Common Weakness Enumeration

The CWE Top 25 Most Dangerous Software Weaknesses List highlights the most severe and prevalent weaknesses behind the 31,770 Common Vulnerabilities and Exposures (CVE®) Records in this year’s dataset. Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place — benefiting both industry and government stakeholders.

The CWE Top 25 can help inform:

• Vulnerability Reduction – Insights into the common root causes drive valuable feedback into vendors’ SDLC and architectural planning, helping to eliminate entire classes of defect (e.g., memory safety, injection)
• Cost Savings – Fewer vulnerabilities in product development mean fewer issues to manage post-deployment, ultimately saving money and resources
• Trend Analysis – Insight into data trends enables organizations to better focus security efforts
• Exploitability Insights – Certain weaknesses such as command injection attract adversarial attention, enabling risk prioritization.
• Customer Trust – Transparency in how organizations address these weaknesses shows commitment to product security

The 2024 CWE Top 25 is not only a valuable resource for developers and security professionals, but it also serves as a strategic guide for organizations aiming to make informed decisions in software, security, and risk management investments.

Also available now:

• 2024 CWE Top 10 KEV Weaknesses — Ranking actively exploited weaknesses by CISA’s KEV Catalog.
• 2024 "On the Cusp" Weaknesses List – 15 additional weaknesses that were "on the cusp" of being included in the 2024 CWE Top 25.
• 2024 On the Cusp Weaknesses Insights — A discussion about the On the Cusp CWEs that continue to be prevalent and severe enough to cause concern.

Top 25 Archive