Modern software security is not primarily broken by exotic zero-days. It is broken—repeatedly—by the same classes of preventable engineering mistakes.
That is why the SANS / MITRE CWE Top 25 Most Dangerous Software Weaknesses matters.
Published annually by MITRE and promoted heavily through SANS, the Top 25 is a data-driven ranking of the software weaknesses most commonly associated with real-world vulnerabilities, weighted by frequency, severity, and exploitability. The 2024/2025 rankings are based on tens of thousands of CVEs and are intended to help organizations prioritize secure development efforts. (CWE)
This article serves as the introduction to a series where we will examine each weakness in detail.
Why the Top 25 Matters
The Top 25 is valuable because it helps developers focus on the flaws that matter most:
- High prevalence – These weaknesses appear constantly in production code.
- High exploitability – Attackers know how to find and weaponize them.
- High impact – Many enable RCE, privilege escalation, data theft, or full compromise.
- Training prioritization – They provide a roadmap for secure coding education.
- Tool alignment – SAST/DAST/IAST and code review processes often map directly to them.
MITRE explicitly describes these weaknesses as the most common and impactful software flaws found in modern CVE data, often leading to total system compromise or major data exposure. (CWE)
Visual: The Top 25 at a Glance
| Rank | ID | Name | Score | CVEs in KEV | Rank Change vs. 2024 |
|---|---|---|---|---|---|
| 1 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 60.38 | 7 | 0 |
| 2 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 28.72 | 4 | +1 |
| 3 | CWE-352 | Cross-Site Request Forgery (CSRF) | 13.64 | 0 | +1 |
| 4 | CWE-862 | Missing Authorization | 13.28 | 0 | +5 |
| 5 | CWE-787 | Out-of-bounds Write | 12.68 | 12 | -3 |
| 6 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 8.99 | 10 | -1 |
| 7 | CWE-416 | Use After Free | 8.47 | 14 | +1 |
| 8 | CWE-125 | Out-of-bounds Read | 7.88 | 3 | -2 |
| 9 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 7.85 | 20 | -2 |
| 10 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 7.57 | 7 | +1 |
| 11 | CWE-120 | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | 6.96 | 0 | N/A |
| 12 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 6.87 | 4 | -2 |
| 13 | CWE-476 | NULL Pointer Dereference | 6.41 | 0 | +8 |
| 14 | CWE-121 | Stack-based Buffer Overflow | 5.75 | 4 | N/A |
| 15 | CWE-502 | Deserialization of Untrusted Data | 5.23 | 11 | +1 |
| 16 | CWE-122 | Heap-based Buffer Overflow | 5.21 | 6 | N/A |
| 17 | CWE-863 | Incorrect Authorization | 4.14 | 4 | +1 |
| 18 | CWE-20 | Improper Input Validation | 4.09 | 2 | -6 |
| 19 | CWE-284 | Improper Access Control | 4.07 | 1 | N/A |
| 20 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 4.01 | 1 | -3 |
| 21 | CWE-306 | Missing Authentication for Critical Function | 3.47 | 11 | +4 |
| 22 | CWE-918 | Server-Side Request Forgery (SSRF) | 3.36 | 0 | -3 |
| 23 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 3.15 | 2 | -10 |
| 24 | CWE-639 | Authorization Bypass Through User-Controlled Key | 2.62 | 0 | +6 |
| 25 | CWE-770 | Allocation of Resources Without Limits or Throttling | 2.54 | 0 | +1 |
The SANS / CWE Top 25 Summary
1. CWE-79 — Cross-Site Scripting (XSS)
Risk: Attackers inject JavaScript into web pages viewed by other users.
Impact: Session theft, account takeover, phishing, browser exploitation.
Prevalence: Extremely common; consistently near the top of the list.
2. CWE-787 — Out-of-Bounds Write
Risk: Writing outside allocated memory.
Impact: Memory corruption, crashes, remote code execution.
Prevalence: Dominant in memory-unsafe languages like C/C++.
3. CWE-89 — SQL Injection
Risk: Unsanitized input modifies SQL queries.
Impact: Data theft, authentication bypass, full database compromise.
Prevalence: One of the oldest and still most exploited web flaws.
4. CWE-352 — Cross-Site Request Forgery (CSRF)
Risk: Tricks authenticated users into performing unintended actions.
Impact: Unauthorized transactions/account changes.
Prevalence: Common in stateful web apps without CSRF protections.
5. CWE-22 — Path Traversal
Risk: Manipulating file paths to escape intended directories.
Impact: Arbitrary file read/write, config theft, RCE.
Prevalence: Frequent in file upload/download features.
6. CWE-125 — Out-of-Bounds Read
Risk: Reading memory beyond intended bounds.
Impact: Information disclosure, ASLR bypass, crash.
Prevalence: Common in low-level/native code.
7. CWE-78 — OS Command Injection
Risk: User input reaches shell/system commands.
Impact: Full server compromise / RCE.
Prevalence: Common in poorly designed wrappers/automation tools.
8. CWE-416 — Use After Free
Risk: Accessing memory after deallocation.
Impact: Memory corruption, RCE.
Prevalence: Major source of browser/kernel exploits.
9. CWE-862 — Missing Authorization
Risk: Functionality accessible without permission checks.
Impact: Privilege escalation / data access.
Prevalence: Extremely common in APIs/microservices.
10. CWE-434 — Unrestricted File Upload
Risk: Dangerous file types uploaded/executed.
Impact: Web shell deployment, malware hosting, RCE.
Prevalence: Common in CMS/admin panels.
11. CWE-94 — Code Injection
Risk: Attacker influences generated/interpreted code.
Impact: Arbitrary code execution.
Prevalence: Serious but less common than SQL/command injection.
12. CWE-20 — Improper Input Validation
Risk: Input not validated for type/range/format.
Impact: Gateway weakness enabling many other CWEs.
Prevalence: Nearly universal root cause category.
13. CWE-77 — Command Injection (Generic)
Risk: Improper neutralization in command contexts.
Impact: Arbitrary system command execution.
Prevalence: Common in scripts and orchestration tooling.
14. CWE-287 — Improper Authentication
Risk: Authentication mechanisms flawed or bypassable.
Impact: Unauthorized access/account takeover.
Prevalence: Common in custom auth implementations.
15. CWE-269 — Improper Privilege Management
Risk: Incorrect privilege assignments/elevation.
Impact: Escalation to admin/root/system.
Prevalence: Common in enterprise/internal apps.
16. CWE-502 — Deserialization of Untrusted Data
Risk: Unsafe object deserialization.
Impact: RCE, logic abuse, data tampering.
Prevalence: Frequent in Java/.NET/PHP ecosystems.
17. CWE-200 — Sensitive Information Exposure
Risk: Confidential data exposed unintentionally.
Impact: Credential leakage, PII breach, recon.
Prevalence: Extremely widespread.
18. CWE-863 — Incorrect Authorization
Risk: Authorization checks exist but are flawed.
Impact: Horizontal/vertical privilege escalation.
Prevalence: Common in RBAC/ABAC implementations.
19. CWE-918 — Server-Side Request Forgery (SSRF)
Risk: Server tricked into making attacker-controlled requests.
Impact: Cloud metadata theft, internal pivoting, RCE.
Prevalence: Increasing in cloud-native architectures.
20. CWE-119 — Improper Restriction of Buffer Bounds
Risk: Generic buffer overflow/underflow issues.
Impact: Memory corruption / RCE.
Prevalence: Persistent in native codebases.
21. CWE-476 — NULL Pointer Dereference
Risk: Dereferencing null pointers.
Impact: Crashes / denial of service.
Prevalence: Common coding defect; lower exploitability than others.
22. CWE-798 — Hard-Coded Credentials
Risk: Secrets embedded in code/binaries.
Impact: Credential theft / unauthorized access.
Prevalence: Common in internal tooling, IoT, legacy apps.
23. CWE-190 — Integer Overflow / Wraparound
Risk: Numeric values exceed storage limits.
Impact: Logic bypass, memory corruption, DoS.
Prevalence: Frequent in systems/native code.
24. CWE-400 — Uncontrolled Resource Consumption
Risk: No limits on memory/CPU/disk/network usage.
Impact: Denial of service.
Prevalence: Common in APIs and parsing routines.
25. CWE-306 — Missing Authentication for Critical Function
Risk: Sensitive functionality exposed without authentication.
Impact: Unauthorized admin/privileged actions.
Prevalence: Common in internal/admin/debug endpoints.
Key Themes Developers Should Notice
Several patterns emerge from the Top 25:
Input Handling Failures
Many of the Top 25 stem from untrusted input reaching dangerous sinks:
- XSS
- SQLi
- Command Injection
- Code Injection
- SSRF
Broken Access Control
Authorization/authentication flaws remain endemic:
- Missing Authorization
- Incorrect Authorization
- Improper Authentication
- Missing Authentication
Memory Safety Failures
Unsafe memory management still dominates severe RCE chains:
- Out-of-Bounds Write
- Use After Free
- Buffer Restrictions
- Integer Overflow
Unsafe Defaults / Operational Mistakes
Security often fails in design rather than implementation:
- Hard-Coded Credentials
- Dangerous File Uploads
- Sensitive Data Exposure
Final Thoughts
The SANS/CWE Top 25 is not just a vulnerability list—it is a map of the industry’s recurring engineering failures.
If your development team can systematically eliminate these 25 weakness classes:
- Your attack surface shrinks dramatically
- Your vulnerability backlog drops materially
- Your secur SDLC becomes measurable and defensible
Most organizations do not suffer breaches because of unknown attack techniques.
They suffer breaches because one of these 25 mistakes made it into production.
Coming Next in This Series
In a future article, we will begin with CWE-79: Cross-Site Scripting (XSS) and break down:
- How XSS actually works
- Why developers still get it wrong
- Modern exploitation techniques
- Framework-specific mitigations
- Secure coding examples
Sources
- MITRE CWE Top 25 Most Dangerous Software Weaknesses (CWE)
- SANS Top 25 Software Errors Overview (SANS Institute)
