OWASP Top 10 2025 Release and Key Changes
The Open Worldwide Application Security Project (OWASP) unveiled the 2025 edition of its Top 10 list of critical risks to web applications at the Global AppSec conference in Washington, D.C. This update, the first since 2021, reflects a significant shift in focus from individual code-level vulnerabilities to broader, systemic risks. Notable changes include the merging and redefinition of previous categories, the elevation of Security Misconfiguration to the second position, and the introduction of a new risk: "Mishandling of Exceptional Conditions." The list is the result of a community-driven process involving extensive data analysis and industry feedback, and is intended as a starting point for organizations to build robust security programs.
Industry experts highlight that the 2025 Top 10 is now more aligned with the concerns of CISOs and security leaders, emphasizing risks such as software supply chain failures and security misconfigurations. The inclusion of these categories reflects the growing importance of third-party software and deployment practices in the modern threat landscape. While the list serves as a guide for prioritizing risk, it is not meant to be a compliance checklist but rather a strategic tool for organizations to address the most pressing security challenges in web application development and deployment.
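To make the new category concrete, the following Python example is added here; it is not code from OWASP or from any of the reports cited on this page. It shows the kind of defect "Mishandling of Exceptional Conditions" covers: a permission check that swallows an unexpected error and returns a permissive default grants access exactly when the system knows least about the caller (fail open), while the hardened version denies on any error and logs it so the outage is visible to detection (fail closed). The `PolicyStore` class, its sample grants and the simulated backend outage are all constructed for this example.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("authz")


class PolicyLookupError(Exception):
    """Raised when the policy backend cannot answer (timeout, corrupt data, ...)."""


@dataclass
class PolicyStore:
    """Constructed stand-in for an authorization backend."""

    # Constructed sample data: user -> resources that user may read.
    grants: dict = field(
        default_factory=lambda: {"alice": {"report-1"}, "bob": set()}
    )
    # Users for whom the backend "fails" (constructed to simulate an outage).
    broken_for: set = field(default_factory=set)

    def allowed_resources(self, user: str) -> set:
        if user in self.broken_for:
            raise PolicyLookupError(f"policy backend unavailable for {user}")
        if user not in self.grants:
            raise KeyError(user)  # unknown principal
        return self.grants[user]


def can_read_fail_open(store: PolicyStore, user: str, resource: str) -> bool:
    """Vulnerable pattern: every exception is treated as 'no restriction'.

    A backend outage or an unknown user yields True, i.e. access is granted
    precisely when the check could not be performed.
    """
    try:
        return resource in store.allowed_resources(user)
    except Exception:
        return True  # mishandled exceptional condition


def can_read_fail_closed(store: PolicyStore, user: str, resource: str) -> bool:
    """Hardened pattern: unexpected conditions deny and are logged.

    Only a successful lookup can grant; every failure mode maps to False and
    leaves a record that operations and detection can act on.
    """
    try:
        return resource in store.allowed_resources(user)
    except PolicyLookupError as exc:
        log.error("authz denied %s on %s: backend error: %s", user, resource, exc)
        return False
    except KeyError:
        log.warning("authz denied unknown user %r on %s", user, resource)
        return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    store = PolicyStore(broken_for={"carol"})
    for user in ("alice", "bob", "carol", "nobody"):
        print(
            f"{user:7} fail-open={can_read_fail_open(store, user, 'report-1')!s:5} "
            f"fail-closed={can_read_fail_closed(store, user, 'report-1')}"
        )
```

Running the block shows the two functions agree for users the backend can answer about and disagree only on the error paths, which is where the category's risk lives: the fail-open check returns True for the user whose lookup raised and for the user the store has never heard of.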

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
OWASP confirms broken access control remains the top risk
Subsequent reporting on the 2025 update emphasized that broken access control continued to hold the top position in the OWASP Top 10. Despite the other changes to the list, the highest-ranked application security issue was therefore unchanged from the 2021 edition.
OWASP 2025 Top 10 adds software supply chain failures
Coverage of the 2025 list noted that software supply chain failures were added as a new category and described as a leading community concern. Multiple reports highlighted this as one of the most significant changes in the updated rankings.
OWASP releases the 2025 Top 10 application security risks list
OWASP published its 2025 Top 10 update for application security risks, a revised ranking highlighted across multiple reports and conference coverage. The update modernized the list and reflected current risk trends in software and web application security.
Sources
OWASP Top 10: Broken access control still tops app security list (go.theregister.com)
OWASP Highlights Supply Chain Risks in New Top 10 (darkreading.com)
OWASP 2025 Top 10 Adds Software Supply Chain Failures, Ranked Top Community Concern (socket.dev)
OWASP Global AppSec conference: The new Top 10 list (scworld.com)
Comparing the OWASP Top 10 2025 with Real-World Pentest Data (cobalt.io)
The OWASP Top 10 Gets Modernized (resilientcyber.io)