CISA Unveils Top 25 Most Dangerous Software Vulnerabilities

These are the most critical weaknesses adversaries exploit to compromise systems and steal data.


The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by the MITRE Corporation, has released the 2025 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses.

This annual list identifies the most critical weaknesses adversaries exploit to compromise systems, steal data, or disrupt services. 

Prioritizing the weaknesses outlined in the Top 25 is integral to CISA’s Secure by Design and Secure by Demand initiatives, which promote building and procuring secure technology solutions. CISA and MITRE encourage organizations to review this list and use it to inform their respective software security strategies.

The 2025 CWE Top 25:

  • Supports Vulnerability Reduction: By focusing on the Top 25, organizations can prioritize lifecycle changes, adopt safer architectural decisions, and reduce high-impact vulnerabilities related to injection, access control, and memory safety defects.
  • Drives Cost Efficiencies: Eliminating weaknesses early reduces downstream remediation; addressing them before deployment is more efficient and cost effective than patching, reconfiguring, or responding to emergency incidents.
  • Strengthens Customer and Stakeholder Trust: Transparent efforts to identify, mitigate, and monitor weaknesses demonstrate commitment to Secure by Design principles. Organizations that prioritize eliminating recurring weaknesses contribute to a safer software ecosystem.
  • Promotes Consumer Awareness: The Top 25 empowers consumers to understand underlying causes of common vulnerabilities, supports more informed purchasing decisions, and encourages adoption of products that follow robust security engineering practices.

By shining a light on the most dangerous software weaknesses, CISA and MITRE reinforce collective efforts to reduce vulnerabilities at the source, strengthen national cybersecurity, and improve long-term resilience. For details, refer to the 2025 CWE Top 25.
