2025 CWE Top 25 Methodology

The “2025 CWE Top 25 Most Dangerous Software Weaknesses” list was calculated by analyzing public vulnerability information in Common Vulnerabilities and Exposures (CVE™) Records for CWE root cause mappings. This year’s dataset included 39,080 CVE Records for vulnerabilities published between June 1, 2024 and June 1, 2025. Data was initially pulled on July 23, 2025, to share with CVE Numbering Authority (CNA) community partners for review. Data was pulled again on November 17, 2025, to ensure the most current information was used to calculate the Top 25.

Dataset Collection/Scoping

The initial Top 25 dataset comprised all CVE-2024-XXXX and CVE-2025-XXXX Records published between June 1, 2024, and June 1, 2025. To collect the complete set of publicly available CWE mappings, the Top 25 team gathered those in the CVE List published by CNAs or added by CISA Vulnrichment after publication, both of which are available on CVE.org. The team also cross-referenced any downstream, third-party mappings made by NVD analysts and published on nvd.nist.gov. The CVE Records were then analyzed using automated scanning to identify those that would benefit from re-mapping analysis. These included CVE Records with CWE mappings that:
Ultimately, the dataset identified for re-mapping analysis, the Scoped Dataset, contained 9,468 CVE Records (24% of all CVE Records in the dataset) originally published by 281 different CNAs.

LLM Mapping Suggestions

The 2025 CWE Top 25 was the first to also employ CWE mapping suggestions from an LLM tool developed by Chris Madden (Yahoo!) as part of the CWE Root Cause Mapping Working Group (RCM WG). This year, each CVE Record in the Scoped Dataset was passed through the bulk-assignment LLM tool, which produced a report with additional suggested CWE mappings. This helped remap CVE Records with imprecise CWE mappings by providing lower-level suggestions for the publishing CNA to consider. The tool used a grounded LLM that was given the entire CWE corpus as its dataset and trained on sets of accurate CVE-to-CWE mappings. Although the LLM-suggested mappings were not always selected, we believe they acted as a good starting point for reviewers performing re-analysis of the CVE Records in certain cases. In some cases, the tool appeared to infer potential mappings from references containing low-level details that would likely be missed by human analysts due to limitations of time or expertise. The CWE RCM WG will continue to strengthen this capability and work toward the “new and the next” in enabling decentralized, accurate root cause mapping analysis at scale.

CNA Expert Collaboration

CNAs are best positioned to provide accurate CWE mapping determinations compared to third-party analysts, as CNAs are the authority for vulnerability information within their CNA scope and are those closest to the products themselves. To engage this expert community in creating the 2025 Top 25, the Scoped Dataset was divided into batches of CVE Records based on the CNA that published them, typically with one batch for CVE Records mapped to abstract CWEs and a separate batch for CVE Records flagged by the team’s internal keyword matcher for mapping differences.
On August 19, 2025, the Top 25 team emailed each CNA to review its batches. On November 17, 2025, the team finalized the CWE mapping changes provided by CNAs. Of the 9,468 CVE Records sent for review to the 281 different CNAs, the Top 25 team received feedback on 2,459 CVE Records (26% of those requested) from 170 CNAs (60% of those contacted), either correcting or confirming existing CWE mappings. The CWE Team plans to use the CNA mapping feedback to strengthen the CWE root cause mapping guidance and documentation.

Dataset Refinement

For the remaining CVE Records in the Scoped Dataset that did not receive CNA review, the Top 25 team analyzed a prioritized subset that included the highest-producing CNA, which accounted for 1,884 CVE Records in the dataset. The team discovered that this CNA frequently mapped to a correct lower-level CWE (e.g., a Base or Variant) but also included the higher-level parent CWE. Because the Top 25 ranking calculations consider every CWE mapping, the inclusion of these parent CWE mappings influenced the dataset considerably. To resolve this, the CWE team removed all of this CNA’s CWE mappings where one of the CWE’s “child” CWEs was also mapped on the same CVE Record. This significantly reduced the number of more abstract, less actionable CWE mappings in the Top 25.

The Top 25 team also reviewed CVE Records published by the MITRE CNA of Last Resort (MITRE CNA-LR), of which there were 1,266 in the dataset. It is important to note that traditional CNAs and CNAs of Last Resort operate very differently. Within the CVE Program, the MITRE CNA-LR (one of three CNA-LRs) is authorized to assign CVE IDs and publish corresponding CVE Records within the MITRE Top-Level Root’s scope for vulnerabilities not covered by the scope of another CNA. It exists to serve when no appropriate CNA is available or willing, often in cases with limited information. Like many CNAs, the MITRE CNA-LR is investing in the CVE “Quality Era” and exploring ways to improve data enrichment even in scenarios of limited information, always with the goal of supporting defenders who rely on CVE information every day. The Top 25 team reviewed 738 of the 1,266 MITRE CNA-LR published CVE Records in the Scoped Dataset, prioritizing those with adequate mapping information provided by the first-party researcher that engaged the CNA-LR, and deferring those that would require deeper, more time-intensive analysis.

Removal of CWE Mapping Normalization

In prior years, before calculating the Top 25, all CWE mappings were normalized to View-1003: Weaknesses for Simplified Mapping of Published Vulnerabilities. This was because the NVD, as part of its CVE Record enrichment process, typically maps CVE Records to CWEs within View-1003, a simplified collection of 130 weaknesses. Records that did not map to a CWE within that View would be marked as “NVD-CWE-Other”, or “NVD-CWE-noinfo” in cases where there was not enough information to make a determination. This meant that in prior years, any CWE mapping not present in View-1003 was forced to the next closest ancestor in that collection, and if no valid ancestor existed, that mapping was excluded entirely.
For the first time in 2025, the Top 25 used the actual CWE mappings as provided, without normalizing them back to View-1003. As a result, the 2025 CWE Top 25 reflects a more accurate picture of real-world CWE mappings and offers greater insight into the CWE root cause mapping practices of the broader vulnerability management community.

Scoring

After the collection, scoping, and remapping process, a scoring formula was used to calculate a rank order of weaknesses that combines the frequency (the number of times a CWE is the root cause of a vulnerability) with the average severity of each of those vulnerabilities when they are exploited (as measured by the Common Vulnerability Scoring System (CVSS) v3.0 or v3.1 base score). Both the frequency and the severity are normalized relative to the minimum and maximum values observed in the dataset. These metrics are presented as “count” and “average_CVSS”, respectively, in the following formulas. Because CVSS base scores are calculated differently across versions, only CVE Records that contain CVSS version 3.0 or 3.1 data were considered in the calculations.

Frequency

The scoring formula calculates the number of times a CWE was mapped to a CVE Record within the NVD:

Freq = {count(CWE_X' ∈ NVD) for each CWE_X' in NVD}

Fr(CWE_X) = (count(CWE_X ∈ NVD) - min(Freq)) / (max(Freq) - min(Freq))

Severity

The scoring formula calculates the average CVSS score of all CVE Records that map to the CWE:

Sv(CWE_X) = (average_CVSS(CWE_X) - min(CVSS)) / (max(CVSS) - min(CVSS))

Danger Score

The level of danger presented by a particular CWE was then determined by multiplying the frequency score by the severity score:

Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100

With this scoring approach:
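The parent-mapping pruning described under Dataset Refinement and the Frequency, Severity and Danger Score formulas above, worked through on a small constructed dataset. This is an added example written for this page, not the Top 25 team’s tooling: the hard-coded CWE parent table, the sample records with placeholder ids, the CNA name “vendorX”, and the reading of min(CVSS)/max(CVSS) as the minimum and maximum of the individual base scores in the dataset are all assumptions of the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed parent table for this example only. These ChildOf relations do
# exist in CWE, but the real hierarchy is far larger and should be read from
# the CWE XML/JSON release rather than hard-coded.
PARENT_OF = {
    "CWE-79": "CWE-74",
    "CWE-89": "CWE-943",
    "CWE-943": "CWE-74",
    "CWE-787": "CWE-119",
    "CWE-125": "CWE-119",
}

# Constructed sample records (placeholder ids, not real CVE data). "vendorX"
# stands in for the high-producing CNA that mapped a child CWE and its parent.
SAMPLE = [
    {"id": "sample-01", "cna": "vendorX", "cwes": ["CWE-787", "CWE-119"], "cvss_version": "3.1", "cvss": 9.8},
    {"id": "sample-02", "cna": "vendorX", "cwes": ["CWE-79", "CWE-74"], "cvss_version": "3.1", "cvss": 6.1},
    {"id": "sample-03", "cna": "vendorX", "cwes": ["CWE-89", "CWE-943", "CWE-74"], "cvss_version": "3.1", "cvss": 9.8},
    {"id": "sample-04", "cna": "other", "cwes": ["CWE-79"], "cvss_version": "3.1", "cvss": 5.4},
    {"id": "sample-05", "cna": "other", "cwes": ["CWE-79"], "cvss_version": "3.0", "cvss": 6.1},
    {"id": "sample-06", "cna": "other", "cwes": ["CWE-79", "CWE-89"], "cvss_version": "3.1", "cvss": 8.8},
    {"id": "sample-07", "cna": "other", "cwes": ["CWE-89"], "cvss_version": "3.1", "cvss": 7.5},
    {"id": "sample-08", "cna": "other", "cwes": ["CWE-787"], "cvss_version": "3.1", "cvss": 7.8},
    {"id": "sample-09", "cna": "other", "cwes": ["CWE-125"], "cvss_version": "3.1", "cvss": 7.5},
    {"id": "sample-10", "cna": "other", "cwes": ["CWE-125"], "cvss_version": "2.0", "cvss": 5.0},   # v2 only: excluded
    {"id": "sample-11", "cna": "vendorX", "cwes": ["CWE-119"], "cvss_version": "3.1", "cvss": 7.5},  # parent alone: kept
    {"id": "sample-12", "cna": "other", "cwes": ["CWE-79"], "cvss_version": None, "cvss": None},     # no CVSS: excluded
]


def ancestors(cwe):
    """All transitive ancestors of cwe under PARENT_OF (cycle-guarded)."""
    seen = set()
    while cwe in PARENT_OF:
        cwe = PARENT_OF[cwe]
        if cwe in seen:
            break
        seen.add(cwe)
    return seen


def prune_parent_mappings(records, cna):
    """For records published by `cna`, drop every CWE that is an ancestor of
    another CWE mapped on the same record. Records from other CNAs and a
    parent mapped on its own are left untouched."""
    out = []
    for r in records:
        cwes = list(r["cwes"])
        if r["cna"] == cna:
            shadowed = set().union(*(ancestors(c) for c in cwes))
            cwes = [c for c in cwes if c not in shadowed]
        out.append({**r, "cwes": cwes})
    return out


def danger_scores(records):
    """Fr, Sv and Score per CWE over records carrying a CVSS v3.0/v3.1 score.
    Returns {cwe: (count, average_CVSS, score)}."""
    usable = [r for r in records if r.get("cvss_version") in ("3.0", "3.1")]
    per_cwe = defaultdict(list)
    for r in usable:
        for c in set(r["cwes"]):            # one count per CWE per record
            per_cwe[c].append(r["cvss"])
    if not per_cwe:
        return {}
    counts = {c: len(v) for c, v in per_cwe.items()}
    averages = {c: mean(v) for c, v in per_cwe.items()}
    all_scores = [r["cvss"] for r in usable]
    fmin, fmax = min(counts.values()), max(counts.values())
    smin, smax = min(all_scores), max(all_scores)   # assumption: over individual base scores

    def norm(x, lo, hi):
        # A degenerate range (every value equal) would divide by zero; treat it as 0.
        return 0.0 if hi == lo else (x - lo) / (hi - lo)

    return {c: (counts[c], averages[c], norm(counts[c], fmin, fmax) * norm(averages[c], smin, smax) * 100)
            for c in per_cwe}


def ranked(scores):
    """CWEs by danger score, descending; ties broken by id so the order is stable."""
    return sorted(scores, key=lambda c: (-scores[c][2], c))


if __name__ == "__main__":
    scores = danger_scores(prune_parent_mappings(SAMPLE, "vendorX"))
    for c in ranked(scores):
        n, avg, s = scores[c]
        print(f"{c:8} count={n} average_CVSS={avg:.2f} score={s:.2f}")
```

Two properties of the formula show up even on this toy data: CWE-89 outranks CWE-79 despite fewer mappings because its average CVSS is higher, and any CWE whose count equals the minimum observed count gets Fr = 0 and therefore a score of 0 regardless of severity. Pruning also removes CWE-74, CWE-943 and the shadowed CWE-119 mappings before counting, which is exactly why the abstract parents stop inflating the ranking.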
Acknowledgments

The 2025 CWE Top 25 Team includes (in alphabetical order by first name): Alec Summers, Connor Mullaly, and Steve Christey Coley. Thank you to Chris Madden of Yahoo! for developing the LLM capability that provided additional CWE mapping suggestions to each CNA. Very special thanks to the 170 CNAs that contributed their time and expertise to this year’s analysis.