Mitre has released its rundown of the most widespread and critical vulnerabilities in software, many of which are easy to find and can be exploited by cyber criminals to take over systems, steal data or crash applications and even computers.

The 2021 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses details the most common and most impactful security issues.  

The list is based on published Common Vulnerabilities and Exposures (CVE) data, as well as data from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores of the CVEs. 

Top of the list, with the highest score by some margin, is CWE-787: Out-of-bounds Write, a vulnerability where software writes past the end, or before the beginning, of the intended buffer. Like many of the vulnerabilities in the list, this can lead to corruption of data and crashing systems, as well as the ability for attackers to execute code.

“These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working,” Mitre said in a blog post. 

Mitre Corporation is a US not-for-profit organisation behind the MITRE ATT&CK framework – a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.


Second in the list is CWE-79: Improper Neutralization of Input During Web Page Generation, a cross-site scripting vulnerability in which software doesn’t correctly neutralise inputs before they are placed as outputs on a website. This can allow attackers to inject malicious script, steal sensitive information and send other malicious requests, particularly if they are able to gain administrator privileges.

Third in the list is CWE-125: Out-of-bounds Read, a vulnerability which can allow attackers to read sensitive information from other memory locations or cause a crash.
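
As an added example (not from Mitre or the original article), the C sketch below shows a single bounds check guarding against both the out-of-bounds write (CWE-787) and the out-of-bounds read (CWE-125) described above, rejecting offsets before the beginning of the buffer and ranges that run past its end. The function names and the 16-byte sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 only when the range [off, off + len) lies inside a buffer of
   cap bytes. The subtraction form avoids overflow in off + len. */
static int in_bounds(size_t cap, ptrdiff_t off, size_t len) {
    if (off < 0) return 0;                /* before the beginning */
    if ((size_t)off > cap) return 0;      /* starts past the end */
    return len <= cap - (size_t)off;      /* 0 if it would run past the end */
}

/* CWE-787 guard (hypothetical helper): write len bytes at off, or refuse. */
int checked_write(uint8_t *dst, size_t cap, ptrdiff_t off,
                  const uint8_t *src, size_t len) {
    if (!in_bounds(cap, off, len)) return -1;
    memcpy(dst + off, src, len);
    return 0;
}

/* CWE-125 guard (hypothetical helper): read len bytes at off, or refuse. */
int checked_read(const uint8_t *src, size_t cap, ptrdiff_t off,
                 uint8_t *out, size_t len) {
    if (!in_bounds(cap, off, len)) return -1;
    memcpy(out, src + off, len);
    return 0;
}

int main(void) {
    uint8_t buf[16] = {0};                       /* constructed sample buffer */
    const uint8_t src[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t out[8];

    printf("write at 8:  %d\n", checked_write(buf, sizeof buf, 8, src, 8));
    printf("write at 9:  %d\n", checked_write(buf, sizeof buf, 9, src, 8));
    printf("write at -1: %d\n", checked_write(buf, sizeof buf, -1, src, 8));
    printf("read at 12:  %d\n", checked_read(buf, sizeof buf, 12, out, 8));
    return 0;
}
```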

While many of the vulnerabilities are potentially very damaging if they’re discovered and exploited by cyber criminals, the weaknesses can often be countered, particularly those for which a security patch is available. Applying security patches to fix known vulnerabilities is one of the key things that organisations can do to help protect their networks from cyber attacks and intrusions.

The 2021 CWE Top 25 uses NVD data from the years 2019 and 2020, which consists of approximately 32,500 CVEs that are associated with a weakness. The full list is available on the CWE website.
