Four of those 'continuing to appear' CWEs contributed to 36 CVEs in the KEV
listing:

*CWEs in Top 25 List since 2009*                                        *CVEs in KEV*
CWE-20: Improper Input Validation                                              2
CWE-78: Improper Sanitization of Special Elements used in an OS Command        20
  ('OS Command Injection')
CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')        7
CWE-89: Failure to Preserve SQL Query Structure ('SQL Injection')              4
CWE-352: Cross-Site Request Forgery (CSRF)                                     0
Root Cause of:                                                                 36
It's unclear to me why CWE-352 Cross-Site Request Forgery (CSRF) was not an
attributable root cause of any CVEs in KEV.
...Joe
On Thu, Dec 11, 2025 at 10:30 PM SJ Jazz <[email protected]> wrote:
> Congratulations on publishing the 2025 CWE Top 25 Most Dangerous Software
> Weaknesses list. I like the background information.
>
> I have two observations that might merit some follow-up.
>
> 1) Seven of the Top 25 CWEs had no associated KEV, so some explanation
> should be offered as to why those seven CWEs are included. How did the
> scoring not factor in CISA’s KEV listing – what makes those CWEs worthy
> of being in the Top 25 if they have not been the root cause of any of the
> top known exploits?
>
> 2) Five of the 2025 Top 25 CWEs were on the 2009 Top 25 Most Dangerous
> Programming Errors list. Without use of a scoring system, that original Top
> 25 CWE list in 2009 reflected a consensus of vulnerability researchers. The
> 2009 Top 25 was organized into three high-level categories that contained
> multiple CWE entries. These five reoccurring CWEs are all in the category
> of “Insecure Interaction Between Components” [weaknesses related to
> insecure ways in which data is sent and received between separate
> components, modules, programs, processes, threads, or systems]:
> - CWE-20: Improper Input Validation
> - CWE-78: Improper Sanitization of Special Elements used in an OS Command
> ('OS Command Injection')
> - CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')
> - CWE-89: Failure to Preserve SQL Query Structure ('SQL Injection')
> - CWE-352: Cross-Site Request Forgery (CSRF)
> The continued appearance of these five CWEs as top contributors to
> exploitation should be cause for some concern. After 16 years of publicizing
> the top root causes of many known exploits, the software industry continues
> to release software with those weaknesses. At what point does the
> occurrence of any of these five CWEs in software represent negligence?
> Perhaps some write-up about means to avoid these recurring weaknesses
> should be provided on the CWE website, even listing tools that could be
> used to identify these weaknesses before software is released.
>
> ...Joe
>
> ---------- Forwarded message ---------
> From: CISA <[email protected]>
> Date: Thu, Dec 11, 2025 at 2:05 PM
> Subject: 2025 CWE Top 25 Most Dangerous Software Weaknesses
> To: <[email protected]>
>
> 2025 CWE Top 25 Most Dangerous Software Weaknesses
> <https://www.cisa.gov/news-events/alerts/2025/12/11/2025-cwe-top-25-most-dangerous-software-weaknesses>
> 12/11/2025 3:00 PM EST
>
> The Cybersecurity and Infrastructure Security Agency (CISA), in
> collaboration with the Homeland Security Systems Engineering and
> Development Institute (HSSEDI), operated by the MITRE Corporation, has
> released the 2025 Common Weakness Enumeration (CWE) Top 25 Most Dangerous
> Software Weaknesses <https://cwe.mitre.org/top25/>. This annual list
> identifies the most critical weaknesses adversaries exploit to compromise
> systems, steal data, or disrupt services.
>
> Prioritizing the weaknesses outlined in the Top 25 is integral to CISA’s
> Secure by Design <https://www.cisa.gov/securebydesign> and Secure by Demand
> <https://www.cisa.gov/resources-tools/resources/secure-demand-guide>
> initiatives, which promote building and procuring secure technology
> solutions. CISA and MITRE encourage organizations to review this list and
> use it to inform their respective software security strategies.
>
> The 2025 CWE Top 25:
>
> - *Supports Vulnerability Reduction*: By focusing on the Top 25,
> organizations can prioritize lifecycle changes, adopt safer architectural
> decisions, and reduce high-impact vulnerabilities related to injection,
> access control, and memory safety defects.
> - *Drives Cost Efficiencies*: Eliminating weaknesses early reduces
> downstream remediation; addressing them before deployment is more efficient
> and cost effective than patching, reconfiguring, or responding to emergency
> incidents.
> - *Strengthens Customer and Stakeholder Trust*: Transparent efforts to
> identify, mitigate, and monitor weaknesses demonstrate commitment to Secure
> by Design principles. Organizations that prioritize eliminating recurring
> weaknesses contribute to a safer software ecosystem.
> - *Promotes Consumer Awareness*: The Top 25 empowers consumers to
> understand underlying causes of common vulnerabilities, supports more
> informed purchasing decisions, and encourages adoption of products that
> follow robust security engineering practices.
>
> Recommendations for Stakeholders:
>
> - *For Developers and Product Teams*: Review the 2025 CWE Top 25 to
> identify high-priority weaknesses and adopt Secure by Design practices in
> development.
> - *For Security Teams*: Incorporate the Top 25 into vulnerability
> management and application security testing to assess and mitigate critical
> weaknesses.
> - *For Procurement and Risk Managers*: Use the Top 25 as a benchmark
> when evaluating vendors and apply Secure by Demand guidelines to ensure
> investment in secure products.
>
> By shining a light on the most dangerous software weaknesses, CISA and
> MITRE reinforce collective efforts to reduce vulnerabilities at the source,
> strengthen national cybersecurity, and improve long-term resilience. For
> details, refer to the 2025 CWE Top 25 <https://cwe.mitre.org/top25/>.
>
> --
> Regards,
>
> Joe
>
> Joe Jarzombek
> C 703 627-4644
>
--
Regards,
Joe
Joe Jarzombek
C 703 627-4644
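The question raised in the thread, which of the five recurring CWEs have zero KEV CVEs attributed to them, can be checked directly against the KEV feed, since each KEV entry carries a "cwes" list next to its "cveID". The script below is an added example written for this discussion, not code from CISA or MITRE; it runs on constructed KEV-style records with placeholder CVE ids and also reports entries that carry no CWE at all, because such entries cannot be attributed to any root cause and are one thing to look at before reading a zero as "never exploited".

```python
import json
from collections import Counter

# Constructed KEV-style records with placeholder CVE ids (not real CISA data).
# The real feed is the JSON at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# and uses the same "vulnerabilities" / "cveID" / "cwes" layout.
SAMPLE_KEV_JSON = """
{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "cwes": ["CWE-78"]},
 {"cveID": "CVE-0000-0002", "cwes": ["CWE-78", "CWE-20"]},
 {"cveID": "CVE-0000-0003", "cwes": ["CWE-79"]},
 {"cveID": "CVE-0000-0004", "cwes": ["CWE-89"]},
 {"cveID": "CVE-0000-0005", "cwes": []},
 {"cveID": "CVE-0000-0006"}
]}
"""

# The five CWEs that have stayed on the Top 25 since the 2009 list.
RECURRING_SINCE_2009 = ["CWE-20", "CWE-78", "CWE-79", "CWE-89", "CWE-352"]


def count_kev_by_cwe(kev_json, cwe_ids):
    """Return (counts, unmapped): counts maps each watched CWE id to the number
    of KEV CVEs attributed to it; unmapped lists CVE ids that carry no CWE."""
    data = json.loads(kev_json)
    counts = Counter({cwe: 0 for cwe in cwe_ids})
    unmapped = []
    for entry in data["vulnerabilities"]:
        cwes = entry.get("cwes") or []      # key may be absent or an empty list
        if not cwes:
            unmapped.append(entry["cveID"])
            continue
        for cwe in set(cwes):               # a CVE with several CWEs counts once per CWE
            if cwe in counts:
                counts[cwe] += 1
    return dict(counts), unmapped


def zero_attribution(counts):
    """Watched CWEs to which no KEV CVE is attributed."""
    return sorted(cwe for cwe, n in counts.items() if n == 0)


if __name__ == "__main__":
    counts, unmapped = count_kev_by_cwe(SAMPLE_KEV_JSON, RECURRING_SINCE_2009)
    for cwe in RECURRING_SINCE_2009:
        print(f"{cwe:8} {counts[cwe]:3d} KEV CVE(s)")
    print("no KEV attribution:", zero_attribution(counts))
    print("KEV entries lacking any CWE:", unmapped)
```

Pointing `count_kev_by_cwe` at the downloaded feed instead of the constructed sample reproduces the per-CWE tally the Top 25 scoring relies on; a large `unmapped` list is the first thing to rule out when a CWE shows zero.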