MITRE shares this year's list of most dangerous software bugs


MITRE shared this year's list of the top 25 most common and dangerous weaknesses impacting software throughout the previous two calendar years.

Software weaknesses are flaws, bugs, vulnerabilities, or various other errors found in software solutions' code, architecture, implementation, or design.

They can potentially expose the systems they're running on to attacks that could enable threat actors to take control of affected devices, gain access to sensitive information, or trigger a denial-of-service condition.

To create this list, MITRE scored each weakness based on its prevalence and severity after analyzing data for 37,899 CVEs from NIST's National Vulnerability Database (NVD) and CISA's Known Exploited Vulnerabilities (KEV) Catalog.
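To show how that prevalence-times-severity scoring works in practice, here is an added example (not MITRE's code) that applies the formula MITRE has published for the CWE Top 25 since 2019 to a small constructed set of CVE records. Each weakness gets a normalized frequency score Fr (how many CVEs map to it), a normalized severity score Sv (its average CVSS base score), and a final score of Fr x Sv x 100. The CVE identifiers, CWE mappings and CVSS values below are made up for illustration, and the extra weighting MITRE applied from the KEV catalog is not modeled here.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records: (CVE ID, mapped CWE, CVSS base score).
# These are NOT real NVD entries; they only exercise the scoring formula.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-787", 9.8),
    ("CVE-0000-0002", "CWE-787", 8.8),
    ("CVE-0000-0003", "CWE-787", 7.5),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 5.4),
    ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 4.3),
    ("CVE-0000-0008", "CWE-89", 9.8),
    ("CVE-0000-0009", "CWE-89", 8.8),
    ("CVE-0000-0010", "CWE-20", 5.3),
]


def _normalize(value, low, high):
    """Min-max normalize to [0, 1]; a flat range yields 0 rather than dividing by zero."""
    return 0.0 if high == low else (value - low) / (high - low)


def score_weaknesses(cves):
    """Score every CWE present in `cves` with the CWE Top 25 formula.

    Fr(X)    = (count(X) - min(count)) / (max(count) - min(count))
    Sv(X)    = (avgCVSS(X) - min(avgCVSS)) / (max(avgCVSS) - min(avgCVSS))
    Score(X) = Fr(X) * Sv(X) * 100

    Returns a dict {cwe_id: score}.
    """
    counts = defaultdict(int)
    severities = defaultdict(list)
    for _cve_id, cwe, base_score in cves:
        counts[cwe] += 1
        severities[cwe].append(base_score)

    avg_cvss = {cwe: mean(scores) for cwe, scores in severities.items()}
    min_count, max_count = min(counts.values()), max(counts.values())
    min_sev, max_sev = min(avg_cvss.values()), max(avg_cvss.values())

    return {
        cwe: _normalize(counts[cwe], min_count, max_count)
        * _normalize(avg_cvss[cwe], min_sev, max_sev)
        * 100
        for cwe in counts
    }


def rank_weaknesses(cves):
    """Return [(cwe_id, score), ...] ordered from most to least dangerous."""
    return sorted(score_weaknesses(cves).items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank_weaknesses(SAMPLE_CVES), start=1):
        print(f"{position:>2}. {cwe:<8} {score:6.2f}")
```

Note what the ranking shows on this sample: CWE-79 has the most CVEs but a low average CVSS, so it lands below CWE-787 and CWE-89, which are rarer but far more severe. The weakness with the fewest CVEs in the data set always scores 0 because its normalized frequency is 0, which is why MITRE's real list is computed over tens of thousands of records rather than a handful.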

"Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk," MITRE said.

"This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations (SDOs)."

MITRE's top 25 bugs are considered dangerous because they're usually easy to find and exploit, come with a high impact, and are prevalent in software released during the last two years.

The table below provides insight into the most critical and current security weaknesses affecting software worldwide.

Top exploited vulnerabilities of 2021

In April, cybersecurity authorities worldwide, in partnership with the FBI and the NSA, also published a list of the top 15 vulnerabilities frequently exploited by threat actors during 2021.

As revealed in the joint advisory, malicious actors focused their attacks last year on newly disclosed vulnerabilities affecting internet-facing systems, including email and virtual private network (VPN) servers.

This was likely because malicious actors and security researchers published proof of concept (POC) exploits within two weeks after most of the top exploited bugs were disclosed in 2021.

However, they also focused some attacks on older flaws patched years before, showing that some organizations fail to update their systems even after a patch is available.

CISA and the FBI have also published a list of the top 10 most exploited security flaws between 2016 and 2019. A list of routinely exploited bugs in 2020 was also released in collaboration with the Australian Cyber Security Centre (ACSC) and the UK's National Cyber Security Centre (NCSC).

In November, MITRE also shared a list of the most dangerous programming, design, and architecture security flaws plaguing hardware throughout the last year.
