• “Deep Dive Workshop into CVE-to-CWE Root Cause Mapping” by Connor Mullaly, Steve Christey Coley (The MITRE Corporation) (Monday, April 13, 13:30–17:30)
• “Boosting Vulnerability Intelligence: How Accurate CWE Mappings Transform ML Model Performance” by David Starobinski, Sevval Simsek, Varsha Athreya (Boston University) (Tuesday, April 14, 14:35–15:05)
• “From Roadmap to Results: Measuring CWE Adoption to Enable Prevention” by Alec Summers, Steve Christey Coley (The MITRE Corporation) (Wednesday, April 15, 16:30–17:30)

We look forward to seeing you there!

The Top 25 highlights the most severe and prevalent weaknesses behind the 39,080 CVE™ Records in this year’s dataset. Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place. These weaknesses lead to serious vulnerabilities in software, and an attacker can often exploit them to take control of an affected system, steal data, or prevent applications from working.

What’s Changed

There are several notable shifts in ranked positions of weakness types from last year’s list, including weaknesses dropping away or making their first appearance in a CWE Top 25.

The 2025 Top 25’s #1 ranked weakness is CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross Site Scripting’), retaining the top position from last year while being the only CWE to not change in ranking. Notable shifts in rankings included CWE-862: Missing Authorization moving up 5 ranks to #4, CWE-20: Improper Input Validation moving down 6 ranks to #18, and CWE-77: Command Injection moving down 10 ranks to #23. Six new CWEs also appeared in the 2025 Top 25, most notably CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) at #11, CWE-352: Stack-based Buffer Overflow at #14, and CWE-122: Heap-based Buffer Overflow at #16. These new introductions are likely due to a change in methodology this year that allowed for better representation of more specific weaknesses.

Visit the Key Insights page on the CWE website for additional information.

Leveraging Real-World Data

The 2025 CWE Top 25 is the second year in a row where the CVE Numbering Authority (CNA) community directly contributed CWE mapping reviews within the dataset, leveraging their expert knowledge of the products and access to information that might not be present in the CVE Record. In general, CNAs are best positioned to provide accurate CWE mapping determinations compared to third-party analysts, as CNAs are the authority for vulnerability information within their CNA scope and those closest to the products themselves.

To create the 2025 list, the CWE Program leveraged public vulnerability data containing CWE mappings and Common Vulnerability Scoring System (CVSS) scores.

The 2025 CWE Top 25 leverages CVE Records for vulnerabilities published between June 1, 2024, and June 1, 2025. A scoring formula is used to calculate a ranked order of weaknesses by combining the frequency that a CWE is the root cause of a vulnerability with the average severity of each of those vulnerabilities as measured by CVSS.

For more information about how the list was created and the ranking methodology, visit the Methodology page on the CWE website.

The 2025 CWE Top 25

Also available now:

• 2025 CWE Top 10 KEV Weaknesses — Ranking actively exploited weaknesses by CISA’s KEV Catalog.
• 2025 “On the Cusp” Weaknesses List — 15 additional weaknesses that were “on the cusp” of being included in the 2025 CWE Top 25.

Check out the 2025 Top 25 Now

https://cwe.mitre.org/top25/archive/2025/2025_cwe_top25.html

This new release delivers a major update to the original 2021 release. For the first time, the refreshed MIHW combines comprehensive weakness data with expert opinion from across the hardware security community, equipping organizations with actionable insights to tackle today’s most critical hardware risks.

Goals

The 2025 MIHW aims to drive awareness of critical hardware weaknesses and provide the cybersecurity community with practical guidance to prevent security issues at the source.

By combining advanced data analysis with expert consensus, the list helps organizations prioritize mitigations, strengthen design practices, and make informed decisions throughout the hardware lifecycle.

A Community Effort

The 2025 MIHW is the result of broad collaboration within the hardware security community. We extend our deepest gratitude to the 2025 MIHW Working Group whose dedication and hard work made the weakness data collection possible. We also thank the many respondents to the MIHW polls for sharing their expert insights, and all Hardware CWE SIG members for their ongoing support and contributions.

2025 CWE Most Important Hardware Weaknesses

Expert Insights: Weaknesses Beyond Data Trends

The weaknesses shown below were not included in the 2025 MIHW because they did not have sufficient weakness data to support their inclusion. However, they stand out as expert-driven selections. Each of these weaknesses received high scores from Subject Matter Experts, reflecting strong consensus among those with deep domain knowledge.

Suggested Use Cases

The 2025 MIHW serves as a practical resource for a wide range of stakeholders:

• Security Architects and Designers can use the list to prioritize and address key weaknesses
• Design Teams benefit by building review checklists around top weaknesses
• Security Researchers can focus their investigation and mitigation efforts
• Test Engineers are able to target critical weaknesses in their testing
• EDA Tool Vendors can enhance tool support for industry-prioritized issues
• Educators can align course material with major hardware weaknesses

Visit the 2025 MIHW Use Cases page on the CWE website for a more detailed look at each use case.

Learn More About the 2025 MIHW

Visit the Most Important Hardware Weaknesses page on the CWE website to view more details about the 2025 list, key insights, methodology, use cases, and more.

Videos of three CWE™-focused sessions from CVE/FIRST VulnCon 2025 — “Hard Problems in CWE, and What it Tells us about Hard Problems in the Industry” (presentation), “How Do We Leverage CVE Root Cause Mapping and CWE Data to Prevent New Vulnerabilities?” (presentation), and “Vulnerability Root Cause Mapping with CWE” (presentation) — are now available on the CWE Program Channel on YouTube. Or, watch below:

View these videos and more on the CWE Program Channel on YouTube.

In this episode, “Root Cause Mapping and the CWE Top 25,” CWE Program Lead Alec Summers talks with CWE Technical Lead Steve Christey and CWE Top 25 Lead Connor Mullaly, about Root Cause Mapping (RCM) and the CWE Top 25.

Topics include the value and history of the CWE Top 25 and an analysis of the most recent Top 25 list and which weaknesses moved up and down on the list; purpose and benefits of mapping the root causes of vulnerabilities identified in CVE Records to CWE weaknesses; methodology used for RCM of the 2024 CWE Top 25 to develop the list and how CVE Numbering Authorities (CNAs) were integral to the process; and, a discussion of follow-on Top 25 lists including the “2024 On the Cusp — Other Dangerous Software Weaknesses” and “2024 CWE Top 10 KEV Weaknesses” lists. In addition, tips for helping improve your RCM are also discussed, such as how best to leverage the CWE website for your research, using CWE List keyword search, where to find the vulnerability mapping pointers on all CWE entry pages and what the different indicators mean, the benefits of being a member of the Root Cause Mapping Working Group (RCM WG), and much more.

The podcast is available for free on the CWE Program Channel on YouTube. Please give our latest episode a listen and let us know what you think by commenting on the CWE page on LinkedIn, CWE on X, CWE on Mastodon, or CWE on Bluesky. We look forward to hearing from you!

Common Weakness Enumeration (CWE™) is the main focus of four talks at CVE/FIRST VulnCon 2025 being held at the McKimmon Center in Raleigh, North Carolina, USA, on April 7–10, 2025:

• “Vulnerability Root Cause Mapping with CWE: Challenges, Solutions, and Insights from Grounded LLM-based Analysis” by Alec Summers of the CVE Program and Chris Madden of Yahoo (Monday, April 7, 11:30–12:30)
• “Lessons Learned From Assigning CWE’s to Test Items for Security Assessments” by Yuichi Kikuchi, Takayuki Uchiyama of Panasonic PSIRT (Tuesday, April 8, 11:30–12:00)
• “How Do We Leverage CVE Root Cause Mapping and CWE Data to Prevent New Vulnerabilities?” by Alexander Bushkin and Jeremy West of Red Hat (Tuesday, April 8, 14:00–16:30)
• “Hard Problems in CWE, and What it Tells us about Hard Problems in the Industry (Virtual)” by Steve Christey Coley of the CWE Program (Thursday, April 10, 13:30–14:30)

We look forward to seeing you there!

The Top 25 highlights the most severe and prevalent weaknesses behind the 31,770 CVE™ Records in this year’s dataset. Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place. These weaknesses lead to serious vulnerabilities in software, and an attacker can often exploit them to take control of an affected system, steal data, or prevent applications from working.

What’s Changed

There are several notable shifts in ranked positions of weakness types from last year’s list, including weaknesses dropping away or making their first appearance in a CWE Top 25.

The 2024 Top 25’s #1 ranked weakness is CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross Site Scripting’), which regains the top position from CWE-787: Out-of-bounds Write after three years. Weaknesses moving up the rankings this year include CWE-352: Cross-Site Request Forgery (CSRF), CWE-94: Improper Control of Generation of Code (‘Code Injection’), CWE-269: Improper Privilege Management, and CWE-863: Incorrect Authorization, while CWE-20: Improper Input Validation, CWE-476: NULL Pointer Dereference, CWE-190: Integer Overflow or Wraparound, and CWE-306: Missing Authentication moved down. Two weaknesses fell off the Top 25 list this year, CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) and CWE-276: Incorrect Default Permissions, which were replaced with CWE-400: Uncontrolled Resource Consumption and CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.

Visit the Key Insights page on the CWE website for additional information.

Leveraging Real-World Data

Importantly, the 2024 CWE Top 25 is the first published list where the Common Vulnerabilities and Exposures (CVE®) Numbering Authority (CNA) community directly contributed CWE mapping reviews within the dataset, leveraging their expert knowledge of the products and access to information that might not be present in the CVE Record. In general, CNAs are best positioned to provide accurate CWE mapping determinations compared to third-party analysts, as CNAs are the authority for vulnerability information within their CNA scope and those closest to the products themselves.

To create the 2024 list, the CWE Program leveraged public vulnerability data containing CWE mappings and Common Vulnerability Scoring System (CVSS) scores. A formula was then applied to the data to score each weakness based on prevalence and severity.

The 2024 CWE Top 25 leverages CVE Records for vulnerabilities published between June 1, 2023, and June 1, 2024. A scoring formula is used to calculate a ranked order of weaknesses by combining the frequency that a CWE is the root cause of a vulnerability with the average severity of each of those vulnerabilities as measured by CVSS.

For more information about how the list was created and the ranking methodology, visit the Methodology page on the CWE website. Also, be sure to also check out the CWE Top 25 page going forward for additional articles and insight.

The 2024 CWE Top 25

Follow-on Information Coming Soon

Over the coming weeks and months, the CWE Program will continue publishing further analyses to help illustrate how root cause mapping and vulnerability management plays an important role in shifting the balance of cybersecurity risk. These will include but may not be limited to the following:

• Weaknesses on the Cusp — Those weaknesses that did not make the 2024 CWE Top 25 of which readers should be aware.
• Actively Exploited — Ranking weaknesses by the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog.

Visit the CWE website regularly for updates.

Check out the 2024 Top 25 Now

https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html

The CWE REST API enables program partners in vulnerability management as well as software (SW) and hardware (HW) developers and architects, electronic design automation (EDA) tool developers, verification engineers, and others who are concerned about mitigating security risks in their products an easy and efficient way to stay up to date with CWE content.

We expect this API to be a major improvement for leveraging CWE content changes as it is always up to date when requested by downstream applications and provided using a JSON representation.

Accessing the CWE REST API

The root URL to access the CWE REST API, which is available without any need to register or use any credentials, is available here.

We suggest using the API to populate a cache of the CWE content locally, which can be refreshed whenever a new release becomes available.

Documentation, Available Endpoints, and More

To view the API documentation, a list of endpoints, as well as several example endpoint URLs, please visit the “Quick Start Instructions for CWE REST API Users” on GitHub.

Please email us at cwe@mitre.org with any comments or concerns.

There are two main thrusts to the usability improvements, referred to as “macro-level” and “micro-level” improvements:

• Macro-level improvements — Focused on better organization of CWEs at a structural, site-wide level, simplifying access to various views and groupings, enhancing site-wide navigation, and ensuring all entries are populated with the necessary elements.
• Micro-level improvements — Focused on revising CWEs for clarity, removing redundancy, simplifying descriptions, reorder schema elements to foreground key information, and adding visualizations to entries for better topic explanation.

Some micro-level improvements were implemented with the release of CWE 4.15 on July 16, 2024, while macro-level improvements will be implemented in the future. A complete list of the micro-level improvements is noted in the “CWE Version 4.15 Now Available” news article, a visual example of which, is included below.

Before and after examples of the micro-level CWE entry page usability improvements are available below. Note that these images show only the tops of the CWE Entry page, using CWE-798 as the example. Sections of the entry that are not shown above will continue to be included on the entry page but are omitted here for brevity.

Feedback about these improvements is welcome at cwe@mitre.org.

Please note that the content within these mockups is still actively being worked on, so we are not seeking detailed feedback on this aspect at this stage. However, we would appreciate your thoughts on the proposed layout and design elements, as well as the overall user experience.

We are inviting you to provide your feedback early in our working process so that we can incorporate your valuable insights and suggestions. The changes we are proposing are focused on presenting important and concise text first for easy digestion by the reader.

To give you a better idea of our proposed changes, here are a couple of points that we are considering:

* Concise summary of the weakness with a visual aid
* A slight reordering of elements to be: “Alternate Terms,” “Consequences,” then “Mitigations”
* Remaining elements would then follow

You can view a before (on the left) and after (on the right) example of the CWE entry page usability improvements below:

Please comment here on Medium or send your comments to us directly at cwe@mitre.org. We look forward to hearing from you!