News & Events - 2025

“2025 CWE™ Most Important Hardware Weaknesses” Now Available
August 20, 2025

The “2025 CWE™ Most Important Hardware Weaknesses” is now available on the CWE website, delivering a major update to the original 2021 release. For the first time, the refreshed MIHW combines comprehensive weakness data with expert opinion from across the hardware security community, equipping organizations with actionable insights to tackle today’s most critical hardware risks.

Goals

The 2025 MIHW aims to drive awareness of critical hardware weaknesses and provide the cybersecurity community with practical guidance to prevent security issues at the source. By combining advanced data analysis with expert consensus, the list helps organizations prioritize mitigations, strengthen design practices, and make informed decisions throughout the hardware lifecycle.

Suggested Use Cases

The 2025 MIHW serves as a practical resource for a wide range of stakeholders:
A Community Effort

The 2025 MIHW is the result of broad collaboration within the hardware security community. We extend our deepest gratitude to the 2025 MIHW Working Group whose dedication and hard work made the weakness data collection possible. We also thank the many respondents to the MIHW polls for sharing their expert insights, and all Hardware CWE SIG members for their ongoing support and contributions.

Learn More

Visit the Most Important Hardware Weaknesses page to view the 2025 list, key insights, methodology, use cases, and more.

Mapping CVEs to CWEs Is Main Topic of “We Speak CVE” Podcast
August 13, 2025

Root Cause Mapping (RCM) is the main topic of a “We Speak CVE” podcast entitled “Mapping the Root Causes of CVEs.” In the episode, host Shannon Sabens chats with CVE™/CWE™ Project Lead Alec Summers and CWE Top 25 task lead/CWE Root Causes Mapping Working Group lead Connor Mullaly about the importance of mapping CVE Records (vulnerabilities) to their technical root causes using CWE.

Additional topics include the benefits of RCM for CVE Numbering Authorities (CNAs) and consumers of CVE data, Common Vulnerability Scoring System (CVSS) and other vulnerability metadata and their differences with CWE, the CWE Top 25 Most Dangerous Software Weaknesses list, and the tools and guidance available to improve the RCM process (e.g., examples of mappings and best practices on the CWE website, mapping usage labels on CWE entry pages on the website, the RCM WG, and an LLM tool), and more.

The podcast is available now on the CWE YouTube Channel.
Videos of Three CWE-Focused Sessions at VulnCon 2025 Now Available
June 18, 2025

Videos of three CWE-focused sessions — “Hard Problems in CWE, and What it Tells us about Hard Problems in the Industry” (presentation), “How Do We Leverage CVE Root Cause Mapping and CWE Data to Prevent New Vulnerabilities?” (presentation), and “Vulnerability Root Cause Mapping with CWE” (presentation) — from CVE/FIRST VulnCon 2025 are now available on the CWE YouTube Channel.

CWE Podcast: “Root Cause Mapping and the CWE Top 25”
April 15, 2025

“Out-Of-Bounds Read” is the CWE Program’s free podcast about common weaknesses in software and hardware, the vulnerabilities they cause, how to reduce them, and how using CWE can help make products more secure by design.

In this episode, entitled “Root Cause Mapping and the CWE Top 25,” CWE Program Lead Alec Summers talks with CWE Technical Lead Steve Christey and CWE Top 25 Lead Connor Mullaly about Root Cause Mapping (RCM) and the CWE Top 25. Topics include the value and history of the CWE Top 25 and an analysis of the most recent Top 25 list and which weaknesses moved up and down on the list; purpose and benefits of mapping the root causes of vulnerabilities identified in CVE Records to CWE weaknesses; methodology used for RCM of the 2024 CWE Top 25 to develop the list and how CVE Numbering Authorities (CNAs) were integral to the process; and, a discussion of follow-on Top 25 lists including the “2024 On the Cusp – Other Dangerous Software Weaknesses” and “2024 CWE Top 10 KEV Weaknesses” lists.

In addition, tips for helping improve your RCM are also discussed, such as how best to leverage the CWE website for your research, using CWE List keyword search, where to find the vulnerability mapping pointers on all CWE entry pages and what the different indicators mean, the benefits of being a member of the Root Cause Mapping Working Group (RCM WG), and much more.
The podcast is available for free on the CWE Program Channel on YouTube. Please give our latest episode a listen and let us know what you think by commenting on the CWE page on LinkedIn, CWE on X, CWE on Mastodon, or CWE on Bluesky. We look forward to hearing from you!

CWE Version 4.17 Now Available
April 3, 2025

CWE Version 4.17 has been posted on the CWE List page to add 3 new weaknesses and make usability improvements to 20 additional weakness entry pages, among other updates. A detailed report is available that lists specific changes between Version 4.16 and Version 4.17.

Main Changes

CWE 4.17 includes 3 new weaknesses for “Reliance on HTTP instead of HTTPS,” “Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface,” and “Driving Intermediate Cryptographic State/Results to Hardware Module Outputs;” major updates to the AI-related “Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism” weakness; addition of affected languages to many demonstrative examples; miscellaneous changes to various CWE entries under less-analyzed subtrees; and, many other changes related to “usability” (see the “Usability Improvements” section below for details).

Three new weaknesses added:
Major updates to an AI-related weakness:
Usability Improvements
Schema Changes

There were no schema updates.

Summary

There are 943 weaknesses and a total of 1,432 entries on the CWE List. Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.16_v4.17.html.

Future updates will be noted here, on the CWE Research email discussion list, and on the CWE page on LinkedIn, CWE on X, CWE on Mastodon, and CWE on Bluesky. Please contact us with any comments or concerns.

“2024 CWE Top 10 KEV Weaknesses” List Now Available
April 3, 2025

The “2024 CWE Top 10 KEV Weaknesses” list, which lists the top ten CWEs in the Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities (KEV) Catalog,” is now available on the CWE website.

The KEV is a database of security flaws in software applications and weaknesses that have been exposed and leveraged by attackers. Each vulnerability listed in KEV is identified by, and links to, a CVE Record. CISA recommends that organizations monitor the KEV catalog and use its content to help prioritize remediation activities in their systems to reduce the likelihood of compromise.

Our analysis/key insights about the 2024 Top 10 KEV Weaknesses list are available here, and our methodology for creating the list is here.

View the full CWE Top 10 KEV list here.

View and Comment on Community Submissions in the “CWE Content Development Repository (CDR)”
April 3, 2025

The CWE Program is excited to announce that the “CWE Content Development Repository (CDR),” hosted on GitHub, is now fully public. The CDR enables the broader community to view, track, and contribute to the enhancement of the CWE corpus. This means greater transparency into the CWE working queue, and further community collaboration in developing new CWE entries and modifying existing entries.

Content suggestions begin with the CWE Submission Form. Once processed, these submissions are transferred to the CDR public repository, allowing the entire CWE community to view and comment on them as they progress through various stages of development.

Interested?
Check out the CDR’s README and the Guidelines for Content Submissions for more details and to better understand the process. All CWE content submissions must adhere to the CWE Terms of Use.

CWE Is Focus of Four Talks at VulnCon 2025
April 3, 2025

CWE is the main focus of four talks at CVE/FIRST VulnCon 2025 being held at the McKimmon Center in Raleigh, North Carolina, USA, on April 7-10, 2025:
Feel free to contact us on CWE social media or at cwe@mitre.org with any feedback about these presentations.

Follow the CWE Program on Bluesky
April 3, 2025

The CWE Program is now on Bluesky! Please follow us for program news, new versions, updates on community activities, and more at @cweprogram.bsky.social.