
Redazione RHC : 13 December 2025 16:23
MITRE has released its ranking of the 25 most dangerous software weaknesses for 2025 (the CWE Top 25), compiled from data collected through the National Vulnerability Database. The entries were identified by analyzing 39,080 Common Vulnerabilities and Exposures (CVE) records reported this year and mapping each one to its root-cause weakness.
The rise in cyber threats has made the annual ranking more important: because it is based on real CVE data, it lets organizations identify and reduce their risks more effectively.
These pervasive flaws are often easy to find and exploit, allowing attackers to take control of systems, steal sensitive data, or compromise applications.
| Rank (2025) | Weakness | CWE | CVEs in KEV (CISA Known Exploited Vulnerabilities) | Rank Last Year | Trend |
|---|---|---|---|---|---|
| 1 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | CWE-79 | 7 | 1 | — |
| 2 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | CWE-89 | 4 | 3 | Upward |
| 3 | Cross-Site Request Forgery (CSRF) | CWE-352 | 0 | 4 | Upward |
| 4 | Missing Authorization | CWE-862 | 0 | 9 | Upward |
| 5 | Out-of-bounds Write | CWE-787 | 12 | 2 | Downward |
| 6 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | CWE-22 | 10 | 5 | Downward |
| 7 | Use After Free | CWE-416 | 14 | 8 | Upward |
| 8 | Out-of-bounds Read | CWE-125 | 3 | 6 | Downward |
| 9 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | CWE-78 | 20 | 7 | Downward |
| 10 | Improper Control of Generation of Code (Code Injection) | CWE-94 | 7 | 11 | Upward |
| 11 | Buffer Copy without Checking Size of Input (Classic Buffer Overflow) | CWE-120 | 0 | N/A | — |
| 12 | Unrestricted Upload of File with Dangerous Type | CWE-434 | 4 | 10 | Downward |
| 13 | NULL Pointer Dereference | CWE-476 | 0 | 21 | Upward |
| 14 | Stack-based Buffer Overflow | CWE-121 | 4 | N/A | — |
| 15 | Deserialization of Untrusted Data | CWE-502 | 11 | 16 | Upward |
| 16 | Heap-based Buffer Overflow | CWE-122 | 6 | N/A | — |
| 17 | Incorrect Authorization | CWE-863 | 4 | 18 | Upward |
| 18 | Improper Input Validation | CWE-20 | 2 | 12 | Downward |
| 19 | Improper Access Control | CWE-284 | 1 | N/A | — |
| 20 | Exposure of Sensitive Information to an Unauthorized Actor | CWE-200 | 1 | 17 | Downward |
| 21 | Missing Authentication for Critical Function | CWE-306 | 11 | 25 | Upward |
| 22 | Server-Side Request Forgery (SSRF) | CWE-918 | 0 | 19 | Downward |
| 23 | Improper Neutralization of Special Elements used in a Command (Command Injection) | CWE-77 | 2 | 13 | Downward |
| 24 | Authorization Bypass Through User-Controlled Key | CWE-639 | 0 | 30 | Upward |
| 25 | Allocation of Resources Without Limits or Throttling | CWE-770 | 0 | 26 | Upward |
The CWE Top 25 rankings can help you:
Memory-safety weaknesses such as buffer overflows keep recurring, which is driving the adoption of memory-safe languages like Rust. At the same time, web applications remain exposed to injection weaknesses and to authentication and authorization failures. Furthermore, weaknesses like Use After Free, which account for many of the entries in the KEV catalog, call for a zero-trust control model.
It is critical that organizations screen their code against this list, incorporate CWE checks into their continuous integration pipelines, insist on transparency from vendors, and use contracts to hold vendors to rigorous secure-coding standards.
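As an added illustration of the CI check suggested above (example code, not from the article or from MITRE): a small Python gate that reads a SARIF report from a static-analysis tool and fails the pipeline whenever a finding maps to one of the 25 CWE ids in the table. The CodeQL-style `external/cwe/cwe-NNN` tag format and the embedded SARIF sample are assumptions constructed for this example.

```python
"""Gate a CI build on SARIF findings mapped to the 2025 CWE Top 25 (added example; the SARIF input is constructed)."""
import json
import re

# The 25 CWE numbers from the 2025 list, as tabulated in the article.
CWE_TOP25_2025 = {
    79, 89, 352, 862, 787, 22, 416, 125, 78, 94, 120, 434, 476,
    121, 502, 122, 863, 20, 284, 200, 306, 918, 77, 639, 770,
}
CWE_RE = re.compile(r"cwe-?0*(\d+)", re.IGNORECASE)  # "CWE-79", "external/cwe/cwe-079" (assumed tag style)

def cwe_ids(rule):
    """Collect CWE numbers from a SARIF rule's tags and its id."""
    texts = list(rule.get("properties", {}).get("tags", [])) + [rule.get("id", "")]
    return {int(m) for t in texts for m in CWE_RE.findall(t)}

def top25_findings(sarif):
    """Return (rule_id, cwe, location) for each result whose rule hits the Top 25."""
    hits = []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {"id": res.get("ruleId", "")})
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "?")
            line = loc.get("region", {}).get("startLine", "?")
            for cwe in sorted(cwe_ids(rule) & CWE_TOP25_2025):
                hits.append((rule["id"], cwe, f"{uri}:{line}"))
    return hits

def ci_gate(sarif_text):
    """Exit status for the pipeline step: 0 if clean, 1 if any Top 25 weakness was found."""
    hits = top25_findings(json.loads(sarif_text))
    for rule_id, cwe, where in hits:
        print(f"BLOCK: CWE-{cwe} reported by {rule_id} at {where}")
    return 1 if hits else 0

# Constructed SARIF fragment: one XSS finding (CWE-79) and one non-security rule.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
        {"id": "js/xss", "properties": {"tags": ["security", "external/cwe/cwe-079"]}},
        {"id": "style/unused-var", "properties": {"tags": ["maintainability"]}}]}},
    "results": [
        {"ruleId": "js/xss", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/render.js"}, "region": {"startLine": 42}}}]},
        {"ruleId": "style/unused-var", "locations": []}]}]})

if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_SARIF))
```

In a real pipeline the report would be read from the scanner's output file rather than the embedded sample, and the non-zero exit status is what makes the job fail.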
Redazione