MITRE has published an updated list of the 25 most dangerous software weaknesses (the CWE Top 25), compiled from an analysis of 31,770 CVE records disclosed between June 2023 and June 2024. Weaknesses in these classes can lead to critical failures, allowing attackers to take control of systems, steal data, and mount attacks such as denial of service.
The underlying weaknesses typically stem from errors in code, architecture, and design. MITRE stresses that they are easy to find and exploit, which makes them a serious threat to systems. This year's list was compiled from an analysis of CVE records, with particular weight given to vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
CISA highlights the importance of eliminating these weaknesses early in the software development lifecycle, before they can be exploited. The top three entries are cross-site scripting (CWE-79), out-of-bounds write (CWE-787), and SQL injection (CWE-89).
In a joint advisory issued last month, cybersecurity agencies from the Five Eyes alliance warned that many of the vulnerabilities most frequently exploited in 2023 were attacked as zero-days, that is, exploited before a patch was available.
The advisory emphasizes the need to address recurring root causes such as default passwords, improper authentication, and OS command injection, and CISA strongly recommends Secure by Design practices to eliminate these weaknesses at the design stage.
Alongside the list, MITRE urges organizations to reassess their cybersecurity investments and strategies to reduce risk and strengthen the resilience of IT systems against increasingly sophisticated threats.