MITRE has compiled its list of the top 25 most dangerous Common Weakness Enumeration (CWE) software weaknesses for 2023, intended to inform people of the “most common and impactful” vulnerabilities and weaknesses affecting software over the past two years. The list was created using CVE data from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), including the Common Vulnerability Scoring System (CVSS) scores for each weakness, with a particular focus on those CVEs that had been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities Catalog. NIST and CISA are both organisations within the US government; however, they monitor security vulnerabilities that affect industry, technology, and organisations across the globe. A total of 43,996 CVE Records for vulnerabilities from 2021 and 2022 were used to compile the final list of the top 25 most dangerous CWEs.
1. Out-of-bounds Write, CWE-787
2. Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), CWE-79
3. Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’), CWE-89
These top three most dangerous software weaknesses have retained the same ranking as last year, maintaining their severity on the list. All three of these flaws allow attackers to execute code on their targets when exploited, which in the case of out-of-bounds write vulnerabilities includes directly writing arbitrary commands to the target device. Cross-site scripting (XSS) flaws often need to be exploited alongside other vulnerabilities in order to run code on the target machine rather than just within the HTTP-based web page. Similarly, SQL injection flaws target the databases that control sites rather than the device directly; however, they are also often able to result in execution of system commands without the need for other vulnerabilities to be exploited in an attack chain. Through cookie stealing, XSS flaws can also result in attackers gaining access to highly privileged sessions. Authorisation information can also be obtained through SQL injection exploits, allowing attackers to access privileged user accounts without prior knowledge of the password.
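The SQL injection case above (CWE-89), shown as an added example that is not part of the MITRE list or this article: a login lookup that splices the username into the query text beside the parameterised form, against a constructed in-memory SQLite table. The table, column names and placeholder credential strings are all assumptions made for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table; the pw_hash values are placeholders, not real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "hash-of-admin-pw", "administrator"),
         ("alice", "hash-of-alice-pw", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw_hash: str):
    """CWE-89: user input is formatted into the SQL text.

    A quote character in `name` closes the string literal, so the remainder of
    the input is parsed as SQL syntax rather than compared as data. The WHERE
    clause can therefore be rewritten so that the password check never runs.
    """
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, name: str, pw_hash: str):
    """Mitigation: a parameterised query.

    The statement structure is fixed at prepare time and the driver binds the
    two values afterwards, so quotes or comment markers in the input can only
    ever be compared against the stored columns, never alter the query.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ? AND pw_hash = ?",
        (name, pw_hash),
    ).fetchone()
```

Both functions return the matching `(name, role)` row or `None`; only the formatted version returns a row for a username containing a quote and the `--` comment marker with an incorrect credential.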
4. Use After Free, CWE-416
5. Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), CWE-78
6. Improper Input Validation, CWE-20
7. Out-of-bounds Read, CWE-125
8. Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), CWE-22
9. Cross-Site Request Forgery (CSRF), CWE-352
10. Unrestricted Upload of File with Dangerous Type, CWE-434
Exploitation of use after free, OS command injection, improper input validation, path traversal, and unrestricted upload of file with dangerous type flaws can also result in arbitrary code execution. As with the most dangerous flaw, use after free, improper input validation, path traversal, and CSRF flaws can also result in a system crash, which can be utilised in denial-of-service type attacks. Elevation to system privileges can be obtained by exploiting OS command injection flaws, which makes the arbitrary code execution performed in these attacks capable of greater damage through increased privileges.
CSRF flaws are limited by the privileges of the user, so the consequences of an exploit could be severe if a system account is accessed, or the flaw may need to be exploited in combination with other flaws to obtain this level of control. Out-of-bounds read vulnerabilities can be exploited to obtain memory addresses or values needed to then exploit a separate flaw that would result in code execution or denial of service. The lower ranking on this list since last year (down two places) is likely due to the need for an attack chain to take full advantage of this flaw, unlike the higher-ranked vulnerabilities that can achieve code execution and denial of service directly.
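For the path traversal entry (CWE-22) discussed above, an added example that is not part of the article or the MITRE list: a containment check that resolves a user-supplied file name under a base directory and rejects anything that escapes it, including `..` sequences, absolute paths, symlinks that point outside, embedded NUL bytes and sibling directories that merely share the base's name as a prefix. The function name and base-directory layout are assumptions for the example.

```python
import os


def resolve_under_base(base_dir: str, requested: str):
    """Return the resolved path of `requested` if it lies inside base_dir, else None.

    Mitigation for CWE-22: instead of stripping '..' from the input (which
    misses encodings, symlinks and absolute paths), resolve both paths and
    check that the base directory is a proper ancestor of the candidate.
    """
    if "\x00" in requested:
        # NUL truncates the path in C-level file APIs, so the checked name and
        # the opened name would differ; reject outright.
        return None
    real_base = os.path.realpath(base_dir)
    # os.path.join discards real_base when `requested` is absolute, so an
    # absolute input simply resolves on its own and fails the check below.
    # realpath also follows symlinks, so a link inside base_dir that targets
    # an outside file resolves to that outside location.
    candidate = os.path.realpath(os.path.join(real_base, requested))
    if candidate == real_base:
        # The base directory itself is not a servable file.
        return None
    try:
        # commonpath compares whole components, so '/srv/data_old' is not
        # treated as inside '/srv/data' the way a startswith() check would.
        inside = os.path.commonpath([real_base, candidate]) == real_base
    except ValueError:
        # Paths on different drives (Windows) cannot share a root: outside.
        inside = False
    return candidate if inside else None


def read_under_base(base_dir: str, requested: str) -> bytes:
    """Open a file only after the containment check has passed."""
    path = resolve_under_base(base_dir, requested)
    if path is None:
        raise PermissionError(f"refusing to serve {requested!r}: outside base directory")
    with open(path, "rb") as fh:
        return fh.read()
```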
11. Missing Authorization, CWE-862
12. NULL Pointer Dereference, CWE-476
13. Improper Authentication, CWE-287
14. Integer Overflow or Wraparound, CWE-190
15. Deserialization of Untrusted Data, CWE-502
16. Improper Neutralization of Special Elements used in a Command (‘Command Injection’), CWE-77
17. Improper Restriction of Operations within the Bounds of a Memory Buffer, CWE-119
18. Use of Hard-coded Credentials, CWE-798
19. Server-Side Request Forgery (SSRF), CWE-918
20. Missing Authentication for Critical Function, CWE-306
21. Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’), CWE-362
22. Improper Privilege Management, CWE-269
23. Improper Control of Generation of Code (‘Code Injection’), CWE-94
24. Incorrect Authorization, CWE-863
25. Incorrect Default Permissions, CWE-276
Of the dangerous CWEs that did not make the top 10, it is important to highlight the two new entries on the list: CWE-269: Improper Privilege Management, ranked 22nd, and CWE-863: Incorrect Authorization, ranked 24th. Neither of these weaknesses was deemed as dangerous last year, despite both providing attackers with additional privileges, or allowing them to assume identities to gain access. Incorrect authorization flaws could also allow attackers to read and modify sensitive data in files or directories. Missing authorisation, improper authentication, command injection, improper restriction of operations within the bounds of a memory buffer, SSRF, race condition, and code injection flaws were all also ranked higher on this year’s list than in previous years.
CISA recommend that developers and security response teams familiarise themselves with this list, including reviewing the mitigations suggested for each CWE to decide what security measures are suitable to implement in their environments to combat these weaknesses.