MITRE - 2022 List of 25 Most Dangerous Vulnerabilities
June 30, 2022
The official version of the “2022 CWE Top 25 Most Dangerous Software Weaknesses,” a demonstrative list of the most common and impactful software weaknesses that can lead to exploitable vulnerabilities in software, is now available on the CWE website.
These weaknesses are dangerous because they are often easy to find and exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations.
The major differences between the 2021 and 2022 CWE Top 25 lists are the addition of three new weakness types and several notable shifts in ranked positions, including three weakness types that fell entirely off the list.
The three new additions are CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'); CWE-94: Improper Control of Generation of Code ('Code Injection'); and CWE-400: Uncontrolled Resource Consumption.
Weakness types moving higher on the list include CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') and CWE-476: NULL Pointer Dereference, while CWE-306: Missing Authentication for Critical Function moved lower. The three weakness types that fell off the list are CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-522: Insufficiently Protected Credentials; and CWE-732: Incorrect Permission Assignment for Critical Resource.
Leveraging Real-World Data
To create the 2022 list, the CWE Program leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores associated with each CVE Record, including a focus on CVE Records from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. A formula was then applied to the data to score each weakness based on prevalence and severity.
The 2022 CWE Top 25 uses NVD data from the years 2020 and 2021, which consists of 37,899 CVE Records that are mapped to a weakness (records with no CWE mapping are excluded). The scoring formula that produces the ranked order combines the frequency with which a CWE is the root cause of a vulnerability with the average CVSS score of those vulnerabilities. Both the frequency and the average severity are normalized relative to the minimum and maximum values seen, so a weakness only scores highly when it is both common and severe.
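The following is an added example, not MITRE's own scoring code, that applies the ranking described above to a small constructed data set. It follows the published CWE Top 25 formula as this editor understands it: min-max normalized frequency multiplied by min-max normalized average CVSS, scaled by 100. Two points are assumptions of this example rather than statements from the article: severity is normalized against the minimum and maximum CVSS base score across all mapped records, and ties are broken by CWE identifier. The CVE identifiers and scores in SAMPLE_CVES are made up for illustration and are not real NVD entries.

```python
"""Rank CWEs the way the CWE Top 25 methodology describes.

Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100, where
  Fr = (count(CWE_X) - min(count)) / (max(count) - min(count))
  Sv = (avg_cvss(CWE_X) - min(cvss)) / (max(cvss) - min(cvss))

This is an illustrative reimplementation, not MITRE's code.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample records: (CVE id, root-cause CWE id or None, CVSS base score).
# These are invented for the example; they are not real NVD data.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-79", 6.1),
    ("CVE-0000-0002", "CWE-79", 5.4),
    ("CVE-0000-0003", "CWE-79", 6.1),
    ("CVE-0000-0004", "CWE-79", 6.4),
    ("CVE-0000-0005", "CWE-787", 9.8),
    ("CVE-0000-0006", "CWE-787", 8.8),
    ("CVE-0000-0007", "CWE-787", 9.0),
    ("CVE-0000-0008", "CWE-89", 9.8),
    ("CVE-0000-0009", "CWE-89", 9.8),
    ("CVE-0000-0010", "CWE-20", 7.5),
    ("CVE-0000-0011", "CWE-476", 5.5),
    ("CVE-0000-0012", "CWE-476", 7.5),
    ("CVE-0000-0013", None, 9.8),  # no CWE mapping: excluded, as the methodology says
]


def _normalize(value, low, high):
    """Min-max normalize to [0, 1]; a degenerate range (all equal) maps to 0."""
    return 0.0 if high == low else (value - low) / (high - low)


def score_cwes(records):
    """Return {cwe_id: score} for every CWE that appears in the mapped records."""
    counts = defaultdict(int)
    cvss_by_cwe = defaultdict(list)
    all_cvss = []
    for _cve, cwe, cvss in records:
        if cwe is None:  # skip records without a weakness mapping
            continue
        counts[cwe] += 1
        cvss_by_cwe[cwe].append(cvss)
        all_cvss.append(cvss)
    if not counts:
        return {}

    avg_cvss = {cwe: mean(scores) for cwe, scores in cvss_by_cwe.items()}
    f_min, f_max = min(counts.values()), max(counts.values())
    # Assumption: severity is normalized against the CVSS range of all mapped records.
    s_min, s_max = min(all_cvss), max(all_cvss)

    result = {}
    for cwe in counts:
        fr = _normalize(counts[cwe], f_min, f_max)
        sv = _normalize(avg_cvss[cwe], s_min, s_max)
        result[cwe] = round(fr * sv * 100, 2)
    return result


def rank_cwes(records, top_n=25):
    """Return [(cwe_id, score), ...] in descending score order, ties broken by id."""
    scores = score_cwes(records)
    ordered = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[:top_n]


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank_cwes(SAMPLE_CVES), start=1):
        print(f"{position:2d}. {cwe:8s} {score:6.2f}")
```

Running it on the constructed sample ranks CWE-787 first (frequent and severe) even though CWE-89 has the highest average CVSS, and gives CWE-20 a score of 0.0 despite a CVSS of 7.5, because it has the lowest frequency in the data set. That second behaviour is a property of the min-max product worth keeping in mind when reading the real list: the least frequent weakness and the least severe weakness always score zero, regardless of the other factor.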
For more detailed information including methodology, rankings, scoring, and refined mappings, visit the CWE Top 25 page.