+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

MITRE’s Top 25 Most Dangerous CWEs for 2023

A list of the top 25 most dangerous common weakness enumeration (CWE) software weaknesses for 2023 has been compiled by MITRE to inform people of the “most common and impactful” vulnerabilities and weaknesses affecting software over the past two years. This list was created using CVE data from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), including the Common Vulnerability Scoring System (CVSS) scores for each weakness, with a particular focus on those CVEs that had been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities Catalog. NIST and CISA are both organisations within the US government, however they monitor security vulnerabilities that affect industry, technology, and organisations across the globe. A total of 43,996 CVE Records for vulnerabilities from 2021 and 2022 were used to compile the final list of top 25 most dangerous CWEs.  

 

1. Out-of-bounds Write, CWE-787 

2. Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), CWE-79 

3. Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’), CWE-89

 

These top 3 most dangerous software weaknesses have retained the same ranking as last year, maintaining their severity on the list. All three of these flaws allow for attackers to execute code on their targets when performing an exploit, which in the case of out-of-bounds write vulnerabilities includes directly writing arbitrary commands to the target device. Cross-site-scripting (XSS) flaws often need to be exploited alongside other vulnerabilities in order to run code on the target machine rather than just within the HTTP based web page. Similarly, SQL injection flaws target the databases that control sites rather than directly on the device, however they are also often able to result in execution of system commands without the need for other vulnerabilities to be exploited in an attack chain. Through cookie stealing XSS flaws can also result in attackers gaining access to highly privileged sessions. Authorisation information can also be obtained through SQL injection exploits allowing attackers to access privileged user accounts without previous knowledge of the password. 

 

4. Use After Free, CWE-416 

5. Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), CWE-78 

6. Improper Input Validation, CWE-20 

7. Out-of-bounds Read, CWE-125 

8. Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), CWE-22 

9. Cross-Site Request Forgery (CSRF), CWE-352 

10. Unrestricted Upload of File with Dangerous Type, CWE-434 

 

Exploitation of use after free, OS command injection, improper input validation, path traversal, and unrestricted upload of file with dangerous type flaws can also result in arbitrary code execution. As with the most dangerous flaw, a use after free vulnerability, an improper input validation, a path traversal, and CSRF flaws can also result in a system crash which can be utilised in denial-of-service type attacks. Elevation to system privileges can be obtained by exploiting OS command injection flaws, which makes the arbitrary code execution performed in these attacks capable of greater damage through increased privileges.   

CSRF flaws are limited by the privileges of the user, and so the consequences of an exploit could be severe if a system account is accessed, or it may need to be exploited in combination with other flaws to obtain this level of control. Out of bounds read vulnerabilities can be exploited to achieve memory addresses or values needed to then exploit a separate flaw that would result in code execution or denial of service. The lower ranking on this list since last year (down two places) is likely due to the need for an attack chain to take full advantage of this flaw, unlike the higher ranked vulnerabilities that can perform code execution and denial of service directly.  

 

11. Missing Authorization, CWE-862 

12. NULL Pointer Dereference, CWE-476 

13. Improper Authentication, CWE-287 

14. Integer Overflow or Wraparound, CWE-190 

15. Deserialization of Untrusted Data, CWE-502 

16. Improper Neutralization of Special Elements used in a Command (‘Command Injection’), CWE-77 

17. Improper Restriction of Operations within the Bounds of a Memory Buffer, CWE-119 

18. Use of Hard-coded Credentials, CWE-798 

19. Server-Side Request Forgery (SSRF), CWE-918 

20. Missing Authentication for Critical Function, CWE-306 

21. Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’), CWE-362 

22. Improper Privilege Management, CWE-269 

23. Improper Control of Generation of Code (‘Code Injection’), CWE-94 

24. Incorrect Authorization, CWE-863 

25. Incorrect Default Permissions, CWE-276 

 

Of these dangerous CWEs that did not make the top 10, it is important to highlight the two new entries on the list, CWE-269: Improper Privilege Management which is ranked 22nd, and CWE-863: Incorrect Authorization which is ranked 24th. Neither of these weaknesses were deemed as dangerous last year, despite both exploits providing attackers with additional privileges, or allowing them to assume identities to gain access. Incorrect authorization flaws could also allow attackers to read and modify sensitive data in files or directories. Missing authorisation, improper authentication, command injection, improper restriction of operations within the bounds of a memory buffer, SSRF, race condition, and code injection flaws were all also ranked higher on this year’s list than in previous years. 

 

CISA recommend that developers and security response teams familiarise themselves with this list, including reviewing the mitigations suggested for each CWE to decide what security measures are suitable to implement in their environments to combat these weaknesses.  

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.