Detecting and Mitigating Active Directory Kerberoasting
September 29, 2024

The Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses list for 2024 (the CWE Top 25 for 2024) identifies the software weaknesses that are currently the most common and the most impactful.

The 2024 CWE Top 25 is not only a valuable resource for developers and security professionals; it also serves as a strategic guide for organizations aiming to make informed decisions in software, security, and risk management investments. These weaknesses are often easy to find and exploit, and they can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.
Rank | ID | Name | Score | CVEs in KEV | Rank Change vs. 2023 |
---|---|---|---|---|---|
1 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 56.92 | 3 | +1 |
2 | CWE-787 | Out-of-bounds Write | 45.20 | 18 | -1 |
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 35.88 | 4 | 0 |
4 | CWE-352 | Cross-Site Request Forgery (CSRF) | 19.57 | 0 | +5 |
5 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 12.74 | 4 | +3 |
6 | CWE-125 | Out-of-bounds Read | 11.42 | 3 | +1 |
7 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 11.30 | 5 | -2 |
8 | CWE-416 | Use After Free | 10.19 | 5 | -4 |
9 | CWE-862 | Missing Authorization | 10.11 | 0 | +2 |
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.03 | 0 | 0 |
11 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 7.13 | 7 | +12 |
12 | CWE-20 | Improper Input Validation | 6.78 | 1 | -6 |
13 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 6.74 | 4 | +3 |
14 | CWE-287 | Improper Authentication | 5.94 | 4 | -1 |
15 | CWE-269 | Improper Privilege Management | 5.22 | 0 | +7 |
16 | CWE-502 | Deserialization of Untrusted Data | 5.07 | 5 | -1 |
17 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 5.07 | 0 | +13 |
18 | CWE-863 | Incorrect Authorization | 4.05 | 2 | +6 |
19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.05 | 2 | 0 |
20 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 3.69 | 2 | -3 |
21 | CWE-476 | NULL Pointer Dereference | 3.58 | 0 | -9 |
22 | CWE-798 | Use of Hard-coded Credentials | 3.46 | 2 | -4 |
23 | CWE-190 | Integer Overflow or Wraparound | 3.37 | 3 | -9 |
24 | CWE-400 | Uncontrolled Resource Consumption | 3.23 | 0 | +13 |
25 | CWE-306 | Missing Authentication for Critical Function | 2.73 | 5 | -5 |
2024 CWE Top 25 Methodology
The “2024 CWE Top 25 Most Dangerous Software Weaknesses” list was calculated by analyzing public vulnerability information in Common Vulnerabilities and Exposures (CVE®) Records for CWE root cause mappings.
This year’s dataset included 31,770 CVE Records for vulnerabilities published between June 1, 2023 and June 1, 2024. Data was initially pulled on July 30, 2024, to share with CNA community partners for review. Data was pulled again on November 4, 2024, to ensure the most up to date CVE Records information was used in the Top 25 list calculations.
The initial Top 25 dataset comprised all CVE-2023-* and CVE-2024-* Records published between June 1, 2023, and June 1, 2024. The CVE Records were analyzed via automated scanning to identify those that would benefit from re-mapping analysis. The "scoped" dataset was divided into batches of CVEs based on the CVE Numbering Authority (CNA) that published them, typically with one batch for CVE Records mapped to "high-level" CWEs and a separate batch for CVE Records whose existing mapping differed from the result of the internal keyword matcher.
After the collection, scoping, and remapping process, a scoring formula was used to calculate a rank order of weaknesses. The formula combines the frequency (the number of times that a CWE is the root cause of a vulnerability) with the average severity of those vulnerabilities when they are exploited (as measured by the Common Vulnerability Scoring System (CVSS) v3.0 or v3.1 base score). Both the frequency and the severity are normalized relative to the minimum and maximum values observed in the dataset.
These metrics are presented as "count" and "average_CVSS", respectively, in the scoring formulas. Because CVSS base scores are calculated differently across versions, only CVE Records that contain CVSS version 3.0 or 3.1 data were considered in the calculations.
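The scoring described above, as an added worked example that is not part of the original page and is not MITRE's own tooling: it keeps only CVSS v3.0/v3.1 records, drops records that carry no root-cause CWE mapping, min-max normalizes the per-CWE count and average base score against the dataset's minimum and maximum, and combines them as Score = Fr * Sv * 100, which is the formula MITRE publishes alongside this methodology. The CVE identifiers and scores in SAMPLE_RECORDS are constructed; the placeholder identifiers NVD-CWE-Other and NVD-CWE-noinfo are NVD's real conventions for unmapped records; treating the 0/0 case (every CWE sharing the same count or the same average) as 1.0 is this example's own assumption.

```python
"""Added example: re-implements the CWE Top 25 scoring described in the
methodology (normalized frequency x normalized average CVSS v3.x base score,
x 100) over constructed CVE Records. Illustration code, not MITRE's."""
from collections import defaultdict
from typing import NamedTuple


class CveRecord(NamedTuple):
    cve_id: str
    cwe_id: str        # root-cause CWE mapping, or an NVD placeholder
    cvss_version: str  # "2.0", "3.0", "3.1", "4.0"
    cvss_base: float


class CweScore(NamedTuple):
    rank: int
    cwe_id: str
    count: int
    average_cvss: float
    score: float


# Constructed sample data (these are not real CVE Records).
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-0001", "CWE-79", "3.1", 6.1),
    CveRecord("CVE-0000-0002", "CWE-79", "3.1", 5.4),
    CveRecord("CVE-0000-0003", "CWE-79", "3.0", 6.1),
    CveRecord("CVE-0000-0004", "CWE-79", "3.1", 4.8),
    CveRecord("CVE-0000-0005", "CWE-787", "3.1", 9.8),
    CveRecord("CVE-0000-0006", "CWE-787", "3.1", 7.8),
    CveRecord("CVE-0000-0007", "CWE-787", "3.0", 8.8),
    CveRecord("CVE-0000-0008", "CWE-787", "2.0", 10.0),        # dropped: CVSS v2 only
    CveRecord("CVE-0000-0009", "CWE-89", "3.1", 9.8),
    CveRecord("CVE-0000-0010", "CWE-89", "3.1", 8.8),
    CveRecord("CVE-0000-0011", "CWE-476", "3.1", 5.5),
    CveRecord("CVE-0000-0012", "NVD-CWE-noinfo", "3.1", 7.5),  # dropped: no root cause
]

USABLE_CVSS_VERSIONS = {"3.0", "3.1"}
UNMAPPED_CWE_IDS = {"", "NVD-CWE-Other", "NVD-CWE-noinfo"}


def _normalize(value, lo, hi):
    """Min-max normalization against the dataset's observed range.
    When every CWE shares the same value the formula is 0/0; this example
    treats that degenerate case as 1.0 (an assumption, not something the
    methodology specifies)."""
    return 1.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(records):
    """Rank CWEs: Score = Fr * Sv * 100, where Fr is the normalized count of
    usable records mapped to the CWE and Sv the normalized average CVSS
    v3.x base score of those records."""
    counts = defaultdict(int)
    cvss_sum = defaultdict(float)
    for rec in records:
        if rec.cvss_version not in USABLE_CVSS_VERSIONS:
            continue  # v2/v4 scores are not comparable to v3.x
        if rec.cwe_id in UNMAPPED_CWE_IDS:
            continue  # no root-cause weakness to attribute the CVE to
        counts[rec.cwe_id] += 1
        cvss_sum[rec.cwe_id] += rec.cvss_base
    if not counts:
        return []
    average = {cwe: cvss_sum[cwe] / counts[cwe] for cwe in counts}
    min_count, max_count = min(counts.values()), max(counts.values())
    min_avg, max_avg = min(average.values()), max(average.values())
    rows = []
    for cwe in counts:
        fr = _normalize(counts[cwe], min_count, max_count)
        sv = _normalize(average[cwe], min_avg, max_avg)
        rows.append((cwe, counts[cwe], average[cwe], fr * sv * 100))
    rows.sort(key=lambda r: (-r[3], r[0]))  # highest score first, CWE id as tie-break
    return [CweScore(i + 1, cwe, n, round(avg, 2), round(score, 2))
            for i, (cwe, n, avg, score) in enumerate(rows)]


if __name__ == "__main__":
    for row in score_cwes(SAMPLE_RECORDS):
        print(f"{row.rank:>2} | {row.cwe_id:<8} | {row.count:>3} | "
              f"{row.average_cvss:>5.2f} | {row.score:>6.2f}")
```

One consequence of the min-max normalization is worth keeping in mind when reading the table: whichever CWE has the lowest count in the dataset, or the lowest average CVSS, scores exactly 0 regardless of its other metric, and a CWE near either minimum scores close to 0. That is why the scores at the bottom of the list are so tightly clustered compared with the top three.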