CWE Top 10 KEV Weaknesses List Methodology

To calculate the 2024 KEV Top 10 Weaknesses List, CVE Records that appear in the Known Exploited Vulnerabilities (KEV) Catalog were identified from the original 2024 Top 25 dataset, and an identical methodology was used to calculate a custom list for just these CVE Records. As part of the outreach to CVE Numbering Authorities (CNAs), CVE Records found in the KEV catalog were included in the original dataset, which was all CVE Records from June 2023 to June 2024. Unlike the 2023 Top 10 KEV Weaknesses List, the CWE Team did not perform independent mapping analysis for each CVE Record in the KEV, but relied on feedback directly from the CNA or on publicly available NVD or CVE mappings.

Methodology

In all, 144 CVE Records were considered for the list calculation, comprising all CVE Records in the KEV catalog between June 2023 and June 2024 as of January 30, 2025 (the day all NVD data was pulled and refreshed for the KEV investigation). Using the 2024 CWE Top 25 methodology, CWEs were ranked by a calculated Analysis Score that takes into account both prevalence (the number of times the CWE was mapped to a KEV CVE) and severity (the average CVSS score of the KEV CVEs that mapped to the CWE). Because this dataset is much smaller than the full 2024 CWE Top 25 dataset (i.e., ~31,000 CVE Records), the Analysis Scores differ from the Scores in the CWE Top 25, and the ranks are very sensitive to small data changes. After rank 10, even a difference of one CVE Record in the data can cause a rank change. For example, the CWE ranked 11th in the dataset had only 4 occurrences, and ranking scores start to drop off rather drastically at this point due to low frequency. Because of this, the CWE Team decided that a Top 10 list provided the most meaningful data to the community.
Lastly, unlike the 2024 CWE Top 25, the 2024 Top 10 KEV Weaknesses mappings were not normalized to View-1003, Weaknesses for Simplified Mapping of Published Vulnerabilities (i.e., the CWEs that NVD uses for its mappings). This choice was made to preserve the granularity of the KEV CWE mappings given the small dataset, and to ensure the most accurate and specific mappings. Because of this, there may be weaknesses in the Top 10 KEV Weaknesses list that fall under the same CWE tree of related weaknesses. This is due to some CVE Records having more specific information that allowed a more precise mapping, while others only had more generic information.
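To make the rank-sensitivity point above concrete, here is an added illustration (not the CWE Team's code or data): a constructed set of KEV-style records is scored on prevalence and severity, and removing a single record reorders the mid-table. The score formula is an assumption (min-max normalised frequency times min-max normalised average CVSS, times 100, as the editor understands the published CWE Top 25 method); the page does not spell it out, and the CVE ids and CVSS values are fictitious.

```python
# Added illustration, not the CWE Team's own code: ranks a constructed set of
# KEV-style CVE records by a score that combines prevalence (how many records
# map to a CWE) and severity (average CVSS of those records), then shows how one
# record can reorder the mid-table, as the methodology warns.
# ASSUMPTION: the formula is the published CWE Top 25 one as understood here
# (min-max normalised frequency x min-max normalised average CVSS x 100); the
# page does not spell it out, so treat the numbers as illustrative only.
from collections import defaultdict


def analysis_scores(records):
    """records: list of (cve_id, cwe_id, cvss). Returns {cwe_id: score}."""
    counts, cvss_sum = defaultdict(int), defaultdict(float)
    for _, cwe, cvss in records:
        counts[cwe] += 1
        cvss_sum[cwe] += cvss
    avg = {c: cvss_sum[c] / counts[c] for c in counts}
    # Min-max scaling of raw counts equals scaling of frequencies (count / N),
    # because N cancels out of the ratio.
    cmin, cmax = min(counts.values()), max(counts.values())
    smin, smax = min(avg.values()), max(avg.values())

    def norm(value, lo, hi):
        # A CWE sitting at the minimum on either axis scores 0 overall.
        return 0.0 if hi == lo else (value - lo) / (hi - lo)

    return {c: round(norm(counts[c], cmin, cmax) * norm(avg[c], smin, smax) * 100, 2)
            for c in counts}


def ranking(records):
    """CWE ids ordered by descending score (ties broken by id for determinism)."""
    scores = analysis_scores(records)
    return sorted(scores, key=lambda c: (-scores[c], c))


def drop_one(records, cwe):
    """Return a copy of records with the first record mapped to `cwe` removed."""
    idx = next(i for i, r in enumerate(records) if r[1] == cwe)
    return records[:idx] + records[idx + 1:]


# Constructed sample (fictitious ids and scores), deliberately small like the KEV subset.
def _rows(tag, cwe, cvss, n):
    return [(f"sample-{tag}{i:02d}", cwe, cvss) for i in range(n)]

SAMPLE = (_rows("A", "CWE-787", 9.8, 8) + _rows("B", "CWE-78", 9.0, 5)
          + _rows("C", "CWE-416", 8.5, 4) + _rows("D", "CWE-502", 9.8, 3)
          + _rows("E", "CWE-22", 7.5, 3) + _rows("F", "CWE-79", 6.1, 2))

if __name__ == "__main__":
    print("full set          :", ranking(SAMPLE))   # CWE-416 ranks 3rd
    print("minus one CWE-416 :", ranking(drop_one(SAMPLE, "CWE-416")))  # now 4th
```

Dropping one of the four CWE-416 records pushes it below CWE-502, which has only three records but a higher average CVSS, mirroring the instability the methodology describes beyond the top ranks.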