (CWE)” on The State of Security blog, and “Designers vs. Hackers: How Hardware Common Weakness Enumeration Tips the Scale” on EE Times. CWE 4.0 included an initial set of 31 hardware weaknesses and a new “Hardware Design” view that organizes weaknesses around concepts that are frequently used or encountered in hardware design, accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. The addition of these weaknesses and the new view were a direct result of community contributions and collaboration with the CWE Team. Hardware CWE SIG Established Most new CWE releases after CWE 4.0 have included hardware content additions and improvements to how hardware weaknesses are presented on the CWE website. Much of this ongoing work is a direct result of contributions made by the many members of the Hardware CWE Special Interest Group (HW CWE SIG), which was launched in November 2020, to serve as a forum for researchers and representatives from organizations operating in hardware design, manufacturing, and security to interact, share opinions and expertise, and leverage each other’s experiences in supporting the continued growth and adoption of CWE as a common language for defining hardware security weaknesses. The significance of creating the HW SIG, and the role it will play in the ongoing development of hardware CWEs, was noted in the industry news media article “Establishing A Special Interest Group On Common Hardware Weaknesses” on Semiconductor Engineering. The HW CWE SIG meets monthly and posts meeting minutes and other information in a GitHub Repository. Learn more about the HW CWE SIG here. “2021 CWE Most Important Hardware Weaknesses” List Released Perhaps the most important milestone for hardware weaknesses in CWE was the release of the “2021 CWE Most Important Hardware Weaknesses” list in October 2021. The list, which specifies 12 hardware weaknesses, is the first of its kind and the result of collaboration within the Hardware CWE SIG. The goals of the list are to drive awareness of common hardware weaknesses through CWE, and to prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle. Security analysts and test engineers can use the list in preparing plans for security testing and evaluation. Hardware consumers could use the list to help them to ask for more secure hardware products from their suppliers. Finally, managers and CIOs can use the list as a measuring stick of progress in their efforts to secure their hardware and ascertain where to direct resources to develop security tools or automation processes that mitigate a wide class of vulnerabilities by eliminating the underling root cause. The release of this list also received significant news media coverage. Visit the 2021 Hardware List page to view the full list, as well as other details including limitations, methodology, and more. Moving Forward Today, there are 100+ hardware weaknesses on the CWE List, all of which are a direct result of the community and the HW CWE SIG. Moving forward, the HW CWE SIG will continue working to add new hardware-related weaknesses and enhance hardware-related content in CWE. If you’d like to contribute, please consider joining the HW CWE SIG. “CWE-CAPEC ICS/OT SIG” Booth at S4x23 February 10, 2023 | Share this article CWE-CAPEC ICS/OT SIG members are attending S4x23 in Miami, Florida, USA, on February 13-16, 2023. The ICS/OT SIG is also hosting a booth at S4x23 on Wednesday, February 15, on the 2nd floor in the Worthy Cause Exhibits. The ICS/OT SIG offers a forum for researchers and technical representatives from organizations operating in industrial control systems (ICS) and operational technology (OT) design, manufacturing, and security to interact, share opinions and expertise, and leverage each other’s experiences in supporting continued growth and adoption of CWE as a common language for defining ICS/OT security weaknesses. Look for us and visit our booth! CWE Version 4.10 Now Available January 31, 2023 | Share this article CWE Version 4.10 has been posted on the CWE List page. There is one new entry, Dependency on Vulnerable Third-Party Component; updates to over 400 weakness descriptions to better allow the scope of those CWEs to include hardware; and many updates to the Hardware View and ICS/OT View that are based on contributions by the CWE Hardware SIG and CWE-CAPEC ICS/OT SIG. Significant changes for CWE 4.10 include:
A detailed report is available that lists specific changes between Version 4.9 and Version 4.10. The schema was updated from version 6.9 to version 6.10 to add a new entry “ISA/IEC 62443” to the TaxonomyNameEnumeration, add a new entry “JSON” to the LanguageNameEnumeration, and to make other minor documentation updates. Summary: There are 933 weaknesses and a total of 1,396 entries on the CWE List. Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.9_v4.10.html. Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns. |
