CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities


CWE Top 10 KEV Weaknesses List Methodology


To calculate the 2025 KEV Top 10 Weaknesses List, CVE Records that appear in the Known Exploited Vulnerabilities (KEV) Catalog were identified from the original 2025 Top 25 dataset, and an identical methodology was used to calculate a custom list for just these CVE Records. As part of the outreach to CVE Numbering Authorities (CNAs), CVE Records found in the KEV catalog were included in the original dataset, which was all CVE Records from June 2024 to June 2025. The CWE team did not perform independent mapping analysis for each KEV CVE and relied on feedback directly from the CNA or publicly available mappings.

Methodology

In all, 182 CVE Records were included in the list calculation, comprising all CVE Records in the KEV catalog that were published between June 2024 and June 2025 as of January 15th, 2026 (when all vulnerability data was pulled and refreshed for the KEV investigation). Using the 2025 CWE Top 25 methodology, CWEs were ranked by a calculated Analysis Score which includes both prevalence (the number of times the CWE was mapped to a KEV CVE) and severity (the average CVSS score of the KEV CVEs that mapped to the CWE).

As this data set is much smaller than that of the full 2025 CWE Top 25 (i.e., ~39,000 CVE Records), the Analysis Scores differ from the Scores in the CWE Top 25, and the ranks are highly sensitive to small data changes. After rank 10, even a difference of one CVE Record in the data can cause a rank change. For example, the CWE ranked 11th in the dataset was mapped by only 4 CVE Records, and ranking scores start to drop off rather drastically at this point due to low frequency. Because of this, the CWE Team decided that a Top 10 list provided the most meaningful data to the community.
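The following added example (not CWE's code) illustrates how one additional CVE Record can change a rank when counts are low. The page does not state the scoring formula, so the function assumes a min-max normalized mapping count multiplied by a min-max normalized average CVSS, times 100; the CWE labels and CVSS values are constructed.

```python
from collections import defaultdict

def analysis_scores(mappings):
    """mappings: (cwe_label, cvss) pairs, one per CVE-to-CWE mapping."""
    count, total = defaultdict(int), defaultdict(float)
    for cwe, cvss in mappings:
        count[cwe] += 1
        total[cwe] += cvss
    all_cvss = [cvss for _, cvss in mappings]
    f_min, f_max = min(count.values()), max(count.values())
    s_min, s_max = min(all_cvss), max(all_cvss)
    f_span = (f_max - f_min) or 1      # guard degenerate data (all counts equal)
    s_span = (s_max - s_min) or 1.0    # guard degenerate data (all CVSS equal)
    scores = {}
    for cwe in count:
        # ASSUMED formula: normalized prevalence x normalized severity x 100.
        prevalence = (count[cwe] - f_min) / f_span
        severity = (total[cwe] / count[cwe] - s_min) / s_span
        scores[cwe] = round(prevalence * severity * 100, 2)
    return scores

def ranking(mappings):
    """CWE labels ordered by descending score; the label breaks ties."""
    scores = analysis_scores(mappings)
    return sorted(scores, key=lambda cwe: (-scores[cwe], cwe))

# Constructed sample data: placeholder labels, not real CWE IDs or KEV mappings.
BASELINE = (
    [("CWE-A", 9.0)] * 20
    + [("CWE-B", 8.0)] * 5
    + [("CWE-C", 9.8)] * 4
    + [("CWE-D", 5.0)] * 1
)
# The same data after one more CVE Record maps to CWE-B.
ONE_MORE = BASELINE + [("CWE-B", 8.0)]

if __name__ == "__main__":
    for name, data in (("baseline", BASELINE), ("one more record", ONE_MORE)):
        print(name, ranking(data), analysis_scores(data))
```

In the baseline, CWE-C (4 mappings, higher severity) outranks CWE-B (5 mappings); a single extra mapping for CWE-B reverses the two.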

Following the same methodology as last year, the 2025 Top 10 KEV Weaknesses mappings were also not normalized to View-1003: Weaknesses for Simplified Mapping of Published Vulnerabilities (i.e., the CWEs that NVD has historically used for its mappings). This is notable because the 2025 CWE Top 25 list was also not normalized to View-1003, and the methodology used to calculate the rankings for the CWE Top 25 List, On-The-Cusp List, and CWE Top 10 KEV list is identical. This allows the lists to be compared at face value, keeping in mind that the dataset used for the KEV calculations is much smaller. This also allows each list to more accurately show the CWE mappings seen in CVE Records, preserving the granularity of more specific and precise mappings.

Page Last Updated: January 29, 2026