Common Weakness Enumeration

2025 CWE MIHW Key Insights

The 2025 Most Important Hardware Weaknesses (MIHW) highlight CWEs that encompass both longstanding challenges in hardware security and emerging areas of concern. During the review process, the team identified several noteworthy elements that merit special attention. In this section, we analyze the lists, compare them to previous findings, and explore potential factors that may explain the observed trends, recognizing that these interpretations are informed by the limited evidence and community input but may not capture all the underlying dynamics.

Comparison to the 2021 MIHW

Despite the change in methodology and the inclusion of CVE data in deriving the new MIHW, five entries from 2021 remain on the 2025 MIHW: 

• CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
• CWE-1191: On-Chip Debug and Test Interface With Improper Access Control
• CWE-1256: Improper Restriction of Software Interfaces to Hardware Features
• CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges
• CWE-1300: Improper Protection of Physical Side Channels

These entries represent persistent challenges in hardware security that are both theoretically significant and commonly observed in practice. Their continued inclusion, even with the shift to a hybrid expert and data-driven selection process, underscores their ongoing importance.

While the other seven entries from 2021 fell off the 2025 MIHW, four of them appear within our Expert Insights:

• CWE-1231: Improper Prevention of Lock Bit Modification
• CWE-1233: Security-Sensitive Hardware Controls with Missing Lock Bit Protection
• CWE-1244: Internal Asset Exposed to Unsafe Debug Access Level or State
• CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition

This may indicate that these are emerging weaknesses that are well understood by experts but are not yet widely reported. Alternatively, these weaknesses may be routinely identified and addressed early in the development cycle, preventing them from appearing in fielded products when public reporting typically occurs.

Three 2021 entries did not make the 2025 MIHW and Expert Insights:

• CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation
• CWE-1274: Improper Access Control for Volatile Memory Containing Boot Code
• CWE-1277: Firmware Not Updateable

This may reflect evolving trends in CVE data, shifting expert perspectives, or the prioritization of more pressing hardware security concerns.

Six CWEs made the MIHW for the first time:
(* Denotes entries that were added to CWE after the 2021 MIHW Release.)

• CWE-226: Sensitive Information in Resource Not Removed Before Reuse
• CWE-1234: Hardware Internal or Debug Modes Allow Override of Locks
• CWE-1247: Improper Protection Against Voltage and Clock Glitches
• CWE-1262: Improper Access Control for Register Interface
• *CWE-1421: Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
• *CWE-1423: Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution

One CWE added to the corpus after the 2021 MIHW release is included in the 2025 Expert Insights:

• CWE-1431: Driving Intermediate Cryptographic State/Results to Hardware Module Outputs

New entries in the 2025 MIHW and Expert Insights may reflect increased focus on issues such as resource reuse, debug mode issues, fault injection, and register interfaces. The inclusion of transient execution weaknesses may suggest greater attention and concern over microarchitectural issues. While a cryptographic-related weakness fell off the MIHW, another appeared on Expert Insights, possibly indicating evolving priorities in cryptographic security.

Hardware View Categories

The table below presents a mapping between the 2025 Most Important Hardware Weaknesses (MIHW), Expert Insights, and the Hardware View categories. The chart shows which hardware security weaknesses (listed by CWE number and description on the right) are relevant to each HW-View category (listed along the top on the left). A check mark indicates that a particular weakness is part of the corresponding HW category, highlighting areas of overlap and coverage.