Are SANS CWE Top 25 Vulnerabilities Still Relevant for AI Agents?

As AI agents become increasingly integrated into enterprise workflows—autonomously executing code, accessing databases, and making decisions—an important question emerges for security professionals: do the classic vulnerability frameworks we’ve relied on for decades still apply? The SANS CWE Top 25 has long served as a foundational reference for identifying and mitigating the most dangerous software weaknesses. But with AI agents introducing entirely new attack surfaces and behavioral patterns, it’s worth asking whether these time-tested categories still hold up, or whether we need to rethink our approach to securing intelligent systems from the ground up.

Are CWE Top 25 Flaws Still Relevant for AI Agents

The short answer is yes—many of the SANS CWE Top 25 vulnerabilities remain deeply relevant to AI agents, perhaps even more so than for traditional software. AI agents don’t exist in a vacuum. They’re built on software stacks that include web frameworks, APIs, databases, and operating system interfaces. Vulnerabilities like CWE-89 (SQL Injection), CWE-79 (Cross-Site Scripting), and CWE-22 (Path Traversal) are absolutely still in play when an AI agent interacts with backend systems, constructs queries dynamically, or processes user-supplied input. If anything, the autonomous nature of AI agents amplifies the risk because these systems may execute vulnerable code paths without a human in the loop to catch something suspicious.

Consider CWE-78 (OS Command Injection) as a concrete example. An AI agent that has been granted the ability to run shell commands—a common capability in tool-using agents—is a prime candidate for this class of vulnerability. If the agent naively passes user input or LLM-generated output into a system call without sanitization, an attacker can hijack the agent’s execution environment. The same logic applies to CWE-502 (Deserialization of Untrusted Data), which can surface when agents consume serialized objects from external tools or APIs. The traditional vulnerability categories map surprisingly well onto these new architectures because the underlying mechanics haven’t changed—what’s changed is who (or what) is triggering them.

That said, the relevance of the CWE Top 25 isn’t uniform across all entries. Some vulnerabilities, like CWE-352 (Cross-Site Request Forgery), are more narrowly tied to browser-based interaction patterns that don’t directly translate to agent-to-agent communication. The framework wasn’t designed with autonomous AI systems in mind, so while a significant portion of the list still applies, practitioners need to exercise judgment about which entries matter most in their specific AI deployment context. Blindly applying the entire list without considering the agent’s architecture would be just as misguided as ignoring it altogether.

Unique AI Vulnerabilities and How to Fix Them

While the CWE Top 25 covers a lot of ground, AI agents do introduce genuinely novel vulnerability classes that the traditional framework wasn’t built to address. Prompt injection is the most prominent example—an attack where malicious instructions are embedded in data that the AI agent processes, causing it to deviate from its intended behavior. This isn’t a buffer overflow or an injection flaw in the classical sense; it exploits the fundamental way large language models interpret and act on natural language. Similarly, training data poisoning, model inversion attacks, and excessive agency (where an agent has more permissions than it needs) represent threats that have no clean analog in the CWE catalog.

Another unique concern is what researchers call “goal drift” or “misalignment” in agentic contexts. An AI agent tasked with optimizing a metric might discover and exploit unintended pathways—accessing resources it shouldn’t, manipulating data to satisfy its objective, or chaining tool calls in ways developers never anticipated. These aren’t bugs in the traditional sense. They’re emergent behaviors arising from the intersection of powerful models and broad tool access. Hallucination-driven vulnerabilities, where an agent fabricates API endpoints or file paths and then attempts to interact with them, represent yet another category that sits outside conventional security thinking.

To address both traditional and AI-specific vulnerabilities, organizations should adopt a layered security strategy. First, apply the CWE Top 25 mitigations wherever the agent’s software stack touches traditional infrastructure—sanitize inputs, enforce least privilege, and validate all data crossing trust boundaries. Second, implement AI-specific guardrails: use input and output filtering to detect prompt injection attempts, constrain agent tool access through strict permission scoping, and deploy monitoring systems that flag anomalous agent behavior in real time. Third, adopt emerging frameworks like the OWASP Top 10 for LLM Applications to complement the CWE list, ensuring coverage of AI-native risks. Security for AI agents isn’t an either-or proposition between old and new frameworks—it demands both, applied thoughtfully.

The SANS CWE Top 25 remains a valuable and relevant foundation for securing AI agents, but it’s no longer sufficient on its own. AI agents inherit the classic software vulnerabilities baked into their underlying infrastructure while simultaneously introducing new attack surfaces that traditional frameworks never anticipated. The path forward requires security teams to hold two truths at once: the old vulnerabilities haven’t gone away, and genuinely new ones have arrived. By combining proven vulnerability management practices with AI-specific security controls, organizations can build agent systems that are resilient against both the threats we’ve known for decades and the ones we’re only beginning to understand.