2025 CWE Top 10 KEV Weaknesses List Insights


In 2021, the Cybersecurity and Infrastructure Security Agency (CISA) began publishing the “Known Exploited Vulnerabilities (KEV) Catalog.” Entries in this catalog are vulnerabilities that have been reported through the Common Vulnerabilities and Exposures (CVE™) Program and are observed to be (or have been) actively exploited. CISA recommends that organizations monitor the KEV catalog and use its content to help prioritize remediation activities in their systems to reduce the likelihood of compromise.

Publicly disclosed vulnerabilities as noted in the CWE Top 25 are important to understand, but coupling with knowledge of exploitation activity offers a valuable, additional perspective for operational vulnerability management.

What CWE Analysis Shows Us About Known Exploited Vulnerabilities

A “weakness” in the context of the CWE Program is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs. In general, CWEs describe the root causes of vulnerabilities.

The CWE Top 25 is an annual list of the most common and impactful software weaknesses. The methodology weighs weakness “prevalence” by the number of CVE Records in the dataset whose root causes correlate with a particular CWE, and “severity” by calculating the average CVSS score for those CVE Records.

Examining the CWE root cause mappings of vulnerabilities known to have been exploited in the wild provides new insight and perspective on what weaknesses adversaries are exploiting (as opposed to those most often reported by developers and researchers). In all, 182 CVE Records were included in this year’s list calculation, comprising all CVE Records added to the KEV catalog between June 2024 and June 2025 as of January 15, 2026 (the day all CVE Records were pulled and refreshed for the KEV investigation). Together with the 2025 CWE Top 25, the Top 10 KEV Weaknesses List (using the same scoring methodology used for the 2025 Top 25) provides further information that organizations can use in their efforts to mitigate risk.
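As an added illustration, not the CWE Program's own tooling, the following script ranks CWEs over a KEV date window by prevalence (distinct CVE Records mapped to the CWE) and severity (average CVSS), skipping records that carry no CWE mapping. The `cveID`/`dateAdded` fields follow the KEV JSON feed; the `cwes` and `cvss` values are constructed sample data standing in for a join against CVE Records, and the min-max normalized frequency × severity × 100 formula is assumed from earlier CWE Top 25 lists rather than taken from this page.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: KEV-style entries with CWE ids and CVSS base scores
# joined in from the CVE records (values are made up for illustration).
SAMPLE_KEV = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-07-02", "cwes": ["CWE-78"], "cvss": 9.8},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-09-14", "cwes": ["CWE-78"], "cvss": 8.8},
    {"cveID": "CVE-0000-0003", "dateAdded": "2024-11-05", "cwes": ["CWE-416", "CWE-787"], "cvss": 7.8},
    {"cveID": "CVE-0000-0004", "dateAdded": "2025-02-20", "cwes": ["CWE-787"], "cvss": 8.8},
    {"cveID": "CVE-0000-0005", "dateAdded": "2025-05-30", "cwes": ["CWE-79"], "cvss": 6.1},
    {"cveID": "CVE-0000-0006", "dateAdded": "2025-06-10", "cwes": [], "cvss": 9.8},          # no CWE mapping
    {"cveID": "CVE-0000-0007", "dateAdded": "2023-12-01", "cwes": ["CWE-79"], "cvss": 9.0},  # outside window
]

def aggregate(entries, start, end):
    """Per CWE: number of distinct CVEs mapped to it and their average CVSS.
    Returns (stats, skipped) where skipped counts in-window records with no CWE."""
    counts, totals, skipped = defaultdict(int), defaultdict(float), 0
    for e in entries:
        if not (start <= date.fromisoformat(e["dateAdded"]) <= end):
            continue
        if not e["cwes"]:
            skipped += 1      # cannot be scored; see the mapping caveats below
            continue
        for cwe in set(e["cwes"]):   # a CVE counts once per distinct CWE
            counts[cwe] += 1
            totals[cwe] += e["cvss"]
    return {c: (counts[c], totals[c] / counts[c]) for c in counts}, skipped

def normalize(value, lo, hi):
    # Assumed min-max scaling; a single-CWE dataset would otherwise divide by zero.
    return 1.0 if hi == lo else (value - lo) / (hi - lo)

def score(stats):
    """Assumed Top 25 style score: normalized frequency x normalized severity x 100."""
    counts = [n for n, _ in stats.values()]
    sevs = [s for _, s in stats.values()]
    return {cwe: round(normalize(n, min(counts), max(counts))
                       * normalize(avg, min(sevs), max(sevs)) * 100, 2)
            for cwe, (n, avg) in stats.items()}

def rank(entries, start_iso, end_iso):
    """Rank CWEs for the window [start_iso, end_iso]; ties broken by CWE id."""
    stats, skipped = aggregate(entries, date.fromisoformat(start_iso), date.fromisoformat(end_iso))
    scores = score(stats)
    return sorted(scores, key=lambda c: (-scores[c], c)), scores, skipped

if __name__ == "__main__":
    ordered, scores, skipped = rank(SAMPLE_KEV, "2024-06-01", "2025-06-30")
    for i, cwe in enumerate(ordered, 1):
        print(f"#{i} {cwe} score={scores[cwe]}")
    print(f"{skipped} record(s) skipped for missing CWE mapping")
```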

Analysis

In early 2023, View-1400: Comprehensive Categorization for Software Assurance Trends was published on the CWE website to group all entries into 22 mutually exclusive categories of interest for large-scale software assurance research.

This view is intended to support efforts to eliminate weaknesses using tactics such as secure language development as well as to help track weakness trends in publicly disclosed vulnerability data.

The pie chart on the right shows the percentage of weakness categories for all CWE mappings in the 2025 CWE Top 10 KEV Weaknesses list. Note that only 5 of the 22 original categories are included.

[Pie chart: Percent of 2025 CWE Top 10 KEV Weaknesses by CWE Category]

The treemap chart on the right combines the CWE Top 10 KEV Weaknesses’ categories with the individual CWE entries’ analysis scores. The top two categories, each having three weaknesses in the list, are Injection (#1, #7, and #10) and Memory Safety (#2, #3, and #9). The Access Control category was represented by two weaknesses in the list (#4 and #8) and the Resource Control and File Handling categories were each represented by one weakness in the list (#5 and #6 respectively).

[Treemap chart: 2025 CWE Top 10 KEV Weaknesses List Treemap Chart]

CWE Top 25 vs. CWE KEV Top 10 Comparison

There are several interesting differences between the sets of CWEs appearing in the CWE Top 10 KEV Weaknesses and the 2025 CWE Top 25. As shown below, most CWEs scored higher in the Top 10 KEV Weaknesses compared to the 2025 CWE Top 25.

| CWE-ID  | Name                                                                                             | 2025 Top 10 KEV Weaknesses Rank | 2025 CWE Top 25 Rank |
|---------|--------------------------------------------------------------------------------------------------|---------------------------------|----------------------|
| CWE-78  | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')       | 1st                             | 9th                  |
| CWE-416 | Use After Free                                                                                   | 2nd                             | 7th                  |
| CWE-787 | Out-of-bounds Write                                                                              | 3rd                             | 5th                  |
| CWE-306 | Missing Authentication for Critical Function                                                     | 4th                             | 21st                 |
| CWE-502 | Deserialization of Untrusted Data                                                                | 5th                             | 15th                 |
| CWE-22  | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')                   | 6th                             | 6th                  |
| CWE-94  | Improper Control of Generation of Code ('Code Injection')                                        | 7th                             | 10th                 |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel                                         | 8th                             | N/A                  |
| CWE-122 | Heap-based Buffer Overflow                                                                       | 9th                             | 16th                 |
| CWE-79  | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')             | 10th                            | 1st                  |

Other weaknesses ranked within the top 10 of the 2025 CWE Top 25 but do not appear in the Top 10 KEV Weaknesses:

| CWE-ID  | Name                                                                                         | 2025 CWE Top 25 Rank |
|---------|----------------------------------------------------------------------------------------------|----------------------|
| CWE-89  | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')         | 2nd                  |
| CWE-352 | Cross-Site Request Forgery (CSRF)                                                            | 3rd                  |
| CWE-862 | Missing Authorization                                                                        | 4th                  |
| CWE-125 | Out-of-bounds Read                                                                           | 8th                  |

Many factors can account for these differences given the Top 25 calculation methodology, including whether certain vulnerabilities:

  • are easily found by code scanning tools
  • are relatively easy to exploit
  • have the most desirable impact for adversaries that exploit them (e.g., code execution)
  • can be more easily detected for active exploitation

Additional Considerations

It is possible that exploit detection techniques might not be as mature for some CWEs versus others, which then might lead to under-reporting of weaknesses for which real-world exploitation is difficult to detect. For example, basic CSRF (CWE-352) exploits may involve sending a malicious link to a victim outside of the affected product’s network, then tricking the victim into submitting a well-formed, valid, authorized request to the targeted application. Because part of the attack occurs outside of the defender’s network, traffic monitoring may not detect the original exploit. Also, except in the simplest cases, exploits that cause resource consumption might not be easily detectable, especially if performed slowly. Exploits involving authorization or authentication may be difficult to detect without application- or domain-specific training of technologies such as Web Application Firewalls (WAFs).

A separate consideration involves the mapping accuracy and precision of KEV data. For example, it is possible that many KEVs do not map to sufficiently low-level CWEs. In some cases, the CNA or a third-party CWE-mapper might analyze a heap-based buffer overflow (CWE-122) but map it to the parent CWE-787 (out-of-bounds write) instead.

Finally, some KEVs have CVE descriptions with very limited details and therefore cannot be accurately mapped to CWE(s). It is possible that some CWEs are part of real-world KEVs but are not mapped as such.

Abstraction/Mapping Usage

Every CWE is annotated with a “mapping usage recommendation” that suggests whether the CWE should be used for vulnerability root cause mapping given its level of abstraction and actionability. These recommendations are Allowed, Allowed-with-Review, Discouraged, and Prohibited. In general, CWEs at the Base and Variant level should be used whenever possible to provide adequate specificity, actionability, and root cause information for a vulnerability.

The following are related statistics for the 2025 Top 10 KEV Weaknesses dataset.

Number of CWEs per level of abstraction:

  • 8 Bases with 84 maps (80.77% of the Top 10 KEVs)
  • 2 Variants with 20 maps (19.23%)

Number of CWEs per usage:

  • 9 Allowed with 97 maps (93.27% of the Top 10 KEVs)
  • 1 Allowed-with-Review with 7 maps (6.73%)

For more information on Root Cause Mapping and recommendations, see the CVE-to-CWE Root Cause Mapping Guidance.

Page Last Updated: January 29, 2026