CWE Top 10 KEV Weaknesses List Methodology
CVE Records that appear in the Known Exploited Vulnerabilities (KEV) Catalog were originally assigned CWE mappings by either CVE Numbering Authorities (CNAs) or U.S. National Vulnerability Database (NVD) analysts. The CWE Top 25 team performed their own independent analysis of these mappings, considering not only the references cited directly in each CVE Record, but also any publicly available exploits or articles that were found to assist further in determining the most accurate mapping.
The CWE team shared its mappings and justifications with each relevant CNA to provide an opportunity for review. If the CNA objected to any mappings, they were asked to provide alternatives and justification. More details related to this can be found below.
In all, 289 CVE Records were analyzed, comprising all CVE Records in the KEV catalog from 2021 and 2022 as of March 27, 2023 (the day all NVD data was pulled for the 2023 CWE Top 25). Using the 2023 CWE Top 25 methodology, CWEs were ranked by a calculated Analysis Score which takes into account both prevalence (the number of times the CWE was mapped to a KEV CVE) and severity (the average CVSS score of the KEV CVEs the CWE was mapped to).
As this data set is much smaller than the full 2023 CWE Top 25 (i.e., ~45,000 CVE Records), the Analysis Scores are different than the Scores in the CWE Top 25 and the ranks are very sensitive to small data changes. After rank 10, even a difference of one CVE Record in the data can cause a rank change. For example, the CWE ranked 11th in the dataset only had 6 occurrences and showed a large score drop off from the 10th ranked CWE. Because of this, the Top 25 team felt that a Top 10 list provided the most meaningful data to the community.
Lastly, unlike the 2023 CWE Top 25, the 2023 Top 10 KEV Weaknesses mappings were not normalized to View-1003, Weaknesses for Simplified Mapping of Published Vulnerabilities (i.e., the CWEs that NVD uses for its mappings). This was chosen as an effort to preserve the granularity of KEV CWE mappings given the small dataset, and to ensure the most accurate and specific mappings. Because of this, there may be weaknesses in the Top 10 KEV Weaknesses list that fall under the same CWE tree of related weaknesses. This is due to some CVE Records having more specific information that allowed a more precise mapping, while others only had more generic information.
Many KEV CVE Records had poor or conflicting information that made it difficult make an accurate CWE mapping:
The CWE team reached out to all 42 CNAs that had CVE Record(s) in the dataset to give them an opportunity to review each CWE mapping. 31 CNAs replied, 2 of which declined to participate. If a CNA objected to a CWE mapping for their CVE Record(s) and provided supporting evidence, the CWE team adjusted the mapping(s) accordingly. If no supporting evidence was provided upon request, the CWE team used the CNA proposed mappings and noted that the CNA declined to provide further information. For the 2 CNAs that declined to participate and the 11 others that did not respond, the mappings determined by the CWE team were provided.
CVE Records with poor or conflicting information were mapped to the original NVD mapping if no other information was available.
CVE Records deemed to have insufficient information by the CWE team remained without a mapping and were removed from the dataset.
In all, CNA feedback led to 26 (9.0%) updated CWE mappings:
We are extremely thankful for all of the CNA feedback received.