Common Weakness Enumeration

2025 “On the Cusp” Weaknesses Insights

The 2025 CWE Top 25 Most Dangerous Software Weaknesses list is a practical and convenient resource to help mitigate software security risk. But the complete dataset included 571 total weaknesses that were recorded, analyzed, and ranked. Beyond the Top 25, those performing mitigation and risk decision-making should consider these additional “On-the-Cusp” weaknesses in their efforts as they too can become severe, exploitable vulnerabilities under the right conditions.

Analysis

The On-the-Cusp list comprises CWEs ranked in positions 26-40, per the 2025 CWE Top 25 Methodology. These CWEs continue to be prevalent and the root cause of vulnerabilities severe enough to raise concern.

One CWE increased in rank to enter this year’s On the Cusp list:

• CWE-401: Missing Release of Memory after Effective Lifetime (up from #48 to #37)

Six CWEs that were on the 2024 CWE Top 25 list dropped to the 2025 On-the-Cusp list:

• CWE-287: Improper Authentication (down from #14 to #31)
• CWE-269: Improper Privilege Management (down from #15 to #29)
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer (down from #20 to #39)
• CWE-798: Use of Hard-coded Credentials (down from #22 to #35)
• CWE-190: Integer Overflow or Wraparound (down from #23 to #30)
• CWE-400: Uncontrolled Resource Consumption (down from #24 to #32)

Eight CWEs on the 2024 On-the-Cusp list dropped out in 2025:

• CWE-59: Improper Link Resolution Before File Access ('Link Following') (down from #38 to #42)
• CWE-532: Insertion of Sensitive Information into Log File (down from #31 to #43)
• CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') (down from #39 to #46)
• CWE-522: Insufficiently Protected Credentials (down from #35 to #52)
• CWE-312: Cleartext Storage of Sensitive Information (down from #40 to #62)
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (down from #28 to #69)
• CWE-203: Observable Discrepancy (down from #37 to #72)
• CWE-668: Exposure of Resource to Wrong Sphere (down from #27 to #141)

Possible Factors in Ranking Shifts

As described in the 2025 Top 25 Methodology, this year’s scoring was changed to remove the normalization of CWE mappings to CWE View-1003. This resulted in fewer high-level, abstract CWEs in the Top 25 and the On-The-Cusp list.

The following CWEs likely dropped out of the Top 25 this year and into the On-The-Cusp List due to the more specific children CWEs being represented in the rankings and taking away mapping counts from these higher-level parents:

• CWE-287: Improper Authentication
• CWE-269: Improper Privilege Management
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

The following CWEs are not represented in CWE View-1003 and were newly included into the list calculations this year due to the methodology change:

• CWE-266: Incorrect Privilege Assignment (ranked #26)
• CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (ranked #28)
• CWE-288: Authentication Bypass Using an Alternate Path or Channel (ranked #33)

Mapping Usage/Abstraction

Every CWE is annotated with a “mapping usage recommendation” that suggests whether the CWE should be used for vulnerability root cause mapping given its level of abstraction and actionability. These mapping recommendations include Allowed, Allowed-with-Review, Discouraged, and Prohibited. In general, CWEs at the Base and Variant level of abstraction should be used whenever possible to ensure providing adequate specificity, actionability, and root cause information for a vulnerability.

There were 3,199 individual vulnerability mappings to the 2025 ‘On-the-Cusp’ CWEs in this year’s list.

Number of CWEs per usage:

• 9 Allowed -> 1,974 maps (61.71% of all Cusp mappings)
• 2 Allowed-with-Review -> 381 maps (11.91%)
• 4 Discouraged -> 844 maps (26.38%)

In contrast, last year’s 2024 On-the-Cusp list had the following mapping usage recommendations from 2,042 individual mappings:

• 10 Allowed -> 1325 maps (64.89% of all Cusp mappings)
• 3 Allowed-with-Review -> 394 maps (19.29%)
• 2 Discouraged -> 323 maps (15.82%)

This year’s increase in Discouraged CWE mappings is related to the methodology change, as a variety of mappings were not normalized to one higher-level CWE. CWE-287, CWE-269, and CWE-119 dropped down into this year’s Cusp list; are all Discouraged with many children.

Number of CWEs per level of abstraction:

• 7 Bases with 1,529 maps (47.80% of all ‘Cusp’ mappings)
• 6 Classes with 1,225 maps (38.29%)
• 2 Variants with 445 maps (13.91%)

For more information on Root Cause Mapping and recommendations, see the CVE-to-CWE Root Cause Mapping Guidance.