{"id":3868,"date":"2025-12-16T05:39:30","date_gmt":"2025-12-16T05:39:30","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/12\/16\/top-25-most-dangerous-software-weaknesses-of-2025-revealed\/"},"modified":"2025-12-16T05:39:30","modified_gmt":"2025-12-16T05:39:30","slug":"top-25-most-dangerous-software-weaknesses-of-2025-revealed","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/12\/16\/top-25-most-dangerous-software-weaknesses-of-2025-revealed\/","title":{"rendered":"Top 25 Most Dangerous Software Weaknesses of 2025 Revealed"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>The MITRE Corporation has released the 25 most dangerous software \u201cweaknesses\u201d in a new list that will help inform developers, network defenders and procurement teams.<\/p>\n<p>The annual CWE Top 25 list was this year compiled from the weaknesses (CWEs) behind 39,080 CVEs.<\/p>\n<p>\u201cUncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place \u2013 benefiting both industry and government stakeholders,\u201d MITRE claimed.<\/p>\n<p>Top of the list once again was cross-site scripting (XSS), while SQL injection moved up one place to second and cross-site request forgery moved up one to third. 
Use-after-free (in eighth place) and code injection (tenth) both moved up one from last year.<\/p>\n<p>Among the top 10, out-of-bounds write (fifth), path traversal (sixth), out-of-bounds read (eighth) and OS command injection (ninth) all dropped down from their rankings last year.<\/p>\n<p><em>Read more on CWEs: MITRE Unveils Top 25 Most Critical Software Flaws<\/em><\/p>\n<p>The rankings are calculated by scoring each weakness based on its severity and the frequency of in-the-wild exploits.<\/p>\n<p>This year, there were new entries for\u00a0classic buffer overflow, stack-based buffer overflow, heap-based buffer overflow, improper access control, authorization bypass through user-controlled key, and allocation of resources without limits or throttling.<\/p>\n<p>However, AppOmni CSO, Cory Michal, argued that there should have been a place on the Top 25 for \u201cinsufficiently protected credentials,\u201d given how dangerous weak credential handling is.<\/p>\n<p>\u201cWhen major SaaS integration providers like Commvault, Salesloft\/Drift and Gainsight are breached and attackers walk away with OAuth2 tokens, those \u2018credentials\u2019 become a skeleton key into thousands of downstream SaaS tenants,\u201d he explained.<\/p>\n<p>\u201cWe\u2019re seeing adversaries use those stolen tokens to access CRM and collaboration data without ever touching a user\u2019s password, and I\u2019d expect that pattern, and therefore CWE-522\u2019s real-world impact to keep growing in 2026.\u201d<\/p>\n<p>That said,\u00a0the new list highlights how identity, authorization and access control issues are now very much front and center for security teams.<\/p>\n<p>\u201cWhen weaknesses like missing authentication, improper access control\u00a0and authorization bypass, all climb or enter the Top 25, it\u2019s a signal that attackers are consistently succeeding at finding and exploiting gaps in authentication and authorization logic,\u201d Michal said.<\/p>\n<p>\u201cIn today\u2019s SaaS 
 and AI world, where apps are interconnected by APIs and integrations, these weaknesses quickly turn into lateral movement, data exposure\u00a0and realized risk.\u201d<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The MITRE Corporation has released the 25 most dangerous software \u201cweaknesses\u201d in a new list that will help inform developers, network defenders and procurement teams. The annual CWE Top 25 list was this year compiled from the weaknesses (CWEs) behind 39,080 CVEs. \u201cUncovering the root causes of these vulnerabilities serves as a powerful guide for<\/p>\n","protected":false},"author":2,"featured_media":3869,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3868","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3868-302799d9-eb69-4db0-8724-873641036b19.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3868-302799d9-eb69-4db0-8724-873641036b19-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3868-302799d9-eb69-4db0-8724-873641036b19.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3868-302799d9-eb69-4db0-8724-873641036b19.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3868-302799d9-eb69-4db0-8724-873641036b19.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3868-302799d9-eb69-4db0-8724-873641036b19.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3868-302799d9-eb69-4db0-8724-873641036b19.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3868-302799d9-eb69-4db0-8724-873641036b19.jpg",300,300,false],"morenews-large"
:["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3868-302799d9-eb69-4db0-8724-873641036b19.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3868-302799d9-eb69-4db0-8724-873641036b19.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3868-302799d9-eb69-4db0-8724-873641036b19-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3868","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3868"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3868\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3869"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3868"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}