2023 CWE Top 10 KEV Weaknesses List Insights
In 2021, the Cybersecurity and Infrastructure Security Agency (CISA) began publishing the “Known Exploited Vulnerabilities (KEV) Catalog.” Entries in this catalog are vulnerabilities that have been assigned records through the Common Vulnerabilities and Exposures (CVE®) program and that have been observed being actively exploited, now or in the past. CISA recommends that organizations monitor the KEV catalog and use its contents to prioritize remediation in their own systems, reducing the likelihood of compromise.
A “weakness” is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs. In general, CWE(s) describe the root cause(s) of vulnerabilities.
The CWE Top 25 is an annual list of the weaknesses responsible for the most prevalent and severe CVE Records. Prevalence is measured by the number of CVE Records in the dataset whose root cause correlates with a particular CWE, and severity is measured by the average CVSS score of those CVE Records. Whether a vulnerability is being actively exploited, however, is not a required part of the vulnerability reporting process (i.e., CVE reporting procedures), so the Top 25 alone cannot distinguish weaknesses that adversaries actually use from weaknesses that are merely reported often.
By examining the CWE root cause mappings of vulnerabilities known to have been exploited in the wild, we gain new insight into which weaknesses adversaries exploit (as opposed to those most often reported by developers and researchers). 289 CVE Records were analyzed, comprising all the 2021 and 2022 CVE Records in the KEV catalog as of March 27, 2023 (the day all NVD data was pulled for the 2023 CWE Top 25). Together with the 2023 CWE Top 25, this first Top 10 KEV Weaknesses List, computed with the same scoring methodology used for the 2023 Top 25, gives organizations further information they can use in their efforts to mitigate risk.
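The following is an added example, not code from MITRE or CISA, showing how the KEV analysis described above can be reproduced: select the 2021 and 2022 CVE Records from the KEV feed, join them to their NVD CWE mappings and CVSS scores, and score each CWE with the CWE Top 25 formula (frequency and average CVSS each min/max normalized, multiplied, times 100). It assumes the JSON layout of CISA's known_exploited_vulnerabilities.json feed and of NVD CVE API 2.0 responses, reads "2021 and 2022 CVE Records" as records whose CVE ID year is 2021 or 2022, and drops NVD's placeholder categories (NVD-CWE-noinfo, NVD-CWE-Other) as the Top 25 methodology does. Every record in it is constructed; the IDs are not real CVEs.

```python
"""Score CWEs over the KEV catalog the way the CWE Top 25 does.

Added example, not MITRE's or CISA's code. Assumes the JSON shapes of CISA's
KEV feed and the NVD CVE API 2.0, and the published CWE Top 25 formula
(score = Fr * Sv * 100 with min/max-normalised frequency and average CVSS).
All records below are constructed; the CVE IDs are not real.
"""
import json
from collections import defaultdict

# Constructed excerpt shaped like CISA's known_exploited_vulnerabilities.json.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-00001", "vendorProject": "ExampleCo", "product": "Gateway", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2022-00002", "vendorProject": "ExampleCo", "product": "Gateway", "dateAdded": "2022-03-15"},
    {"cveID": "CVE-2022-00003", "vendorProject": "ExampleCo", "product": "Router", "dateAdded": "2022-06-01"},
    {"cveID": "CVE-2020-00004", "vendorProject": "ExampleCo", "product": "Portal", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2022-00005", "vendorProject": "ExampleCo", "product": "AppServer", "dateAdded": "2022-09-09"},
    {"cveID": "CVE-2021-00006", "vendorProject": "ExampleCo", "product": "FileSync", "dateAdded": "2022-01-10"},
    {"cveID": "CVE-2022-00007", "vendorProject": "ExampleCo", "product": "Gateway", "dateAdded": "2022-11-21"},
    {"cveID": "CVE-2022-00008", "vendorProject": "ExampleCo", "product": "Agent", "dateAdded": "2022-12-02"},
    {"cveID": "CVE-2022-00009", "vendorProject": "ExampleCo", "product": "Router", "dateAdded": "2022-12-19"},
    {"cveID": "CVE-2021-00010", "vendorProject": "ExampleCo", "product": "AppServer", "dateAdded": "2021-12-10"},
    {"cveID": "CVE-2022-00011", "vendorProject": "ExampleCo", "product": "Kiosk", "dateAdded": "2022-12-30"},
]})


def _nvd(cve_id, cwe, base_score):
    """Build one NVD API 2.0 style vulnerability item (constructed data)."""
    return {"cve": {"id": cve_id,
                    "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                                    "description": [{"lang": "en", "value": cwe}]}],
                    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": base_score}}]}}}


# Constructed excerpt shaped like an NVD CVE API 2.0 response. CVE-2022-00011
# is deliberately absent to show a KEV entry that NVD has not scored.
NVD_JSON = json.dumps({"vulnerabilities": [
    _nvd("CVE-2021-00001", "CWE-787", 9.8), _nvd("CVE-2022-00002", "CWE-787", 7.8),
    _nvd("CVE-2022-00003", "CWE-78", 9.8), _nvd("CVE-2020-00004", "CWE-79", 6.1),
    _nvd("CVE-2022-00005", "CWE-502", 9.8), _nvd("CVE-2021-00006", "CWE-22", 7.5),
    _nvd("CVE-2022-00007", "CWE-787", 8.8), _nvd("CVE-2022-00008", "NVD-CWE-noinfo", 9.8),
    _nvd("CVE-2022-00009", "CWE-78", 8.8), _nvd("CVE-2021-00010", "CWE-502", 9.8),
]})


def kev_cve_ids(kev_json, years=("2021", "2022")):
    """CVE IDs in a KEV feed whose CVE-ID year is in `years` (the 2023 analysis used 2021-2022)."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]
            if v["cveID"].split("-")[1] in years}


def nvd_records(nvd_json):
    """Map CVE ID -> (set of CWE IDs, CVSS v3.1 base score or None).

    Only real 'CWE-nnn' values are kept, so NVD-CWE-noinfo / NVD-CWE-Other fall out.
    """
    out = {}
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        cwes = {d["value"] for w in cve.get("weaknesses", []) for d in w["description"]
                if d["value"].startswith("CWE-")}
        v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
        out[cve["id"]] = (cwes, v31[0]["cvssData"]["baseScore"] if v31 else None)
    return out


def _norm(value, lo, hi):
    # Min/max normalisation. If every CWE ties (hi == lo) the factor carries no
    # information; treating it as 1.0 is a choice made here, not part of the published method.
    return 1.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(cve_ids, records):
    """Return (ranked list of (cwe, count, avg_cvss, score), set of unscorable CVE IDs).

    Fr(X) = (count(X) - min count) / (max count - min count)
    Sv(X) = (avg CVSS(X) - min avg) / (max avg - min avg)
    score(X) = Fr(X) * Sv(X) * 100
    """
    count, total, unscored = defaultdict(int), defaultdict(float), set()
    for cve in cve_ids:
        cwes, cvss = records.get(cve, (set(), None))
        if not cwes or cvss is None:
            unscored.add(cve)  # missing from NVD, no real CWE, or no CVSS v3.1: cannot contribute
            continue
        for cwe in cwes:
            count[cwe] += 1
            total[cwe] += cvss
    if not count:
        return [], unscored
    avg = {c: total[c] / count[c] for c in count}
    fmin, fmax = min(count.values()), max(count.values())
    smin, smax = min(avg.values()), max(avg.values())
    ranked = [(c, count[c], avg[c], _norm(count[c], fmin, fmax) * _norm(avg[c], smin, smax) * 100)
              for c in count]
    ranked.sort(key=lambda r: (-r[3], r[0]))  # highest score first, CWE ID breaks ties
    return ranked, unscored


if __name__ == "__main__":
    ranked, unscored = score_cwes(kev_cve_ids(KEV_JSON), nvd_records(NVD_JSON))
    for cwe, n, sev, sc in ranked:
        print(f"{cwe:<8} count={n} avg_cvss={sev:.2f} score={sc:.2f}")
    print("unscored:", sorted(unscored))
```

On the constructed data CWE-787 ranks first (most frequent, middling severity), CWE-502 second (half the frequency but the highest average CVSS) and CWE-78 third, which is the trade-off the formula encodes. The `unscored` set is the caveat to watch in a real run: KEV entries that NVD has not yet mapped to a CWE or scored drop out of the analysis entirely, and the least frequent CWE in the dataset always normalizes to a score of 0.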
There are several interesting differences between the sets of CWEs appearing in the CWE Top 10 KEV Weaknesses and the 2023 CWE Top 25. As shown below, some weakness types scored lower in the 2023 CWE Top 25 but higher in the Top 10 KEV Weaknesses. A dash indicates the weakness was not present in the 2023 CWE Top 25.
Other weaknesses that appeared in the 2023 CWE Top 25 do not appear in Top 10 KEV Weaknesses at all:
Many factors can account for these differences. These include, but are not limited to, the types of vulnerabilities that are:
Understanding which weaknesses are most often reported, as the CWE Top 25 records, is important; coupling that with knowledge of which weaknesses are actually exploited adds a further level of information, one that grounds decisions made in development environments in operational reality.