OWASP Top 10 2025 Release and Key Changes
The Open Worldwide Application Security Project (OWASP) unveiled the 2025 edition of its Top 10 list of critical risks to web applications at the Global AppSec conference in Washington, D.C. This update, the first since 2021, reflects a significant shift in focus from individual code-level vulnerabilities to broader, systemic risks. Notable changes include the merging and redefinition of previous categories, the elevation of Security Misconfiguration to the second position, and the introduction of a new risk: "Mishandling of Exceptional Conditions." The list is the result of a community-driven process involving extensive data analysis and industry feedback, and is intended as a starting point for organizations to build robust security programs.
Industry experts highlight that the 2025 Top 10 is now more aligned with the concerns of CISOs and security leaders, emphasizing risks such as software supply chain failures and security misconfigurations. The inclusion of these categories reflects the growing importance of third-party software and deployment practices in the modern threat landscape. While the list serves as a guide for prioritizing risk, it is not meant to be a compliance checklist but rather a strategic tool for organizations to address the most pressing security challenges in web application development and deployment.
Sources
1 more from sources like resilient cyber blog
Related Stories
MITRE and CISA Release 2025 Top 25 Most Dangerous Software Weaknesses
MITRE, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the Homeland Security Systems Engineering and Development Institute (HSSEDI), has published the 2025 list of the Top 25 Most Dangerous Software Weaknesses. This annual ranking is based on the analysis of over 39,000 CVE records from June 2024 to June 2025, scoring each weakness by severity and frequency. The list highlights critical software flaws such as Cross-Site Scripting (CWE-79), SQL Injection (CWE-89), and Cross-Site Request Forgery (CWE-352), with notable changes in rankings and several new entries including various buffer overflows and improper access control issues. CISA emphasizes the importance of this list for organizations aiming to reduce vulnerabilities, improve cost efficiency by addressing weaknesses early in the software lifecycle, and strengthen trust through Secure by Design principles. The Top 25 serves as a guide for developers, product teams, and consumers to prioritize mitigation efforts, make informed purchasing decisions, and adopt secure engineering practices to protect against the most commonly exploited software weaknesses.
3 months agoCritical Vulnerabilities and Exploitation Trends in 2025
Security researchers highlighted several high-impact vulnerabilities that shaped the threat landscape in 2025, including unauthenticated remote code execution flaws in widely used platforms such as React Server Components (CVE-2025-55182), SAP NetWeaver (CVE-2025-31324), PAN-OS (CVE-2025-0108), Cisco IOS XE (CVE-2025-20188), and Erlang/OTP SSH (CVE-2025-32433). These vulnerabilities were notable for their rapid exploitation following public disclosure, with attackers leveraging unauthenticated access and broad software reach to maximize impact. The year saw a shift in attacker focus, with perimeter devices and enterprise software becoming primary entry points, and defenders were forced to respond quickly as the window between disclosure and exploitation narrowed. In December 2025, Microsoft released one of its lightest Patch Tuesday updates, addressing 56 new CVEs. Despite the lower volume, security experts emphasized the importance of prioritizing vulnerabilities that were already exploited, publicly disclosed, or rated as critical with a high likelihood of exploitation. The analysis provided actionable intelligence for defenders, including technology-specific threat insights and resources for mitigating risk. The convergence of these trends underscored the need for rapid vulnerability management and highlighted recurring blind spots in enterprise defense strategies.
2 months agoOWASP Releases Top Ten Security Threats for AI Agents
The Open Web Application Security Project (OWASP) has officially published its inaugural list of the top ten security threats facing agentic artificial intelligence (AI) applications. Announced at Black Hat Europe 2025, the list highlights risks such as agent goal hijacking, privilege abuse, unexpected code execution, insecure inter-agent communication, and memory/context poisoning. Alongside the list, OWASP released governance and security guides for AI agents, a visual risk map for open-source and commercial agentic AI tools, and a Capture The Flag application (FinBot) to help cybersecurity teams practice defending against these threats. The initiative aims to help organizations understand and mitigate the rapidly expanding attack surface introduced by the proliferation of AI agents across enterprise environments. Industry experts, including members of the Agentic Security Initiative (ASI) Distinguished Review Board, have emphasized the significance of this release, noting the growing adoption of agentic AI in sectors such as GRC, AppSec, and SecOps, as well as its exploitation by malicious actors. The OWASP Top 10 for Agentic Applications is positioned as a foundational resource for security leaders, developers, and practitioners to assess and address the unique risks posed by autonomous AI agents, supplementing previous OWASP projects focused on web applications and large language models. The publication is expected to drive further research, awareness, and best practices in securing agentic AI systems as their use becomes more widespread.
3 months ago