
2022 SANS/CWE Top 25 Most Dangerous Software Weaknesses

2022 list of the SANS/CWE Top 25 dangerous software weaknesses, highlighting key risks and preventive measures.

Introduction

Welcome to the 2022 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses list (CWE™ Top 25). This list highlights the most common and impactful software weaknesses that can be easily exploited, leading to vulnerabilities that allow attackers to take control of systems, steal data, or disrupt applications.

The CWE Top 25 is a valuable resource for professionals in the software industry who are involved in architecture, design, development, testing, project management, security research, education, and standards development. It helps them understand and mitigate risks associated with these weaknesses.

To create this list, the CWE Team utilized data from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE®) system. They also considered the Common Vulnerability Scoring System (CVSS) scores associated with each CVE Record, with a focus on records from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. A scoring formula was applied to assess the prevalence and severity of each weakness.

The dataset used for the 2022 Top 25 analysis consisted of 37,899 CVE Records from the past two calendar years.

The CWE Top 25

Below is a list of the weaknesses in the 2022 CWE Top 25, including the overall score of each. The KEV Count (CVEs) shows the number of CVE-2020/CVE-2021 Records from the CISA KEV list that were mapped to the given weakness.

| Rank | ID | Name | Score | KEV Count (CVEs) | Rank Change vs. 2021 |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | 64.20 | 62 | 0 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.97 | 2 | 0 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 22.11 | 7 | +3 |
| 4 | CWE-20 | Improper Input Validation | 20.63 | 20 | 0 |
| 5 | CWE-125 | Out-of-bounds Read | 17.67 | 1 | -2 |
| 6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 17.53 | 32 | -1 |
| 7 | CWE-416 | Use After Free | 15.50 | 28 | 0 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.08 | 19 | 0 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | 0 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56 | 6 | 0 |
| 11 | CWE-476 | NULL Pointer Dereference | 7.15 | 0 | +4 |
| 12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | +1 |
| 13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | -1 |
| 14 | CWE-287 | Improper Authentication | 6.35 | 4 | 0 |
| 15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | +1 |
| 16 | CWE-862 | Missing Authorization | 5.53 | 1 | +2 |
| 17 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 5.42 | 5 | +8 |
| 18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | -7 |
| 19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85 | 6 | -2 |
| 20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | -1 |
| 21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | +3 |
| 22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 3.57 | 6 | +11 |
| 23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | +4 |
| 24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | -1 |
| 25 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 3.32 | 4 | +3 |

Analysis and Comment

Key Points

There have been significant shifts in the ranked positions of weakness types in this year's Top 25 list. Several weaknesses have dropped off the list or made their first appearance. The biggest upward movers include CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), CWE-94 (Improper Control of Generation of Code), CWE-400 (Uncontrolled Resource Consumption), CWE-77 (Improper Neutralization of Special Elements used in a Command), and CWE-476 (NULL Pointer Dereference). The biggest downward movers are CWE-306 (Missing Authentication for Critical Function), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-522 (Insufficiently Protected Credentials), and CWE-732 (Incorrect Permission Assignment for Critical Resource). Additionally, there are new entries in the Top 25, and some weaknesses have fallen off the list.

General Insight

The Top 25 list is transitioning towards more specific weaknesses at the Base level. The number of unique Class-level weaknesses is decreasing, while the percentage of mappings used to generate the list has also declined. The data from previous years shows a higher percentage of mappings to classes, but the focus has shifted towards more extensive analysis of Base-level weaknesses. The goal of the CWE Program is to provide greater specificity through Base-level weaknesses in the Top 25, as they are more informative and practical for mitigation. The shifts in the rankings can be attributed to the prioritization of remapping activities. For more information, refer to the "Remapping Task" section.

| Year | 2019 | % | 2020 | % | 2021 | % | 2022 | % |
|---|---|---|---|---|---|---|---|---|
| Unique Class/Pillar CWEs | 7 | 28% | 9 | 36% | 8 | 32% | 7 | 28% |
| Unique Base/Variant/Compound CWEs | 18 | 72% | 16 | 64% | 17 | 68% | 18 | 72% |
| Mappings to Class | 9548 | 43% | 6450 | 30% | 3058 | 17% | 3626 | 16% |
| Mappings to Base/Var/Comp | 12411 | 57% | 14772 | 70% | 14839 | 83% | 19254 | 84% |
| Total Maps with Top 25 CWEs | 21959 | - | 21222 | - | 17897 | - | 22880 | - |
| Maps to All CWEs | 26341 | - | 27168 | - | 24282 | - | 30681 | - |
| Maps to Bases | 10919 | 50% | 12988 | 61% | 13291 | 74% | 17386 | 76% |
| Maps to Variants | 799 | 4% | 918 | 4% | 807 | 5% | 1021 | 4% |
| Maps to Compounds | 693 | 3% | 866 | 4% | 741 | 4% | 847 | 4% |

The table represents the changes in mappings and weaknesses from 2019 to 2022.

Methodology Overview

The 2022 CWE Top 25 list was compiled by analyzing public vulnerability data from the NVD. The data used for the list was obtained from the Known Exploited Vulnerabilities (KEV) Catalog, which was established in accordance with the Binding Operational Directive 22-01 by CISA in November 2021. The KEV Catalog serves as a reliable source of vulnerabilities that have been exploited in real-world situations.

To rank the weaknesses, a scoring formula was applied, taking into consideration the frequency of a CWE being the root cause of a vulnerability, as well as the average severity of the exploitation of those vulnerabilities as measured by CVSS. Both the frequency and severity metrics were normalized against the minimum and maximum values observed.

The resulting metrics, known as "NVD Count" and "Avg CVSS", present the frequency and average severity of each weakness, respectively.
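The published Top 25 methodology combines the two metrics as Score = Fr × Sv × 100, where Fr is the NVD Count and Sv the Avg CVSS, each min-max normalized against the values observed across the whole dataset. The following is an added example written for this page, not the CWE Team's tooling; it embeds the NVD Count and Avg CVSS figures for the first ten entries from the scoring table and uses assumed dataset-wide bounds (the page does not publish the minimum and maximum values, so ASSUMED_COUNT_BOUNDS and ASSUMED_CVSS_BOUNDS are hypothetical) that closely reproduce the page's scores. It also shows the pitfall of deriving the bounds from a small subset, which is what you would do when building a custom Top-N list such as the KEV-only ranking described later: the least frequent and least severe entries score exactly zero.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CweStats:
    cwe: str
    nvd_count: int   # CVE Records in the dataset mapped to this CWE ("NVD Count")
    avg_cvss: float  # mean CVSS of those records ("Avg CVSS")


# NVD Count and Avg CVSS for the first ten entries, copied from the page's
# scoring table (the remainder of the dataset is not on the page).
TOP_TEN_2022 = [
    CweStats("CWE-787", 4123, 7.93),
    CweStats("CWE-79", 4740, 5.73),
    CweStats("CWE-89", 1263, 8.66),
    CweStats("CWE-20", 1520, 7.19),
    CweStats("CWE-125", 1489, 6.54),
    CweStats("CWE-78", 999, 8.67),
    CweStats("CWE-416", 1021, 7.79),
    CweStats("CWE-22", 1010, 7.32),
    CweStats("CWE-352", 847, 7.20),
    CweStats("CWE-434", 551, 8.61),
]

# Dataset-wide (min, max) used for normalization. ASSUMED values, not published
# on the page: 4740 is the largest count in the table (CWE-79); the other three
# are hypothetical but bring the scores close to the published ones.
ASSUMED_COUNT_BOUNDS = (1, 4740)
ASSUMED_CVSS_BOUNDS = (2.1, 10.0)

Bounds = Tuple[float, float]


def min_max(value: float, bounds: Bounds) -> float:
    """Scale value into [0, 1] against the observed (min, max)."""
    lo, hi = bounds
    if hi == lo:
        return 0.0  # degenerate dataset: every entry shares the same value
    return (value - lo) / (hi - lo)


def score(stats: CweStats, count_bounds: Bounds, cvss_bounds: Bounds) -> float:
    """Score = Fr * Sv * 100 with Fr, Sv the normalized frequency and severity."""
    fr = min_max(stats.nvd_count, count_bounds)
    sv = min_max(stats.avg_cvss, cvss_bounds)
    return fr * sv * 100.0


def rank(entries: List[CweStats],
         count_bounds: Optional[Bounds] = None,
         cvss_bounds: Optional[Bounds] = None) -> List[Tuple[str, float]]:
    """Rank entries by score, highest first, scores rounded to two decimals.

    When bounds are omitted they are derived from `entries` themselves, which is
    what the methodology does over the full NVD dataset. Doing the same over a
    small subset zeroes out whichever entries sit at the subset's extremes.
    """
    if count_bounds is None:
        counts = [e.nvd_count for e in entries]
        count_bounds = (min(counts), max(counts))
    if cvss_bounds is None:
        cvss = [e.avg_cvss for e in entries]
        cvss_bounds = (min(cvss), max(cvss))
    scored = [(e.cwe, round(score(e, count_bounds, cvss_bounds), 2)) for e in entries]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("dataset-wide bounds (assumed):")
    for cwe, s in rank(TOP_TEN_2022, ASSUMED_COUNT_BOUNDS, ASSUMED_CVSS_BOUNDS):
        print(f"  {cwe:8} {s:6.2f}")
    print("bounds derived from the ten-entry subset:")
    for cwe, s in rank(TOP_TEN_2022):
        print(f"  {cwe:8} {s:6.2f}")
```

Under the assumed bounds the ten entries come out in the same order as the published table. Under subset-derived bounds CWE-434 (lowest count in the subset) and CWE-79 (lowest average CVSS in the subset) both score 0.00, which is why a KEV-only or vendor-only ranking should be read as a relative ordering within that set rather than compared score-for-score with the overall list.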

The CWE Top 25 with Scoring Metrics

The following table shows the 2022 CWE Top 25 List with relevant scoring information, including the number of entries related to a particular CWE within the NVD data set, and the average CVSS score for each vulnerability mapped to a specific weakness.

| Rank | CWE | NVD Count | Avg CVSS | Overall Score |
|---|---|---|---|---|
| 1 | CWE-787 | 4123 | 7.93 | 64.20 |
| 2 | CWE-79 | 4740 | 5.73 | 45.97 |
| 3 | CWE-89 | 1263 | 8.66 | 22.11 |
| 4 | CWE-20 | 1520 | 7.19 | 20.63 |
| 5 | CWE-125 | 1489 | 6.54 | 17.67 |
| 6 | CWE-78 | 999 | 8.67 | 17.53 |
| 7 | CWE-416 | 1021 | 7.79 | 15.50 |
| 8 | CWE-22 | 1010 | 7.32 | 14.08 |
| 9 | CWE-352 | 847 | 7.20 | 11.53 |
| 10 | CWE-434 | 551 | 8.61 | 9.56 |
| 11 | CWE-476 | 611 | 6.49 | 7.15 |
| 12 | CWE-502 | 378 | 8.73 | 6.68 |
| 13 | CWE-190 | 452 | 7.52 | 6.53 |
| 14 | CWE-287 | 412 | 7.88 | 6.35 |
| 15 | CWE-798 | 333 | 8.48 | 5.66 |
| 16 | CWE-862 | 468 | 6.53 | 5.53 |
| 17 | CWE-77 | 325 | 8.36 | 5.42 |
| 18 | CWE-306 | 328 | 8.00 | 5.15 |
| 19 | CWE-119 | 323 | 7.73 | 4.85 |
| 20 | CWE-276 | 368 | 7.04 | 4.84 |
| 21 | CWE-918 | 317 | 7.16 | 4.27 |
| 22 | CWE-362 | 301 | 6.56 | 3.57 |
| 23 | CWE-400 | 277 | 6.93 | 3.56 |
| 24 | CWE-611 | 232 | 7.58 | 3.38 |
| 25 | CWE-94 | 192 | 8.60 | 3.32 |

Weaknesses On the Cusp

Per the scoring formula, the weaknesses in the following table were not severe enough or prevalent enough to be included in the 2022 CWE Top 25. However, individuals should still consider these weaknesses in their analyses as any weakness can become an exploitable vulnerability under the right conditions.

| Rank | CWE | Name | NVD Count | Avg CVSS | Overall Score | KEV Count (CVEs) | Rank Change vs. 2021 |
|---|---|---|---|---|---|---|---|
| 26 | CWE-295 | Improper Certificate Validation | 242 | 6.95 | 3.12 | 2 | 0 |
| 27 | CWE-427 | Uncontrolled Search Path Element | 211 | 7.66 | 3.12 | 0 | +7 |
| 28 | CWE-863 | Incorrect Authorization | 250 | 6.76 | 3.10 | 0 | +10 |
| 29 | CWE-269 | Improper Privilege Management | 207 | 7.67 | 3.06 | 3 | 0 |
| 30 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 212 | 7.31 | 2.93 | 1 | -8 |
| 31 | CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | 173 | 8.34 | 2.87 | 10 | +5 |
| 32 | CWE-668 | Exposure of Resource to Wrong Sphere | 230 | 6.48 | 2.68 | 0 | +21 |
| 33 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 241 | 5.99 | 2.49 | 2 | -13 |
| 34 | CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | 140 | 8.77 | 2.48 | 0 | new |
| 35 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | 230 | 6.04 | 2.41 | 0 | +2 |
| 36 | CWE-401 | Missing Release of Memory after Effective Lifetime | 195 | 6.71 | 2.39 | 0 | -4 |
| 37 | CWE-59 | Improper Link Resolution Before File Access ('Link Following') | 183 | 7.00 | 2.38 | 4 | -6 |
| 38 | CWE-522 | Insufficiently Protected Credentials | 180 | 6.80 | 2.25 | 0 | -17 |
| 39 | CWE-319 | Cleartext Transmission of Sensitive Information | 174 | 6.74 | 2.15 | 0 | -4 |
| 40 | CWE-312 | Cleartext Storage of Sensitive Information | 182 | 6.25 | 2.01 | 0 | +1 |

These entries dropped from the Top 25 in 2021 to the 'On the Cusp' list in 2022:

  • CWE-732 (Incorrect Permission Assignment for Critical Resource): from #22 to #30
  • CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): from #20 to #33
  • CWE-522 (Insufficiently Protected Credentials): from #21 to #38

These entries are newly 'On the Cusp' in 2022:

  • CWE-668 (Exposure of Resource to Wrong Sphere): from #53 to #32. It is not clear why such an increase has occurred since this is a class-level entry.
  • CWE-312 (Cleartext Storage of Sensitive Information): from #41 to #40.
  • CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')): new to the list at #34. This entry was recently added to CWE and NVD View-1003, so it was not mapped in previous years.

These entries were 'On the Cusp' in 2021 but have dropped out in 2022:

  • CWE-770 (Allocation of Resources Without Limits or Throttling): from #40 to #42
  • CWE-532 (Insertion of Sensitive Information into Log File): from #39 to #49
  • CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')): from #30 to #55

Remapping Task

To prepare the CVE/NVD data for analysis, the NVD entries were reviewed and the CWE mappings of these entries were "remapped" to the correct weakness, as appropriate. A "normalization" process converts selected weaknesses to the lowest-level CWE available in View-1003. For example, CWE-122: Heap-Based Buffer Overflow is not in View-1003, so it is "normalized" to its parent base-level weakness, CWE-787: Out-of-Bounds Write, which is in View-1003.

This year's remapping work was completed for 7,359 CVE Records in preparation for the 2022 Top 25 List. This year's analysis included CVE-2020-xxxx Records that had not been analyzed in 2021, as well as all CVE-2021-xxxx IDs that were published. This year's remappings were combined with 6,746 CVE-2020-xxxx remappings that had previously been done for 2021's Top 25, resulting in a total of 14,032 unique CVEs that were remapped across the last two years. This year's remapped data has been shared with NIST so that they can update their CVE Records within NVD.

The following is an overview of the process:

  • Download a "snapshot" of NVD data from 2020 and 2021 and perform initial analysis. Snapshots were pulled several times in the ramp-up to the Top 25 publication, all of which introduced more CVE Records to analyze. In an attempt to start Top 25 remapping sooner than in previous years, the CWE Team obtained an initial snapshot on December 7, 2021 and used it for most remapping analyses until May. A final snapshot was downloaded on June 13, 2022 to generate the final Top 25 rankings. Any new CVEs found in the June 13, 2022 snapshot were not analyzed by the Top 25 team for consideration in the 2022 Top 25.

  • As with previous years, a subset of all CVEs was automatically selected for remapping. Groups of approximately 50 CVEs were broken into "batches" that shared certain commonalities, e.g., buffer overflows, injection, or sources generally known to publish minimal details that are highly likely to produce an NVD entry with no mapping to the underlying CWE unless there is a reference from an independent third party. Top 25 Team members were assigned different batches based on their interest, relevant experience, expected complexity, and overall prioritization by team leads.

  • In early rounds of remapping, batches were formed by performing automated keyword searches to suggest CVE Records that might have been incorrectly mapped. For example, some CVE Records were mapped to the higher-level CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), but phrases related to 'out-of-bounds read' were automatically discoverable within their CVE descriptions. In those cases, mapping to the lower level CWE-125 (Out-of-bounds Read) is considered more appropriate. If a keyword match suggested a CWE ID that was already mapped within NVD, then the match was not reviewed.

  • The keyword matcher was extended to detect potential mappings for many more CWE entries, including some that had only been created in the past year or two. In 2021, a related matcher was created to look for actual names of CWE entries within CVE descriptions; it was surprisingly successful in 2022 as well, indicating adoption of CWE-based names, whether intentional or not.

  • The highest-ranking classes were identified based on a snapshot calculation of the Top 25 using the original NVD data from December 7, then investigated more closely. There were six classes that appeared in an initial Top 25 calculation: CWE-20, CWE-269, CWE-200, CWE-284, CWE-119, and CWE-400. While four of these classes had already been seen in 2021, CWE-284 and CWE-400 were new. These "top 6" classes were added to a focus group and divided into batches.

  • Additional subject areas were chosen for emphasis. This year's emphasis included access control, injection, cryptography/randomness, and remaining miscellaneous "high-level" classes that ranked from #26 to 50 in the snapshot (CWE-668 and CWE-755). Cryptography remaps had been investigated for the first time in 2021, so it seemed reasonable to reinvestigate for 2022. Access control was also targeted because of the prevalence of class-level access-control issues in the 2021 Top 25 and On the Cusp, as well as a suspicion that mappings would be inconsistent, which turned out to be true. Note: CWE-284 (the Pillar-level CWE for improper access control) had already been included in the focus group mentioned previously, so it was not part of this emphasis round. It should also be noted that CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - a child of the Pillar CWE-691: Insufficient Control Flow Management - was inadvertently omitted from this selection, although it ranked in the mid-30s in the initial snapshot.

  • Deeper analysis was performed in areas suspected to have mapping inaccuracies, especially injection and access control. This typically involved looking more closely at references than in past years. For example, analysis in 2021 and earlier years showed that mappings to CWE-74 and CWE-77 had a good chance of being more precisely related to CWE-78 when analyzing references. This pattern was also seen in 2022.

  • Categories were not separately remapped, as there were few CVEs remaining that still mapped to categories. However, they were often included in other groups such as cryptography or keyword matches. It should be noted that some CNA sources still used categories in 2022 data.

  • The manual mapping process was improved with automated tooling and annotations. These improvements included automated syntax checks for manually-edited remapping reports provided by analysts, automated scraping of reference URLs for CWE IDs and keyword matches, and support for shifting CVE Records between different "analysis batches" to deprioritize or reassign CVEs that presented more complex analysis challenges.

  • Detailed mapping guidance was created or enhanced for groups of related weaknesses and commonly-encountered mapping errors. These went into a greater level of detail than the publicly-available CWE Mapping Guidance.
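Two of the steps above lend themselves to a small worked example: the "normalization" of a mapping to the lowest View-1003 ancestor (the CWE-122 to CWE-787 case in the Remapping Task introduction) and the keyword search that suggests a more specific CWE, skipping any match whose CWE NVD already has on the record. The code below is an added illustration written for this page, not the CWE Team's tooling. It models only a handful of View-1003 members and ChildOf edges (the CWE-122 edge is the page's own example; the others are standard CWE relations, but the tables are a constructed subset), uses three constructed CVE records with placeholder IDs, and uses a short keyword list that stands in for the much larger matcher the page describes.

```python
import re
from typing import Dict, List, Optional

# Constructed subset of View-1003 membership and CWE ChildOf relations. Only
# these entries are modelled; a real run would load the full CWE hierarchy.
VIEW_1003 = {"CWE-119", "CWE-125", "CWE-787", "CWE-77", "CWE-78"}
PARENT = {
    "CWE-122": "CWE-787",  # Heap-based Buffer Overflow -> Out-of-bounds Write (page's example)
    "CWE-787": "CWE-119",  # Out-of-bounds Write -> Improper Restriction ... Memory Buffer
    "CWE-125": "CWE-119",  # Out-of-bounds Read  -> Improper Restriction ... Memory Buffer
    "CWE-78": "CWE-77",    # OS Command Injection -> Command Injection
}

# Keyword patterns -> CWE suggested by the phrase. Constructed stand-in for the
# page's keyword matcher; a match is only a prompt for analyst review.
KEYWORDS = [
    (re.compile(r"out[- ]of[- ]bounds read", re.IGNORECASE), "CWE-125"),
    (re.compile(r"out[- ]of[- ]bounds write", re.IGNORECASE), "CWE-787"),
    (re.compile(r"heap[- ]based buffer overflow", re.IGNORECASE), "CWE-122"),
    (re.compile(r"OS command injection", re.IGNORECASE), "CWE-78"),
]


def normalize_to_view_1003(cwe: str) -> Optional[str]:
    """Walk ChildOf edges upward until a View-1003 member is reached.

    Returns None when no View-1003 ancestor is known in our subset (for example
    NVD-CWE-noinfo), which in practice means the record needs manual review.
    """
    seen = set()
    while cwe not in VIEW_1003:
        if cwe in seen or cwe not in PARENT:
            return None
        seen.add(cwe)
        cwe = PARENT[cwe]
    return cwe


def is_ancestor(candidate: str, cwe: str) -> bool:
    """True if `candidate` is `cwe` itself or one of its ChildOf ancestors."""
    current: Optional[str] = cwe
    while current is not None:
        if current == candidate:
            return True
        current = PARENT.get(current)
    return False


def suggest_remaps(record: Dict[str, object]) -> List[Dict[str, object]]:
    """Suggest remappings for one CVE record from keyword matches in its description.

    Mirrors the page's rule: a keyword match whose CWE is already mapped on the
    record is not queued for review. Each suggestion notes which existing
    (higher-level) mappings it would refine, e.g. CWE-119 refined to CWE-125.
    """
    current = {normalize_to_view_1003(c) or c for c in record["cwes"]}
    suggestions: List[Dict[str, object]] = []
    proposed_so_far = set()
    for pattern, cwe in KEYWORDS:
        if not pattern.search(record["description"]):
            continue
        proposed = normalize_to_view_1003(cwe) or cwe
        if proposed in current or proposed in proposed_so_far:
            continue  # already mapped in NVD (or already suggested): skip
        proposed_so_far.add(proposed)
        refines = sorted(c for c in current if is_ancestor(c, proposed))
        suggestions.append({"cve": record["id"], "proposed": proposed, "refines": refines})
    return suggestions


# Constructed records with placeholder IDs; not real CVE Records.
SAMPLE_RECORDS = [
    {"id": "CVE-EXAMPLE-1", "cwes": ["CWE-119"],
     "description": "A crafted file causes an out-of-bounds read in the image parser."},
    {"id": "CVE-EXAMPLE-2", "cwes": ["CWE-125"],
     "description": "An out-of-bounds read in the PDF parser leads to a crash."},
    {"id": "CVE-EXAMPLE-3", "cwes": ["NVD-CWE-noinfo"],
     "description": "A heap-based buffer overflow in the decoder allows code execution."},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(record["id"], suggest_remaps(record))
```

Running it queues CVE-EXAMPLE-1 for review with CWE-125 refining its existing CWE-119 mapping, queues CVE-EXAMPLE-3 with CWE-787 (the heap-overflow phrase maps to CWE-122, which normalizes to CWE-787 because CWE-122 is not in View-1003), and produces nothing for CVE-EXAMPLE-2 because NVD already has CWE-125 on it. The `refines` field is the cheap signal an analyst wants first: a suggestion that is a descendant of the current mapping is usually a precision improvement, whereas an unrelated suggestion may indicate a genuinely wrong mapping and deserves a closer look at the references.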

Despite efforts to minimize subjectivity in the remapping corrections, the lack of relevant, detailed information present in some CVE descriptions meant that a small portion of the dataset still required some subjective analytical conclusions.

In previous years, at the same time as the Top 25 release, the CWE-1003 view was also modified to ensure that it could still provide coverage for the most common CWE mappings. This created additional technical complexity for both NIST and the CWE Top 25 Team. In October 2021's release of CWE 4.6, View-1003 was updated to include CWE-1321, which was originally published in August 2020 and is a new entry to On the Cusp this year. However, View-1003 has not been updated for CWE 4.8. The CWE Team may update View-1003 for the CWE 4.9 release in Fall 2022.

Significant Changes to the Remapping Task in 2022:

  • Integrating CVMAP data from NVD into mapping analysis. NVD's CVMAP program allows CVE Numbering Authorities (CNAs) to submit their own CWE mappings for CVE Records within their purview. Top 25 analysts integrated these mappings as additional data points for remapping. CNA mappings were chosen in cases where there was insufficient detail to perform deeper analysis.

  • Analysts could represent chaining relationships between CWEs within a single vulnerability. This provided valuable insights and real-world examples for how chains could be represented for vulnerabilities in the future.

  • A process was defined to de-prioritize complex CVEs that were too time-consuming to analyze. These complex CVEs were labeled "TODO" and were later resolved by experienced analysts or delayed for potential re-analysis next year. This de-prioritization allowed analysts to focus on finishing CVEs with greater benefit to NVD / CNA analysts, as well as analyzing CWEs near the bottom of the Top 25 or near the top of the On the Cusp.

Remapping the CISA KEV Catalog:

The Top 25 team downloaded KEV data on June 4, 2022. The remaining KEV records were remapped, including CVEs with keyword matches that were already consistent with NVD's own mappings. 10 CVEs were not fully remapped, so they inherited the original NVD mappings for the analysis. The remapped KEV data set was then analyzed.

  • 53 CVEs (20%) did not have sufficient details to conduct a remapping analysis, i.e., they were mapped to NVD-CWE-noinfo.

  • A custom Top-N list was created using Top 25 methodology, drawing from this limited set of 270 CVEs. The rankings in the KEV list differed widely from the overall list.

  • 5 CWEs from the original Top 25 fell below rank 25 on the KEV list, and 4 CWEs did not have any associated CVEs at all.

Limitations of the Remapping Task:

After using this remapping methodology for the Top 25 lists from 2019 through 2022, some limitations have become apparent:

  • The number of CVEs with high-level CWE entries remains high, forcing manual remapping of many CVEs, which is labor-intensive.

  • When remapping is performed over a short time frame before publication of the list, this increases timing and staffing pressures on Top 25 analysts during this period.

  • The lack of relevant details for many CVEs continues to introduce time-consuming analysis and variability in mapping results, combined with increasing preference to analyze references more closely.

  • Even within the CWE Top 25 Team itself, different analysts can be inconsistent in which CWE mappings they choose for the same CVE, especially for vulnerabilities that do not have very clear phrasing about the weakness.

In the future, the remapping task might be changed to eliminate or mitigate these limitations.

Problematic CWEs Used in Mappings

Over the years, the CWE Team has identified certain CWEs that are problematic in terms of their appropriateness and lack of sufficient details. These problematic CWEs make it challenging to accurately evaluate the reduction of certain weaknesses as new, less common weaknesses emerge. Consequently, the presence of these problematic CWEs can significantly impact rankings within the Top 25 or any other CWE-based list.

Although the Top 25 Team has not conducted a formal data analysis on the most misused CWEs identified through remapping, the following CWEs have been highlighted as particularly problematic:

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-269: Improper Privilege Management
  • CWE-732: Incorrect Permission Assignment for Critical Resource
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-284: Improper Access Control
  • CWE-668: Exposure of Resource to Wrong Sphere
  • CWE-20: Improper Input Validation

Trends Year-over-Year: 2019 to 2022 Lists

Graphs of trends in the Top 25 rankings from 2019 to 2022 are presented below. Please note that the data includes CVE-2017-xxxx to CVE-2021-xxxx, as each annual Top 25 list uses a 2-year sliding window.

  • Some drops in rankings occur due to changes in View-1003 and/or more focused analysis. For example, in 2019, the Top 25 Team focused on handling mappings to categories and did not consider all classes.

  • Over the past four years, the remapping analysis has yielded valuable insights by discovering more granular mappings. The CWE Team has collaborated with the NIST NVD Analysis Team, CNAs, and the vendor community to reach Base-level weaknesses, which is evident in this year's list.
