CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities


News & Events - 2025



“2025 CWE™ Most Important Hardware Weaknesses” Now Available

August 20, 2025

The “2025 CWE™ Most Important Hardware Weaknesses” is now available on the CWE website, delivering a major update to the original 2021 release. For the first time, the refreshed MIHW combines comprehensive weakness data with expert opinion from across the hardware security community, equipping organizations with actionable insights to tackle today’s most critical hardware risks.

Goals

The 2025 MIHW aims to drive awareness of critical hardware weaknesses and provide the cybersecurity community with practical guidance to prevent security issues at the source.

By combining advanced data analysis with expert consensus, the list helps organizations prioritize mitigations, strengthen design practices, and make informed decisions throughout the hardware lifecycle.

Suggested Use Cases

The 2025 MIHW serves as a practical resource for a wide range of stakeholders:

  • Security Architects and Designers can use the list to prioritize and address key weaknesses
  • Design Teams benefit by building review checklists around top weaknesses
  • Security Researchers can focus their investigation and mitigation efforts
  • Test Engineers are able to target critical weaknesses in their testing
  • EDA Tool Vendors can enhance tool support for industry-prioritized issues
  • Educators can align course material with major hardware weaknesses

A Community Effort

The 2025 MIHW is the result of broad collaboration within the hardware security community. We extend our deepest gratitude to the 2025 MIHW Working Group whose dedication and hard work made the weakness data collection possible. We also thank the many respondents to the MIHW polls for sharing their expert insights, and all Hardware CWE SIG members for their ongoing support and contributions.

Learn More

Visit the Most Important Hardware Weaknesses page to view the 2025 list, key insights, methodology, use cases, and more.

Mapping CVEs to CWEs Is Main Topic of “We Speak CVE” Podcast

August 13, 2025

Root Cause Mapping (RCM) is the main topic of a “We Speak CVE” podcast entitled “Mapping the Root Causes of CVEs.”

In the episode, host Shannon Sabens chats with CVE™/CWE™ Project Lead Alec Summers and CWE Top 25 task lead/CWE Root Causes Mapping Working Group lead Connor Mullaly about the importance of mapping CVE Records (vulnerabilities) to their technical root causes using CWE. Additional topics include the benefits of RCM for CVE Numbering Authorities (CNAs) and consumers of CVE data, Common Vulnerability Scoring System (CVSS) and other vulnerability metadata and their differences with CWE, the CWE Top 25 Most Dangerous Software Weaknesses list, and the tools and guidance available to improve the RCM process (e.g., examples of mappings and best practices on the CWE website, mapping usage labels on CWE entry pages on the website, the RCM WG, and an LLM tool), and more.

The podcast is available now on the CWE YouTube Channel.

Videos of Three CWE-Focused Sessions at VulnCon 2025 Now Available

June 18, 2025

Videos of three CWE-focused sessions — “Hard Problems in CWE, and What it Tells us about Hard Problems in the Industry” (presentation), “How Do We Leverage CVE Root Cause Mapping and CWE Data to Prevent New Vulnerabilities?” (presentation), and “Vulnerability Root Cause Mapping with CWE” (presentation) — from CVE/FIRST VulnCon 2025 are now available on the CWE YouTube Channel.








CWE Podcast: “Root Cause Mapping and the CWE Top 25”

April 15, 2025

“Out-Of-Bounds Read” is the CWE Program’s free podcast about common weaknesses in software and hardware, the vulnerabilities they cause, how to reduce them, and how using CWE can help make products more secure by design.

In this episode, entitled “Root Cause Mapping and the CWE Top 25,” CWE Program Lead Alec Summers talks with CWE Technical Lead Steve Christey and CWE Top 25 Lead Connor Mullaly about Root Cause Mapping (RCM) and the CWE Top 25.

Topics include the value and history of the CWE Top 25 and an analysis of the most recent Top 25 list and which weaknesses moved up and down on the list; purpose and benefits of mapping the root causes of vulnerabilities identified in CVE Records to CWE weaknesses; methodology used for RCM of the 2024 CWE Top 25 to develop the list and how CVE Numbering Authorities (CNAs) were integral to the process; and, a discussion of follow-on Top 25 lists including the “2024 On the Cusp – Other Dangerous Software Weaknesses” and “2024 CWE Top 10 KEV Weaknesses” lists. In addition, tips for helping improve your RCM are also discussed, such as how best to leverage the CWE website for your research, using CWE List keyword search, where to find the vulnerability mapping pointers on all CWE entry pages and what the different indicators mean, the benefits of being a member of the Root Cause Mapping Working Group (RCM WG), and much more.



The podcast is available for free on the CWE Program Channel on YouTube. Please give our latest episode a listen and let us know what you think by commenting on the CWE page on LinkedIn, CWE on X, CWE on Mastodon, or CWE on Bluesky. We look forward to hearing from you!

CWE Version 4.17 Now Available

April 3, 2025

CWE Version 4.17 has been posted on the CWE List page to add 3 new weaknesses and make usability improvements to 20 additional weakness entry pages, among other updates.

A detailed report is available that lists specific changes between Version 4.16 and Version 4.17.

Main Changes

CWE 4.17 includes 3 new weaknesses for “Reliance on HTTP instead of HTTPS,” “Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface,” and “Driving Intermediate Cryptographic State/Results to Hardware Module Outputs;” major updates to the AI-related “Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism” weakness; addition of affected languages to many demonstrative examples; miscellaneous changes to various CWE entries under less-analyzed subtrees; and, many other changes related to “usability” (see the “Usability Improvements” section below for details).

Three new weaknesses added:

Major updates to an AI-related weakness:

Usability Improvements

Schema Changes

There were no schema updates.

Summary

There are 943 weaknesses and a total of 1,432 entries on the CWE List.

Changes for the new version include the following:

New Views Added: 0
Views Deprecated: 0
New Categories Added: 0
Categories Deprecated: 0
New Entries Added: 3
Entries Deprecated: 0
Entries with Major Changes: 135
Entries with only Minor Changes: 1
Entries Unchanged: 1,293

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.16_v4.17.html.

Future updates will be noted here, on the CWE Research email discussion list, on the CWE page on LinkedIn, on CWE on X, on CWE on Mastodon, and on CWE on Bluesky. Please contact us with any comments or concerns.

“2024 CWE Top 10 KEV Weaknesses” List Now Available

April 3, 2025

The “2024 CWE Top 10 KEV Weaknesses” list, which lists the top ten CWEs in the Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities (KEV) Catalog,” is now available on the CWE website.

The KEV is a database of security flaws in software applications and weaknesses that have been exposed and leveraged by attackers. Each vulnerability listed in KEV is identified by, and links to, a CVE Record. CISA recommends that organizations monitor the KEV catalog and use its content to help prioritize remediation activities in their systems to reduce the likelihood of compromise.

Our analysis/key insights about the 2024 Top 10 KEV Weaknesses list are available here, and our methodology for creating the list is here.

Figure: 2024 CWE Top 10 KEV Weaknesses List Treemap Chart, from the KEV Insights page
View the full CWE Top 10 KEV list here.

View and Comment on Community Submissions in the “CWE Content Development Repository (CDR)”

April 3, 2025

The CWE Program is excited to announce that the “CWE Content Development Repository (CDR),” hosted on GitHub, is now fully public. The CDR enables the broader community to view, track, and contribute to the enhancement of the CWE corpus. This means greater transparency into the CWE working queue, and further community collaboration in developing new CWE entries and modifying existing entries.

Content suggestions begin with the CWE Submission Form. Once processed, these submissions are transferred to the CDR public repository, allowing the entire CWE community to view and comment on them as they progress through various stages of development.

Interested? Check out the CDR’s README and the Guidelines for Content Submissions for more details and to better understand the process. All CWE content submissions must adhere to the CWE Terms of Use.

CWE Is Focus of Four Talks at VulnCon 2025

April 3, 2025

CWE is the main focus of four talks at CVE/FIRST VulnCon 2025 being held at the McKimmon Center in Raleigh, North Carolina, USA, on April 7-10, 2025:

The CVE Program and FIRST will co-host VulnCon 2025 at the McKimmon Center in Raleigh, North Carolina, USA, on April 7-10, 2025

Feel free to contact us on CWE social media or at cwe@mitre.org with any feedback about these presentations.

Follow the CWE Program on Bluesky

April 3, 2025

The CWE Program is now on Bluesky! Please follow us for program news, new versions, updates on community activities, and more at @cweprogram.bsky.social.

Page Last Updated: August 19, 2025