MITRE has released its latest list of the top 25 most exploited vulnerabilities and exposures found in software.
The MITRE CWE list is different from the product-specific CVE lists from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other agencies and instead focuses on more generic software development weaknesses, similar to the OWASP list for web applications.
MITRE’s latest CWE Top 25 Most Dangerous Software Weaknesses list contains a number of significant changes, such as a big jump in Race Condition attacks (CWE-362) and Command Injection attacks (CWE-77).
MITRE said its goal is to help professionals handle and mitigate various risks, which includes software for “architects, designers, developers, testers, users, project managers, security researchers, educators,” and many other contributors.
The ranking is a great resource for everyone from developers to defenders and security teams, as it lists bugs that are actively exploited in the wild and have a significant impact.
Top 10 Software Vulnerabilities Unchanged
While the top 10 weaknesses and exposures are little changed, after that the movements get more substantial.
Out-of-bounds write and cross-site scripting (XSS) are still the most dangerous vulnerabilities. The top 10 appears relatively stable from 2021 to 2022, although SQL injection jumped 3 spots to third place this year.
Some entries have been removed from the top 25:
- CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
- CWE-522 (Insufficiently Protected Credentials)
- CWE-732 (Incorrect Permission Assignment for Critical Resource)
That doesn’t mean those aren’t dangerous anymore, just that other attacks have become more prevalent. For example, CWE-200 has been replaced by CWE-362 [Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)] in position 22, but can still be found just outside the top 25 in position 33.
Attacks based on Race Condition weaknesses have significantly increased (+11 spots). MITRE considers a race condition existing “when an ‘interfering code sequence’ can still access the shared resource, violating exclusivity.”
For example, developers should implement a locking or synchronizing mechanism to prevent multiple simultaneous requests to a web application. Otherwise, hackers might overload the app and create delays in processing to “win the race against the app” and ultimately place unauthorized transactions.
Big Moves at Bottom of the Software Flaws List
While some entries fell significantly – Missing Authentication for Critical Function (CWE-306), for example, fell 7 spots – that does not mean those weaknesses won’t be exploited. MITRE notes they can become exploitable under “right conditions.”
Movements were much greater in the 26-40 spots, with 4 weaknesses moving double-digits. CWE-668 (Exposure of Resource to ‘Wrong Sphere’) jumped 21 spots to position 32. “Incorrect Authorization” (CWE-863) gained 10 spots to number 28, while “Insufficiently Protected Credentials” (CWE-522) lost 17 places to number 38.
MITRE Methodology Changes
MITRE decided to source from CISA’s Known Exploited Vulnerabilities (KEV) catalog launched last year. The move adds significant context to the MITRE list, as KEV documents hundreds of vulnerabilities that have been exploited in real-world attacks.
These weaknesses can be flaws, bugs, or vulnerabilities, but also errors found in design, architecture, or implementation.
Threat actors exploit them actively to take control of targeted devices, gain unauthorized access, exfiltrate information, or flood online servers (such as DDoS attacks).
MITRE attributes a score to each weakness according to its prevalence and the severity. The team analyzed 37,899 CVEs from the NVD (National Vulnerability Database) and CISA’s Known Exploited Vulnerabilities catalog in compiling lists.
All these lists serve a very important function: They help guide the mitigation efforts of security teams that are overwhelmed by alerts and vulnerabilities so they focus on the flaws with the greatest risk.