Cybersecurity / By
FINAL Newsletter Web Banner (2)

2024's Most Critical Software Vulnerabilities

The MITRE Corporation has once again released its annual list of the top 25 most dangerous software weaknesses. This year's list, developed in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), highlights the most severe and prevalent vulnerabilities that could be exploited by malicious actors.

Understanding the Threat Landscape

The 2024 CWE Top 25 list is a critical resource for developers, security professionals, and organisations worldwide. By identifying the most common and dangerous software weaknesses, this list enables organisations to prioritise their security efforts and allocate resources effectively.

Key Vulnerabilities to Watch Out For:

  1. Cross-site Scripting (XSS) (CWE-79): This persistent threat allows attackers to inject malicious scripts into web pages, stealing sensitive information or compromising user sessions.
  2. Out-of-Bounds Write (CWE-787): This vulnerability can lead to memory corruption, crashes, and potential remote code execution.
  3. SQL Injection (SQLi) (CWE-89): Attackers can exploit SQLi to manipulate database queries, steal data, or even take control of the database server.
  4. Cross-Site Request Forgery (CSRF) (CWE-352): This attack tricks users into performing unauthorised actions on behalf of their authenticated sessions.
  5. Path Traversal (CWE-22): Attackers can exploit this vulnerability to access files outside the intended directory, potentially leading to data exposure or system compromise.

TOP 25 MOST DANGEROUS SOFTWARE WEAKNESSES OF 2024

RANK WEAKNESS NAME CWE ID SCORE CVES IN KEV CHANGE
1 Cross-site Scripting CWE-79 56.92 3 +1
2 Out-of-bounds Write CWE-787 45.20 18 -1
3 SQL Injection CWE-89 35.88 4 0
4 Cross-Site Request Forgery (CSRF) CWE-352 19.57 0 +5
5 Path Traversal CWE-22 12.74 4 +3
6 Out-of-bounds Read CWE-125 11.42 3 +1
7 OS Command Injection CWE-78 11.30 5 -2
8 Use After Free CWE-416 10.19 5 -4
9 Missing Authorisation CWE-862 10.11 0 +2
10 Unrestricted Upload of File with Dangerous Type CWE-434 10.03 0 0
11 Code Injection CWE-94 7.13 7 +12
12 Improper Input Validation CWE-20 6.78 1 -6
13 Command Injection CWE-77 6.74 4 +3
14 Improper Authentication CWE-287 5.94 4 -1
15 Improper Privilege Management CWE-269 5.22 0 +7
16 Deserialization of Untrusted Data CWE-502 5.07 5 -1
17 Exposure of Sensitive Information to an Unauthorised Actor CWE-200 5.07 0 +13
18 Incorrect Authorisation CWE-863 4.05 2 +6
19 Server-Side Request Forgery (SSRF) CWE-918 4.05 2 0
20 Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119 3.69 2 -3
21 NULL Pointer Dereference CWE-476 3.58 0 -9
22 Use of Hard-coded Credentials CWE-798 3.46 2 -4
23 Integer Overflow or Wraparound CWE-190 3.37 3 -9
24 Uncontrolled Resource Consumption CWE-400 3.23 0 +13
25 Missing Authentication for Critical Function CWE-306 2.73 5 -5
Contact Us

November 2024 Cybersecurity Roundup: Protecting Your Australian SME

CYBERSECURITY NEWS ROUNDUP: NOVEMBER 2024 This month’s news highlights the ongoing challenges and emerging threats facing Australian SMEs. Let’s dive into the key points: Top Headlines: • Cyber Security Bill […]

Read More

A Year in Review: Gratitude, Growth, and Exciting Plans for 2025

A Year in Review and Exciting Plans for 2025 As 2024 draws to a close, we want to take a moment to express our sincere gratitude for your continued support. […]

Read More

Cyber Security Tips for a Safe Holiday Shutdown

Cyber Security Tips for a Safe and Secure Christmas Shutdown As the festive season approaches, it’s important to ensure your business is adequately protected from cyber threats, even during the […]

Read More

Cybersecurity 2025: A Look Ahead

2025 Cybersecurity Predictions: Navigating the Evolving Threat Landscape As we step into 2025, the cybersecurity landscape continues to evolve, presenting new challenges for organisations worldwide. With the increasing sophistication of […]

Read More

Related Posts