Persistent Software Weaknesses Highlighted by MITRE and the Role of Vulnerability Databases
MITRE’s 2025 CWE Top 25 Most Dangerous Software Weaknesses report reveals that foundational coding errors, such as cross-site scripting and SQL injection, continue to be the primary causes of real-world breaches. Despite advancements in security tools, DevSecOps practices, and increased awareness, the same core weaknesses are repeatedly exploited, underscoring a systemic failure to address root causes in software development. The report emphasizes that organizations focusing solely on patching individual CVEs without addressing underlying CWEs remain vulnerable to recurring threats, as these weaknesses represent the fundamental flaws attackers leverage most frequently.
Vulnerability databases play a critical role in cataloging known software vulnerabilities, but they are not comprehensive and often suffer from delayed updates and incomplete coverage. Transparency in vulnerability disclosure is essential for trust, yet many vulnerabilities remain unregistered due to complex reporting processes and disincentives for public disclosure. Security professionals are advised to use vulnerability databases as one tool among many, recognizing their limitations and the importance of proactive security testing and defense-in-depth strategies to mitigate risks from persistent software weaknesses.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
MITRE publishes CWE Top 25 Most Dangerous Software Weaknesses for 2025
MITRE released its 2025 CWE Top 25 list, ranking the most dangerous software weaknesses based on analysis of nearly 40,000 CVEs from a one-year period. The report highlighted the continued prevalence of long-standing issues such as XSS, SQL injection, buffer overflows, authorization failures, file handling flaws, and deserialization bugs.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
MITRE and CISA Release 2025 Top 25 Most Dangerous Software Weaknesses
MITRE, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the Homeland Security Systems Engineering and Development Institute (HSSEDI), has published the 2025 list of the Top 25 Most Dangerous Software Weaknesses. This annual ranking is based on the analysis of over 39,000 CVE records from June 2024 to June 2025, scoring each weakness by severity and frequency. The list highlights critical software flaws such as Cross-Site Scripting (CWE-79), SQL Injection (CWE-89), and Cross-Site Request Forgery (CWE-352), with notable changes in rankings and several new entries including various buffer overflows and improper access control issues. CISA emphasizes the importance of this list for organizations aiming to reduce vulnerabilities, improve cost efficiency by addressing weaknesses early in the software lifecycle, and strengthen trust through Secure by Design principles. The Top 25 serves as a guide for developers, product teams, and consumers to prioritize mitigation efforts, make informed purchasing decisions, and adopt secure engineering practices to protect against the most commonly exploited software weaknesses.
Mar 21, 2026
Supply Chain and Vulnerability Data Gaps Undermining Security Programs
A recent ISC2 survey of over 1,000 cybersecurity professionals highlights growing concern about the risks introduced by expanding vendor ecosystems and supply chain sprawl. Nearly 70% of organizations are worried about third-party supplier risks, with the highest concern in enterprises and sectors handling sensitive data such as finance and government. Lack of visibility into vendor and subcontractor security practices remains a critical challenge, with many organizations relying on trust rather than verification. One in three respondents reported experiencing a vendor-related security incident in the past two years, yet almost half did not feel a direct impact, raising questions about continuity and the reliability of vendor security claims. Compounding these risks, a Sonatype analysis reveals that the vulnerability scoring infrastructure, particularly the NVD and CVE programs, is failing to keep pace with modern software development practices. In 2025, 64% of open source CVEs lacked a CVSS score in the NVD, forcing security teams to make risk decisions with incomplete data. Discrepancies in severity ratings and significant delays—averaging six weeks between disclosure and scoring—undermine the effectiveness of automated security tools and response cycles. These gaps in both supply chain visibility and vulnerability intelligence are eroding confidence in the data that underpins security programs, increasing the likelihood of both missed threats and wasted resources.
May 6, 2026
Critical Vulnerabilities and Exploitation Trends in 2025
Security researchers highlighted several high-impact vulnerabilities that shaped the threat landscape in 2025, including unauthenticated remote code execution flaws in widely used platforms such as React Server Components (CVE-2025-55182), SAP NetWeaver (CVE-2025-31324), PAN-OS (CVE-2025-0108), Cisco IOS XE (CVE-2025-20188), and Erlang/OTP SSH (CVE-2025-32433). These vulnerabilities were notable for their rapid exploitation following public disclosure, with attackers leveraging unauthenticated access and broad software reach to maximize impact. The year saw a shift in attacker focus, with perimeter devices and enterprise software becoming primary entry points, and defenders were forced to respond quickly as the window between disclosure and exploitation narrowed. In December 2025, Microsoft released one of its lightest Patch Tuesday updates, addressing 56 new CVEs. Despite the lower volume, security experts emphasized the importance of prioritizing vulnerabilities that were already exploited, publicly disclosed, or rated as critical with a high likelihood of exploitation. The analysis provided actionable intelligence for defenders, including technology-specific threat insights and resources for mitigating risk. The convergence of these trends underscored the need for rapid vulnerability management and highlighted recurring blind spots in enterprise defense strategies.
Mar 21, 2026