CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE Top 25 > 2023 CWE Top 10 KEV List Insights  
ID


NOTICE: This is a previous version of the Top 25. For the most recent version go here.


2023 CWE Top 10 KEV Weaknesses List Insights


In 2021, the Cybersecurity and Infrastructure Security Agency (CISA) began publishing the “Known Exploited Vulnerabilities (KEV) Catalog.” Entries in this catalog are vulnerabilities that have been reported through the Common Vulnerabilities and Exposures (CVE®) program and are observed to be (or have been) actively exploited. CISA recommends that organizations monitor the KEV catalog and use its content to help prioritize remediation activities in their systems to reduce the likelihood of compromise.

What CWE Analysis Shows Us About Known Exploited Vulnerabilities

A “weakness” is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs. In general, CWE(s) describe the root cause(s) of vulnerabilities.

The CWE Top 25 is an annual list of the weaknesses responsible for the most prevalent and severe CVE Records. Prevalence is measured by the number of CVE Records in the dataset whose root cause correlate with a particular CWE, and severity is measured by calculating the average CVSS score for those CVE Records. But whether a vulnerability is being actively exploited is not a required part of the vulnerability reporting process (i.e., CVE Reporting procedures).

By examining the CWE root cause mappings of vulnerabilities known to have been exploited in the wild, we gain new insight into what weaknesses adversaries exploit (as opposed to those most often reported by developers and researchers). 289 CVE Records were analyzed, comprising all the 2021 and 2022 CVE Records in the KEV catalog (as of March 27, 2023, the day all NVD data was pulled for the 2023 CWE Top 25). Together with the 2023 CWE Top 25, the first ever Top 10 KEV Weaknesses List (using the same scoring methodology used for the 2023 Top 25) provides further information that organizations can use in their efforts to mitigate risk.

Analysis

In early 2023, View-1400: Comprehensive Categorization for Software Assurance Trends was published on the CWE website to group all entries into categories of interest for large-scale software assurance research.

This was both to support efforts to eliminate weaknesses using tactics such as secure language development as well as to help track weakness trends in publicly disclosed vulnerability data.

The pie chart on the right shows the percentage of weakness categories for all CWE mappings in the 2023 CWE Top 10 KEV Weaknesses list.

Percent of 2023 CWE Top 10 KEV Weaknesses by CWE Category
×
Percent of 2023 CWE Top 10 KEV Weaknesses by CWE Category
Percent of 2023 CWE Top 10 KEV Weaknesses by CWE Category

The treemap chart on the right combines the CWE Top 10 KEV Weaknesses’ categories with the individual CWE entries’ analysis scores.

Note that the top 3 entries in the CWE Top 10 KEV Weaknesses are related to Memory Safety.

2023 CWE Top 10 KEV Weaknesses List Insights
×
2023 CWE Top 10 KEV Weaknesses List Insights
2023 CWE Top 10 KEV Weaknesses List Insights

CWE Top 25 vs. CWE KEV Top 10 Comparison

There are several interesting differences between the sets of CWEs appearing in the CWE Top 10 KEV Weaknesses and the 2023 CWE Top 25. As shown below, some weakness types scored lower in the 2023 CWE Top 25 but higher in the Top 10 KEV Weaknesses. A dash indicates the weakness was not present in the 2023 CWE Top 25.


CWE-ID Name 2023 CWE Top 25 Rank Top 10 KEV Weaknesses Rank
CWE-416 Use After Free 4th 1st
CWE-20 Improper Input Validation 6th 4th
CWE-502 Deserialization of Untrusted Data 15th 6th
CWE-918 Server-Side Request Forgery (SSRF) 19th 7th
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') - 8th
CWE-306 Missing Authentication for Critical Function 20th 10th

Other weaknesses that appeared in the 2023 CWE Top 25 do not appear in Top 10 KEV Weaknesses at all:


CWE-ID Name 2023 CWE Top 25 Rank
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 2nd
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 3rd
CWE-125 Out-of-bounds Read 7th
CWE-352 Cross-Site Request Forgery (CSRF) 9th
CWE-434 Unrestricted Upload of File with Dangerous Type 10th

Many factors can account for these differences. These include, but are not limited to, the types of vulnerabilities that are:

  • easily found by code scanning tools
  • easiest to exploit
  • have the most desirable impact for adversaries that exploit them

Reported vulnerabilities as noted in the CWE Top 25 are important to understand, but coupled with knowledge of exploitation offers a new level of information that helps inform system development environments with operational realities.

Page Last Updated: November 11, 2024