Mitre releases a list of its top 25 most dangerous software weaknesses, detailing the most common vulnerabilities which can give cybercriminals the ability to access machines to steal data or cause crashes.
Mitre has released its rundown of the most widespread and critical vulnerabilities in software, many of which are easy to find and can be exploited by cybercriminals to take over systems, steal data or crash applications and even computers.
The 2021 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses details the most common and most impactful security issues.
The list is based on published Common Vulnerabilities and Exposures (CVE) data, as well as data from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores of the CVEs.
Top of the list, with the highest score by some margin, is CWE-787: Out-of-bounds Write, a weakness where software writes past the end, or before the beginning, of the intended buffer. Like many of the weaknesses in the list, this can lead to data corruption and system crashes, and can give attackers the ability to execute code. Mitre said in a blog post:
“These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working.”
Mitre Corporation is a US not-for-profit organisation behind the MITRE ATT&CK framework – a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
Second on the list is CWE-79: Improper Neutralization of Input During Web Page Generation, a cross-site scripting weakness in which user-controlled input is not correctly neutralised before it is placed in a web page. This can allow attackers to inject malicious scripts, steal sensitive information and send other malicious requests, particularly if they are able to gain administrator privileges. Third on the list is CWE-125: Out-of-bounds Read, a weakness that can allow attackers to read sensitive information from other memory locations or cause a crash.
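The two memory-safety entries above, CWE-787 and CWE-125, share one root cause: an index or length taken from input is used without checking it against the buffer it addresses. The following C is an added example (not code from Mitre or from this article) showing the weak shape next to a bounds-checked write and read; the 16-byte buffer and the index values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define BUF_LEN 16

/* CWE-787 shape: an attacker-controlled index is used directly. A negative
   index writes before the buffer and an index >= BUF_LEN writes past its end.
   Shown only to illustrate the weakness; it is never called with a bad index. */
void store_unchecked(uint8_t buf[BUF_LEN], long index, uint8_t value) {
    buf[index] = value;
}

/* Hardened write: both ends are checked and the caller learns whether the
   write happened (1) or was refused (0). */
int store_checked(uint8_t buf[BUF_LEN], long index, uint8_t value) {
    if (index < 0 || (size_t)index >= BUF_LEN) {
        return 0;
    }
    buf[index] = value;
    return 1;
}

/* Hardened read (the CWE-125 counterpart): the same check before the load,
   so an out-of-range index cannot disclose a neighbouring memory location. */
int load_checked(const uint8_t buf[BUF_LEN], long index, uint8_t *out) {
    if (index < 0 || (size_t)index >= BUF_LEN) {
        return 0;
    }
    *out = buf[index];
    return 1;
}

/* Drives both checked accesses against a constructed 16-byte buffer.
   Returns 1 if a write to 'index' followed by a read back is accepted and
   yields the stored value, 0 if either access was refused. */
int round_trip_accepted(long index) {
    uint8_t buf[BUF_LEN] = {0};
    uint8_t value = 0;
    if (!store_checked(buf, index, 0xAA)) {
        return 0;
    }
    if (!load_checked(buf, index, &value)) {
        return 0;
    }
    return value == 0xAA;
}
```

Indices 0 through 15 are accepted; -1 and 16 are refused before any memory access happens, which is exactly the check the unchecked version lacks.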
While many of the vulnerabilities are potentially very damaging if they’re discovered and exploited by cybercriminals, the weaknesses can often be countered, particularly for those for which a security patch is available. Applying security patches to fix known vulnerabilities is one of the key things that organisations can do to help protect their networks from cyber attacks and intrusions.
The 2021 CWE Top 25 uses NVD data from the years 2019 and 2020, which consists of approximately 32,500 CVEs that are associated with a weakness. The full list is available on the CWE website.