MITRE and CISA release 2025's top 25 most dangerous software weaknesses
Summary
MITRE, in collaboration with HSSEDI and CISA, has published the 2025 list of the top 25 most dangerous software weaknesses. The list is based on an analysis of 39,080 CVE records reported between June 2024 and June 2025. Cross-Site Scripting (CWE-79) remains the most critical weakness, while several new entries, including Classic Buffer Overflow (CWE-120), Stack-based Buffer Overflow, Heap-based Buffer Overflow, and Improper Access Control (CWE-284), have been added to the list. SQL injection and Cross-site request forgery have moved up in the rankings, while several other weaknesses have dropped. The list highlights weaknesses that are frequently exploited by threat actors to compromise systems, steal data, or disrupt services. CISA and MITRE encourage organizations to review the list and integrate it into their software security strategies.
Timeline
- 12.12.2025 10:43: MITRE and CISA release 2025's top 25 most dangerous software weaknesses (2 articles)
Sources:
- MITRE shares 2025's top 25 most dangerous software weaknesses — www.bleepingcomputer.com — 12.12.2025 10:43
- Top 25 Most Dangerous Software Weaknesses of 2025 Revealed — www.infosecurity-magazine.com — 15.12.2025 12:45
Information Snippets
- MITRE analyzed 39,080 CVE records for vulnerabilities reported between June 1, 2024, and June 1, 2025. (First reported 12.12.2025 10:43; 2 sources, 2 articles)
- Cross-Site Scripting (CWE-79) remains the top weakness in the 2025 list. (First reported 12.12.2025 10:43; 2 sources, 2 articles)
- New entries in the 2025 list include Classic Buffer Overflow (CWE-120), Stack-based Buffer Overflow (CWE-121), and Improper Access Control (CWE-284). (First reported 12.12.2025 10:43; 2 sources, 2 articles)
- CISA and MITRE encourage organizations to review the list and integrate it into their software security strategies. (First reported 12.12.2025 10:43; 2 sources, 2 articles)
- SQL injection moved up one place to second in the 2025 list. (First reported 15.12.2025 12:45; 1 source, 1 article: www.infosecurity-magazine.com)
- Cross-site request forgery moved up one place to third in the 2025 list. (First reported 15.12.2025 12:45; 1 source, 1 article: www.infosecurity-magazine.com)
- Use-after-free moved up one place to eighth in the 2025 list. (First reported 15.12.2025 12:45; 1 source, 1 article: www.infosecurity-magazine.com)
- Code injection moved up one place to tenth in the 2025 list. (First reported 15.12.2025 12:45; 1 source, 1 article: www.infosecurity-magazine.com)
- Out-of-bounds write dropped from its ranking last year. (First reported 15.12.2025 12:45; 1 source, 1 article: www.infosecurity-magazine.com)
- Path traversal dropped from its ranking last year. (First reported 15.12.2025 12:45; 1 source, 1 article: www.infosecurity-magazine.com)
- Out-of-bounds read dropped from its ranking last year. (First reported 15.12.2025 12:45; 1 source, 1 article: www.infosecurity-magazine.com)
- OS command injection dropped from its ranking last year. (First reported 15.12.2025 12:45; 1 source, 1 article: www.infosecurity-magazine.com)
- New entries in the 2025 list include heap-based buffer overflow and authorization bypass through user-controlled key. (First reported 15.12.2025 12:45; 1 source, 1 article: www.infosecurity-magazine.com)
- Cory Michal from AppOmni argued that insufficiently protected credentials (CWE-522) should have been included in the Top 25. (First reported 15.12.2025 12:45; 1 source, 1 article: www.infosecurity-magazine.com)
- Identity, authorization, and access control issues are highlighted as critical areas for security teams. (First reported 15.12.2025 12:45; 1 source, 1 article: www.infosecurity-magazine.com)
Similar Happenings
Microsoft to Strengthen Entra ID Sign-Ins Against Script Injection Attacks
Microsoft plans to enhance the security of Entra ID authentication by implementing a strengthened Content Security Policy (CSP) starting in mid-to-late October 2026. This update will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during sign-ins. The policy aims to protect users against cross-site scripting (XSS) attacks, where attackers inject malicious code to steal credentials or compromise systems. The update will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, excluding Microsoft Entra External ID. Microsoft urges organizations to test sign-in scenarios before the deadline to identify and address dependencies on code-injection tools. IT administrators can review sign-in flows in the browser developer console to identify violations. Enterprise customers are advised to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect. This move is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023, following a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security. The initiative also includes updates to Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols, and the disabling of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps. Additionally, Microsoft has expanded its bug bounty program to cover all online services, including third-party and open-source components, if they impact Microsoft online services. The company has paid over $17 million in bounty awards to 344 security researchers over the last 12 months, and another $16.6 million to 343 security researchers during the previous year. 
Microsoft has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures. The adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%. Microsoft has enforced Mandatory MFA across all services, including for all Azure service users. The company has also introduced Automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust. Microsoft has migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK). The company has discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment and decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments. Microsoft has advanced threat hunting by centrally tracking 98% of production infrastructure, achieved complete network device inventory and mature asset lifecycle management, and almost entirely locked code signing to production identities. The company has published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties.
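The sign-in hardening above comes down to a `script-src` policy that admits external scripts only from trusted CDN hosts and inline scripts only when they carry an approved nonce. The following is an added illustration, not Microsoft's actual policy or code: a small evaluator for such a directive, run over a constructed list of scripts that a sign-in page might load, so an administrator can see which ones (an extension-injected inline script, a script from an untrusted host) a policy of this shape would block. The host names (`cdn.example`, `*.static.example`) and the nonce value are placeholders; the matching rules are simplified (only `https` external sources, no `'self'` or hash handling).

```python
"""Constructed example: evaluate a CSP script-src directive against a page's scripts.

Placeholder policy and script list; not Microsoft's policy and not project code.
Simplifications (assumptions): external sources must be https, 'self' and
hash sources are not modelled, and 'unsafe-inline' is ignored when a nonce
is present, as CSP Level 2 and later specify.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class ScriptSrc:
    hosts: List[str]       # host expressions such as "cdn.example" or "*.static.example"
    nonces: List[str]      # values from 'nonce-...' tokens
    unsafe_inline: bool


def parse_script_src(header: str) -> ScriptSrc:
    """Extract the script-src directive from a Content-Security-Policy header value."""
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            hosts, nonces, unsafe_inline = [], [], False
            for tok in tokens[1:]:
                if tok.startswith("'nonce-") and tok.endswith("'"):
                    nonces.append(tok[len("'nonce-"):-1])
                elif tok == "'unsafe-inline'":
                    unsafe_inline = True
                elif tok.startswith("'"):
                    continue  # 'self', 'strict-dynamic', hashes: not modelled here
                else:
                    hosts.append(tok.lower())
            return ScriptSrc(hosts, nonces, unsafe_inline)
    raise ValueError("header has no script-src directive")


def _host_matches(pattern: str, url: str) -> bool:
    """Match a CSP host expression (optionally with a scheme and a leading *.) against a URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":          # assumption: trusted CDN entries are https-only
        return False
    host = (parts.hostname or "").lower()
    if "://" in pattern:
        pattern = pattern.split("://", 1)[1]
    pattern = pattern.split("/", 1)[0]   # drop any path component
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def external_script_allowed(policy: ScriptSrc, url: str) -> bool:
    """An external script runs only if its origin matches an allowed host expression."""
    return any(_host_matches(h, url) for h in policy.hosts)


def inline_script_allowed(policy: ScriptSrc, nonce: Optional[str]) -> bool:
    """An inline script runs only with a matching nonce; 'unsafe-inline' counts
    only when no nonce is present in the policy."""
    if policy.unsafe_inline and not policy.nonces:
        return True
    return nonce is not None and nonce in policy.nonces


def find_violations(header: str, scripts: List[Tuple[str, str, Optional[str]]]) -> List[str]:
    """Return the labels of scripts the policy would block.

    Each script is (label, kind, value): kind is "external" (value = URL) or
    "inline" (value = nonce attribute or None).
    """
    policy = parse_script_src(header)
    blocked = []
    for label, kind, value in scripts:
        if kind == "external":
            ok = external_script_allowed(policy, value)
        else:
            ok = inline_script_allowed(policy, value)
        if not ok:
            blocked.append(label)
    return blocked


# Constructed sample policy and page scripts (placeholders, not real domains).
SAMPLE_POLICY = "default-src 'self'; script-src https://cdn.example *.static.example 'nonce-abc123'"
SAMPLE_SCRIPTS = [
    ("vendor-bundle", "external", "https://cdn.example/signin.js"),
    ("regional-asset", "external", "https://eu.static.example/strings.js"),
    ("plaintext-cdn", "external", "http://cdn.example/signin.js"),   # downgraded transport
    ("third-party-widget", "external", "https://widgets.other.example/inject.js"),
    ("page-bootstrap", "inline", "abc123"),                           # nonce issued by the server
    ("extension-injected", "inline", None),                           # no nonce: blocked
]

if __name__ == "__main__":
    for label in find_violations(SAMPLE_POLICY, SAMPLE_SCRIPTS):
        print(f"blocked: {label}")
```

Run as a script it lists the three blocked entries; the same function can be pointed at whatever script inventory a browser's developer console reports for a sign-in flow to surface dependencies that will break once the stricter policy is enforced.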
Critical Vulnerabilities in Fluent Bit Logging Agent
Critical vulnerabilities in Fluent Bit, a widely used telemetry agent, have been disclosed. These flaws affect log, metric, and trace handling across banking, cloud, and SaaS platforms. The issues include improper input validation, path traversal bugs, and authentication bypasses, allowing attackers to manipulate logs, overwrite files, and execute code. Patches are available in versions v4.1.1 and v4.0.12, but older versions remain at risk. The vulnerabilities could distort observability pipelines, impacting financial services, security products, and SaaS environments. Immediate patching and configuration hardening are recommended. AWS has urged customers to update to the latest version of Fluent Bit for optimal protection. The flaws could enable attackers to disrupt cloud services, manipulate data, and burrow deeper into cloud and Kubernetes infrastructure.
OAuth and API Token Theft Driving SaaS Breaches
Token theft is a leading cause of software-as-a-service (SaaS) breaches. OAuth and API tokens are often overlooked, allowing attackers to bypass multi-factor authentication (MFA) and other security measures. SaaS sprawl and the difficulty of monitoring third-party integrations exacerbate the issue. Recent breaches at Slack, CircleCI, Cloudflare, and Salesloft/Drift highlight the risks associated with token theft. These incidents underscore the need for better token hygiene and visibility into SaaS integrations. Security teams must address the blind spots created by SaaS sprawl and hidden token trust relationships to prevent future attacks.
Multiple vulnerabilities in Citrix and Git added to CISA KEV catalog
CISA has added multiple vulnerabilities to its KEV catalog due to active exploitation. The flaws affect Citrix Session Recording, Git, and Citrix NetScaler ADC and NetScaler Gateway. The Citrix Session Recording vulnerabilities were patched in November 2024, the Git flaw was addressed in July 2025, and the NetScaler vulnerabilities were patched in August 2025. Federal agencies must apply mitigations by September 15, 2025, for the earlier vulnerabilities and within 48 hours for the NetScaler vulnerabilities. The vulnerabilities are CVE-2024-8068, CVE-2024-8069, CVE-2025-48384, CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. The first two affect Citrix Session Recording, the third affects Git, and the last three affect Citrix NetScaler ADC and NetScaler Gateway. CVE-2025-48384 is an arbitrary file write vulnerability in Git due to inconsistent handling of carriage return characters in configuration files. The vulnerability affects macOS and Linux systems, with Windows systems being immune due to differences in control character usage. The flaw was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. The vulnerability impacts software developers using Git on workstations and CI/CD build systems. CVE-2025-7775 is a memory overflow vulnerability leading to remote code execution and/or denial-of-service. CVE-2025-7776 is a memory overflow vulnerability leading to unpredictable behavior and denial-of-service. CVE-2025-8424 is an improper access control vulnerability in the NetScaler Management Interface. CVE-2025-7775 has been actively exploited in the wild and was added to the CISA KEV catalog on August 26, 2025, requiring federal agencies to remediate within 48 hours. The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. 
The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.
NIST Updates Digital Identity Guidelines to Address Evolving Threats
The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines to enhance the security of the identity ecosystem. The revision, the first since 2017, addresses modern threats such as AI-enhanced phishing and deepfakes. It introduces new authentication measures, including passwordless technologies, and emphasizes continuous evaluation and risk-based identity proofing. The guidelines aim to help organizations contend with the current threat landscape by providing updated authentication risk and threat models, as well as technical requirements for identity proofing, enrollment, management, authentication, and federation. The update also includes recommendations for documenting and communicating the use of AI and machine learning systems. The changes reflect the evolving nature of cyber threats and the need for more robust identity and access management (IAM) protocols. Organizations are expected to adopt phishing-resistant authenticators and strengthen cross-functional risk management.