In 2021, the Cybersecurity and Infrastructure Security Agency (CISA) began publishing the "Known Exploited Vulnerabilities (KEV) Catalog." Entries in this catalog are vulnerabilities that have been reported through the Common Vulnerabilities and Exposures (CVE®) Program and are observed to be (or have been) actively exploited. CISA recommends that organizations monitor the KEV catalog and use its content to help prioritize remediation activities in their systems to reduce the likelihood of compromise.
A "weakness" is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs. In general, CWE(s) describe the root cause(s) of vulnerabilities.
The CWE Top 25 is an annual list of the weaknesses responsible for the most prevalent and severe CVE Records. Prevalence is measured by the number of CVE Records in the dataset whose root cause correlates with a particular CWE, and severity is measured by calculating the average CVSS score for those CVE Records. But whether a vulnerability is being actively exploited is not a required part of the vulnerability reporting process (i.e., CVE Reporting procedures).
By examining the CWE root cause mappings of vulnerabilities known to have been exploited in the wild, we gain new insight into which weaknesses adversaries actually exploit (as opposed to those most often reported by developers and researchers). 144 CVE Records were considered for the list calculation, comprising all CVE Records added to the KEV catalog from June 2023 to June 2024, as of January 30, 2025. Together with the 2024 CWE Top 25, the Top 10 KEV Weaknesses List (using the same scoring methodology as the 2024 Top 25) provides further information that organizations can use in their efforts to mitigate risk.
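The ranking described above, written out as an added worked example (this is not MITRE's code and is not the script used to produce the list). It assumes the published CWE Top 25 combination of the two measures the paragraph names: a weakness's score is its normalized frequency (records mapped to it divided by mapped records in the dataset) multiplied by its normalized severity (average CVSS divided by 10), scaled by 100. The choice of denominator for frequency does not change the ordering, only the absolute scores. The KEV-style records, CVE IDs and CVSS values below are constructed placeholders, and `rank_position` reproduces the "dash when absent" convention used in the comparison tables later on this page.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample records standing in for KEV entries that have been
# root-cause mapped to CWEs and carry a CVSS base score. The CVE IDs are
# placeholders, not real catalog entries.
SAMPLE_RECORDS = [
    {"cve": "CVE-0000-0001", "cwes": ["CWE-787"], "cvss": 9.8},
    {"cve": "CVE-0000-0002", "cwes": ["CWE-787", "CWE-416"], "cvss": 8.8},
    {"cve": "CVE-0000-0003", "cwes": ["CWE-843"], "cvss": 8.8},
    {"cve": "CVE-0000-0004", "cwes": ["CWE-78"], "cvss": 9.8},
    {"cve": "CVE-0000-0005", "cwes": ["CWE-78"], "cvss": 7.2},
    {"cve": "CVE-0000-0006", "cwes": ["CWE-89"], "cvss": 9.8},
    {"cve": "CVE-0000-0007", "cwes": ["CWE-416"], "cvss": 7.8},
    # A record with no root-cause mapping yet contributes nothing to any CWE.
    {"cve": "CVE-0000-0008", "cwes": [], "cvss": 5.3},
]

# One result row: (CWE id, record count, average CVSS, score)
Row = Tuple[str, int, float, float]


def aggregate(records: List[dict]) -> Tuple[Dict[str, int], Dict[str, float], int]:
    """Count records per CWE and sum their CVSS scores.

    A record that maps to several CWEs counts once for each of them, but a
    duplicated CWE within a single record is counted only once.
    """
    counts: Dict[str, int] = defaultdict(int)
    cvss_sum: Dict[str, float] = defaultdict(float)
    mapped_total = 0
    for rec in records:
        cwes = set(rec["cwes"])
        if not cwes:
            continue  # unmapped records are excluded from the dataset
        mapped_total += 1
        for cwe in cwes:
            counts[cwe] += 1
            cvss_sum[cwe] += rec["cvss"]
    return counts, cvss_sum, mapped_total


def score_weaknesses(records: List[dict]) -> List[Row]:
    """Score and rank CWEs: prevalence x severity, highest first.

    Assumed formula (published CWE Top 25 methodology, not stated on this
    page): score = (count / mapped_total) * (avg_cvss / 10) * 100.
    """
    counts, cvss_sum, total = aggregate(records)
    rows: List[Row] = []
    for cwe, n in counts.items():
        avg_cvss = cvss_sum[cwe] / n
        freq = n / total
        sev = avg_cvss / 10.0
        rows.append((cwe, n, round(avg_cvss, 2), round(freq * sev * 100, 2)))
    # Ties broken by higher record count, then by CWE id for determinism.
    rows.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return rows


def top_n(records: List[dict], n: int = 10) -> List[Row]:
    """The first n ranked rows (the 'Top 10' when n=10)."""
    return score_weaknesses(records)[:n]


def rank_position(rows: List[Row], cwe: str) -> Optional[int]:
    """1-based rank of a CWE in a ranked list, or None if it is absent
    (rendered as a dash in the comparison tables)."""
    for idx, row in enumerate(rows, start=1):
        if row[0] == cwe:
            return idx
    return None


if __name__ == "__main__":
    for rank, (cwe, n, avg, score) in enumerate(top_n(SAMPLE_RECORDS), 1):
        print(f"{rank:>2}. {cwe:<8} records={n} avg_cvss={avg:<5} score={score}")
```

Running the block prints the constructed ranking; in it CWE-787 leads because it is both frequent and severe, while CWE-89 outranks CWE-843 on severity alone despite an equal record count, which is the same prevalence-versus-severity interplay that shapes the real list.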
In early 2023, View-1400: Comprehensive Categorization for Software Assurance Trends was published on the CWE website to group all entries into categories of interest for large-scale software assurance research. This was done both to support efforts to eliminate weaknesses using tactics such as secure language development and to help track weakness trends in publicly disclosed vulnerability data.
The pie chart on the right shows the percentage of weakness categories for all CWE mappings in the 2024 CWE Top 10 KEV Weaknesses list.
The treemap chart on the right combines the CWE Top 10 KEV Weaknesses’ categories with the individual CWE entries’ analysis scores.
Note that although Memory Safety and Injection account for the most CWEs in the KEV Top 10, Resource Lifecycle Management is represented by the 2nd-ranked entry, CWE-843: Access of Resource Using Incompatible Type ('Type Confusion').
There are several interesting differences between the sets of CWEs appearing in the CWE Top 10 KEV Weaknesses and the 2024 CWE Top 25. As shown below, some weakness types scored lower in the 2024 CWE Top 25 but higher in the Top 10 KEV Weaknesses. A dash indicates the weakness was not present in the 2024 CWE Top 25.
| CWE-ID | Name | 2024 CWE Top 25 Rank | Top 10 KEV Weaknesses Rank |
|---|---|---|---|
| CWE-787 | Out-of-bounds Write | 2nd | 1st |
| CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | - (39th) | 2nd |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 7th | 3rd |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | 11th | 4th |
| CWE-502 | Deserialization of Untrusted Data | 16th | 5th |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 5th | 6th |
| CWE-306 | Missing Authentication for Critical Function | 25th | 7th |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 3rd | 8th |
| CWE-416 | Use After Free | 8th | 9th |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 13th | 10th |
Other weaknesses that appeared in the 2024 CWE Top 25 do not appear in Top 10 KEV Weaknesses at all:
| CWE-ID | Name | 2024 CWE Top 25 Rank |
|---|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 1st |
| CWE-352 | Cross-Site Request Forgery (CSRF) | 4th |
| CWE-125 | Out-of-bounds Read | 6th |
| CWE-862 | Missing Authorization | 9th |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | 10th |
Many factors can account for these differences. These include, but are not limited to, the types of vulnerabilities that are:
Reported vulnerabilities, as captured in the CWE Top 25, are important to understand; coupling them with knowledge of exploitation offers a further level of information that helps ground system development environments in operational realities.
Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.