Dear CWE Community,

We are thrilled to announce that the “2023 CWE Top 25<https://cwe.mitre.org/top25/index.html>” and CWE 4.12<https://cwe.mitre.org/news/archives/news2023.html#june29_CWE_Version_4.12_Now_Available> were released for the community on June 29, 2023.
Later this week, we will be releasing the list of “On the Cusp” weaknesses (#s 26-40) that did not make the official 2023 CWE Top 25 list. We will send a separate announcement to this list once the “On the Cusp” list is released on the CWE website. The release of the 2023 CWE Top 25 list received extensive news media coverage, which we will note soon on the CWE website news page. We hope our follow-on releases of 2023 CWE Top 25 list content, such as the “On the Cusp” weaknesses for 2023, Mapping Notes for the 2023 list, etc., over the coming weeks will help to further extend community awareness and discussion of these most dangerous weaknesses over time.

2023 CWE Top 25

The “2023 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses<https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html>” (2023 CWE Top 25) is now available on the CWE website. The CWE Top 25 is calculated by analyzing public vulnerability data in the National Institute of Standards and Technology’s (NIST) U.S. National Vulnerability Database (NVD)<https://nvd.nist.gov/> for root cause mappings to CWE weaknesses for the previous two calendar years. These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working. The 2023 CWE Top 25 also incorporates updated weakness data for recent Common Vulnerabilities and Exposures (CVE®)<https://www.cve.org/> records in the dataset that are part of the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>. Trend analysis on vulnerability data like this enables organizations to make better investment and policy decisions in vulnerability management. Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk.
Over the coming weeks, the CWE Program will be publishing a series of further articles and useful information to help illustrate how vulnerability management plays an important role in shifting the balance of cybersecurity risk. These include:

* Trends in Real-World CWEs: 2019 to 2023 — A discussion of overall trends and what it means for your IT infrastructure.
* Actively Exploited — Ranking Weaknesses by CISA’s KEV Catalog.
* CWEs and Root-Cause Mapping — The path to clarifying sources of vulnerabilities as we, as a community, work to eradicate vulnerabilities from your IT infrastructure.
* CWE Top 25 Remapping Notes — The team’s root cause mapping analysis notes by CVE Record for the manually reviewed 2023 CWE Top 25 data set.

What’s Changed for the 2023 Release

There are several notable shifts in ranked positions of weakness types from last year's list, including weaknesses dropping away or making their first appearance in a CWE Top 25. Weakness types moving higher on the list include CWE-416: Use After Free<https://cwe.mitre.org/data/definitions/416.html>, CWE-862: Missing Authorization<https://cwe.mitre.org/data/definitions/862.html>, CWE-269: Improper Privilege Management<https://cwe.mitre.org/data/definitions/269.html>, and CWE-863: Incorrect Authorization<https://cwe.mitre.org/data/definitions/863.html>, while CWE-502: Deserialization of Untrusted Data<https://cwe.mitre.org/data/definitions/502.html>, CWE-798: Use of Hardcoded Credentials<https://cwe.mitre.org/data/definitions/798.html>, and CWE-276: Incorrect Default Permissions<https://cwe.mitre.org/data/definitions/276.html> moved down. Two weaknesses fell off the Top 25 list this year: CWE-400: Uncontrolled Resource Consumption<https://cwe.mitre.org/data/definitions/400.html> and CWE-611: Improper Restriction of XML External Entity Reference<https://cwe.mitre.org/data/definitions/611.html>.
Visit the Key Insights<https://cwe.mitre.org/top25/archive/2023/2023_key_insights.html> page on the CWE website for additional information.

Leveraging Real-World Data

To create the 2023 list, the CWE Program leveraged CVE Record<https://www.cve.org/> data found within NVD<https://nvd.nist.gov/> and the Common Vulnerability Scoring System (CVSS)<https://nvd.nist.gov/vuln-metrics/cvss> scores associated with each CVE Record, including a focus on CVE Records from the KEV Catalog<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>. A formula was then applied to the data to score each weakness based on prevalence and severity. The 2023 CWE Top 25 leverages NVD data from the years 2021 and 2022. A scoring formula is used to calculate a ranked order of weaknesses; it combines the frequency with which a CWE is the root cause of a vulnerability with the average severity of each of those vulnerabilities’ exploitation as measured by CVSS. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen. For more information about how the list was created and the ranking methodology, visit the Methodology: How the 2023 CWE Top 25 Most Dangerous Software Weaknesses Was Created<https://cwe.mitre.org/top25/archive/2023/2023_methodology.html> page. Be sure to also check out the CWE Top 25<https://cwe.mitre.org/top25/index.html> page on the CWE website in the coming weeks for additional articles and insight.

New Look & Feel

The CWE Top 25 section<https://cwe.mitre.org/top25/index.html> of the website was updated with a new look and feel landing page, 2023 CWE Top 25 list page, and other pages such as Key Insights, Methodology, and more. You can check out the new section of the CWE website here<https://cwe.mitre.org/top25/index.html>.
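As an added illustration of the scoring approach described under Leveraging Real-World Data (this is example code, not the CWE Program's own tooling): each CWE's frequency as a root cause and its average CVSS score are min-max normalized across all weaknesses, and the two normalized terms are multiplied and scaled to 100, following the published methodology. The CVE records below are constructed sample data, not real NVD entries.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample: (CVE id, root-cause CWE, CVSS base score). Not real records.
SAMPLE_RECORDS = [
    ("CVE-0000-0001", "CWE-787", 9.8),
    ("CVE-0000-0002", "CWE-787", 7.5),
    ("CVE-0000-0003", "CWE-787", 8.8),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 5.4),
    ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 4.3),
    ("CVE-0000-0008", "CWE-416", 9.8),
    ("CVE-0000-0009", "CWE-416", 8.1),
    ("CVE-0000-0010", "CWE-200", 4.3),
    ("CVE-0000-0011", "CWE-611", 7.1),
]


def normalize(value, lo, hi):
    """Min-max normalize into [0, 1]; with no spread there is nothing to rank on."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_weaknesses(records):
    """Return {CWE: score} where score = Fr(CWE) * Sv(CWE) * 100.

    Fr is the normalized count of CVEs mapped to the CWE; Sv is the
    normalized mean CVSS of those CVEs. A weakness that is the rarest
    seen, or whose CVEs have the lowest average severity, scores 0.
    """
    by_cwe = defaultdict(list)
    for _cve, cwe, cvss in records:
        by_cwe[cwe].append(cvss)
    counts = {cwe: len(scores) for cwe, scores in by_cwe.items()}
    avg_sev = {cwe: mean(scores) for cwe, scores in by_cwe.items()}
    min_c, max_c = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg_sev.values()), max(avg_sev.values())
    result = {}
    for cwe in by_cwe:
        fr = normalize(counts[cwe], min_c, max_c)
        sv = normalize(avg_sev[cwe], min_s, max_s)
        result[cwe] = round(fr * sv * 100, 2)
    return result


def rank_weaknesses(records):
    """Ranked list of (CWE, score), highest first; ties broken by CWE id."""
    return sorted(score_weaknesses(records).items(), key=lambda kv: (-kv[1], kv[0]))
```

Note that in this sample the single most frequent weakness (CWE-79) does not rank first: its low average severity pulls its score down, while a less common but more severe one (CWE-416) overtakes it.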
CWE Version 4.12

CWE Version 4.12<https://cwe.mitre.org/data/index.html> has been posted on the CWE List page on the CWE website to add support for the recently released “2023 CWE Top 25 Most Dangerous Software Weaknesses<https://cwe.mitre.org/top25/index.html>” list, among other updates. In addition, a detailed report<https://cwe.mitre.org/data/reports/diff_reports/v4.11_v4.12.html> is available that lists specific changes between Version 4.11 and Version 4.12.

Main Changes

CWE 4.12 includes the addition of 1 new view to support the release of the 2023 CWE Top 25<https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html>, “CWE-1425: Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses<https://cwe.mitre.org/data/definitions/1425.html>.” The software weakness types included in the 2023 CWE Top 25 also include observed examples drawn from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog<https://www.cisa.gov/known-exploited-vulnerabilities-catalog> to show relevance to real-world exploits. A new section, Vulnerability Mapping Notes, was added to all CWE entries. These notes should enable users to more accurately map vulnerabilities (e.g., CVEs) to their root cause weaknesses. Previously, mapping notes were only available in the Notes section for a small number of CWE entries. CWE 4.12 includes contributions from across the CWE community.
Some CWE entries were updated to include industrial control systems (ICS)/operational technology (OT)-specific details, including mappings to the ISA/IEC 62443<https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards> standard and categories of ICS/OT vulnerabilities, as contributed by the “Mapping CWE<https://medium.com/@CWE_CAPEC/community-actively-working-to-enhance-cwes-ics-ot-coverage-1b4f7bf0a6dd>” and “Boosting CWE<https://medium.com/@CWE_CAPEC/community-actively-working-to-enhance-cwes-ics-ot-coverage-1b4f7bf0a6dd>” subgroups of the CWE ICS/OT SIG<https://cwe.mitre.org/community/working_groups.html#ics_ot_sig>. CWE 4.12 also adds hardware-specific demonstrative examples derived from Hack@DAC 2019<https://hackat.events/dac19/>, with input from Technical University of Darmstadt, Texas A&M University, and the Hardware CWE Special Interest Group (HW CWE SIG)<https://cwe.mitre.org/community/working_groups.html#hw_sig>. In addition, there were multiple schema updates<https://cwe.mitre.org/data/reports/diff_reports/xsd_v6.10_v7.0.html> in the upgrade to the new 7.0 Schema<https://cwe.mitre.org/data/xsd/cwe_schema_v7.0.xsd>.

We are really excited about these releases, and we look forward to you diving into the 2023 CWE Top 25 and CWE Version 4.12. On behalf of the CWE Team, thank you for your continued support of the CWE Program!

Cheers,
Alec

--
Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World™
––––––––––––––––––––––––––––––––––––