Top Software Weaknesses of 2024: Insights from CISA and MITRE's Latest Report

By Jack Ekelof, VP Sales & Marketing

The following list walks through the 2024 CWE Top 25 Most Dangerous Software Weaknesses published by CISA and MITRE. Entries are ranked by a score that combines how often a weakness is the root cause of a CVE record with the average severity of those CVEs, so the order reflects prevalence and impact together.

Understanding the Rankings: Each entry lists its CWE identifier, followed by how many CVEs mapped to that weakness in the 2024 data set also appear in CISA's Known Exploited Vulnerabilities catalog (CVEs in KEV). That count measures confirmed real-world exploitation within the analysis window, not how often the weakness has ever been exploited.

Why These Weaknesses Matter: CWE-79, Cross-site Scripting, moved from second place to first. XSS is not new, and its climb is a reminder that untrusted input still reaches web pages without proper output encoding in a large share of shipping products.

Out-of-bounds Write (CWE-787) and SQL Injection (CWE-89) hold second and third place. They are different problems with different fixes: the first is a memory-safety bug (a missing bounds check or an unsafe copy), the second is untrusted data spliced into query text instead of being bound as a parameter. Both keep producing exploited CVEs year after year.

Emerging Threats: The biggest mover is Improper Control of Generation of Code ('Code Injection') (CWE-94), up 12 positions to #11 with seven KEV entries. CWE-94 covers any path where untrusted input ends up interpreted as code (template expressions, eval-style calls, dynamically assembled scripts), and a move of that size in one year usually points to a weakness class attackers are actively finding in new or under-tested code paths.

By familiarizing yourself with these top vulnerability categories, you can proactively strengthen your software defenses and reduce the risk of exploitation. Always stay updated on the latest security guidelines and best practices to protect your systems effectively.

Discover the 25 most critical software weaknesses of 2024 and stay ahead of emerging security threats.

#1 Improper Neutralization of Input During Web Page Generation ('Cross-Site Scripting')

CWE-79

CVEs in KEV: 3

Previous Rank: 2 (up one, to the top)

Highlight #1 Cross-site scripting (XSS)

XSS vulnerabilities arise when a web application places untrusted input into a page without encoding or sanitizing it for the context where it lands (HTML body, attribute value, script, URL). An attacker can then supply script that runs in other users' browsers with the application's own origin, which is enough to steal credentials, hijack sessions, or deliver further payloads.

In 2024 CWE-79 moved from second place to the top of the list, a sign that XSS remains a live problem in deployed web applications rather than a solved one.

A variety of vulnerabilities linked to CWE-79 were exploited in 2024, such as:

  • CVE-2014-2120: An old flaw in the WebVPN login page of the Cisco Adaptive Security Appliance (ASA) that still allows script injection on unpatched devices. Cisco updated its advisory in December 2024 after researchers reported active exploitation tied to the Androxgh0st botnet.
  • CVE-2024-37383: A flaw in how Roundcube Webmail handled SVG animate attributes let attackers execute JavaScript in the victim's webmail session; it was delivered in crafted emails to government agencies in Commonwealth of Independent States (CIS) countries.
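The two situations above need two different defences. Plain text that lands in a page must be output-encoded for its context; rich content that legitimately contains HTML (a webmail client rendering a message, as in the Roundcube case) cannot be encoded, so it has to be rebuilt against an allowlist. The following is an added example written for this article, not code from the original page or from Cisco, Roundcube or any other product named here; the greeting page, the allowlist and the payloads are constructed for illustration.

```python
"""Two defences against CWE-79, side by side with the vulnerable pattern.

Added example for this article; not code from the original page or from
any product it names. All payloads and tag/attribute lists are constructed.
"""
import html
from html.parser import HTMLParser

# --- Case 1: untrusted text that must stay text -------------------------

def render_greeting_vulnerable(name: str) -> str:
    # CWE-79: raw concatenation copies attacker-supplied markup into the page.
    return "<p>Hello, " + name + "</p>"

def render_greeting_hardened(name: str) -> str:
    # Output-encode for the HTML context; quote=True also encodes " and '
    # so the same helper is safe inside a double-quoted attribute value.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

# --- Case 2: rich content where some HTML must be allowed ---------------
# Parse the fragment and rebuild it from an allowlist. Anything not listed
# (every on* handler, <script>, the whole <svg> subtree including <animate>)
# is dropped together with its content.

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")
# Void elements never get an end tag, so they must not open a "skip" scope.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "track", "wbr"}

class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip = 0  # >0 while inside a dropped element (its text is dropped too)

    def handle_starttag(self, tag, attrs):
        if self._skip or tag not in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self._skip += 1
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick, onmouseover, style, ...
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # javascript:, data:, vbscript:; relative URLs rejected too, to keep the rule simple
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip:
            if tag not in VOID_TAGS:
                self._skip -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            # Text is re-encoded, so "&lt;" in the source stays "&lt;" in the output.
            self.out.append(html.escape(data, quote=False))

def sanitize_html(fragment: str) -> str:
    """Return the fragment rebuilt from allowlisted tags and attributes only."""
    s = AllowlistSanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)

if __name__ == "__main__":
    payload = '<svg><animate onbegin="alert(1)" attributeName="x"/></svg><b>hi</b>'
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_hardened("<script>alert(1)</script>"))
    print(sanitize_html(payload))  # <b>hi</b>
```

Note that an unclosed disallowed element swallows everything after it; the sanitizer fails closed rather than open, which is the right default for a mail client.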

#2 Out-of-bounds Write

CWE-787

CVEs in KEV: 18

Previous Rank: 1 (down one)

Highlight #2: Out-of-Bounds Write

Out-of-bounds write vulnerabilities emerge when a program writes data beyond the limits of allocated memory space. This critical flaw can trigger unexpected consequences like crashes, data corruption, or even the execution of malicious code. Although it has dropped to the second position on the 2024 CWE list, CWE-787 continues to present a significant threat.

Key instances of CWE-787 exploitation in 2024 include:

  • CVE-2024-21762: A vulnerability present in Fortinet FortiOS that permits remote, unauthenticated attackers to execute arbitrary code via carefully constructed HTTP requests. This weakness was exploited by the Chinese APT group Volt Typhoon to deploy custom malware.
  • CVE-2023-34048: An out-of-bounds write in the DCERPC protocol implementation of VMware vCenter Server. In January 2024 Mandiant reported that the UNC3886 group had been exploiting it since late 2021 to harvest credentials and install backdoors like VirtualPita and VirtualPie on ESXi hosts, enabling privilege escalation and data theft.
  • CVE-2024-23225 and CVE-2024-23296: Kernel memory-corruption bugs in Apple's iOS, macOS and watchOS that let an attacker who already has arbitrary kernel read and write bypass kernel memory protections.
  • CVE-2024-0519 and CVE-2024-4761 in Chromium's V8 JavaScript engine, and CVE-2023-7024 in WebRTC: browser bugs exploited in the wild, exposing millions of users to heap corruption and remote code execution through Google Chrome and other Chromium-based browsers.

Out-of-bounds writes are dangerous because the memory they corrupt can be a return address, a function pointer, a length field or heap metadata; that is what turns a crash into remote code execution.

#3 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

CVEs in KEV: 4

Previous Rank: 3 (no change)

Highlight #3: SQL Injection

SQL injection occurs when untrusted input is spliced into the text of a SQL statement instead of being passed as a bound parameter, so characters such as quotes and comment markers change the query's structure. Attackers use it to read or modify data, dump credential stores, or reach administrative functions of the database server. CWE-89 kept its third-place position on the 2024 CWE Top 25 list.

Let's look at some actively exploited SQL Injection vulnerabilities in 2024:

  • CVE-2023-48788: A SQL injection in Fortinet FortiClient EMS that let unauthenticated attackers run system-level commands through specially crafted requests. It was used in the Connect:fun campaign, which targeted media companies, to penetrate networks.
  • CVE-2024-6670: In Progress WhatsUp Gold, attackers used this SQL injection to retrieve encrypted user passwords and then achieved remote code execution by abusing the Active Monitor PowerShell script feature.
  • CVE-2024-9379 and CVE-2024-29824: SQL injections in Ivanti products (Cloud Services Appliance and Endpoint Manager, respectively) that a nation-state actor chained with other flaws to move laterally within victim networks.
  • CVE-2024-9465: In Palo Alto Networks Expedition, this flaw allowed attackers to access sensitive database contents, such as password hashes, usernames, and device configurations.

Last year's wide-scale exploitation of the MOVEit Transfer SQL injection (CVE-2023-34362) by the Cl0p ransomware group shows how much damage a single CWE-89 flaw can do: roughly 2,770 organizations were affected according to Progress Software's SEC Form 8-K filing.
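The cases above all come down to the same defect: request data concatenated into statement text. The following is an added example written for this article, not code from the original page or from Fortinet, Progress, Ivanti or Palo Alto Networks. It uses an in-memory SQLite database with constructed rows, shows a UNION payload dumping password hashes (the Expedition outcome) from the string-built query while the bound-parameter version returns nothing, and covers the one place parameters cannot help, identifiers such as an ORDER BY column, with an allowlist.

```python
"""CWE-89 side by side: string-built SQL versus bound parameters.

Added example for this article, not code from the original page or from
any vendor it names. The schema, rows and hashes are constructed.
"""
import sqlite3

def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "$2b$12$alice-demo-hash", 1), ("bob", "$2b$12$bob-demo-hash", 0)],
    )
    return conn

def find_nonadmin_user_vulnerable(conn, username: str) -> list:
    # CWE-89: the request value is spliced into the statement text, so a quote
    # or a comment marker in it rewrites the query's structure.
    query = (f"SELECT username, password_hash FROM users "
             f"WHERE username = '{username}' AND is_admin = 0")
    return conn.execute(query).fetchall()

def find_nonadmin_user_hardened(conn, username: str) -> list:
    # The statement is fixed; the value travels as a bound parameter and is
    # never parsed as SQL, whatever characters it contains.
    query = ("SELECT username, password_hash FROM users "
             "WHERE username = ? AND is_admin = 0")
    return conn.execute(query, (username,)).fetchall()

# Identifiers (table and column names, ORDER BY targets) cannot be bound as
# parameters. Map the caller's choice onto a fixed allowlist instead of
# concatenating it.
SORTABLE_COLUMNS = {"name": "username", "id": "id"}

def list_users_sorted(conn, sort_key: str) -> list:
    column = SORTABLE_COLUMNS.get(sort_key)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort_key!r}")
    return conn.execute(f"SELECT username FROM users ORDER BY {column}").fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    dump = "' UNION SELECT username, password_hash FROM users --"
    print("vulnerable:", find_nonadmin_user_vulnerable(db, dump))  # every hash, admin included
    print("hardened:  ", find_nonadmin_user_hardened(db, dump))    # []
```

The `-- ` tail of the payload comments out the `AND is_admin = 0` filter, which is why the vulnerable query also returns the admin row; the parameterised query looks for a user literally named `' UNION SELECT ...` and finds none.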

#4 Cross-Site Request Forgery (CSRF)

CWE-352

CVEs in KEV: 0

Previous Rank: 9 (up five)

Highlight #4: Cross-Site Request Forgery

CSRF abuses the trust a web application places in a browser that already holds a valid session: a malicious page makes the victim's browser send a state-changing request, and the browser attaches the session cookie automatically, so the application carries out actions such as altering account settings or making transfers as if the user had asked for them. In 2024 CWE-352 climbed five positions to fourth place on the CWE Top 25 list.

Although it ranks high, the KEV count for CWE-352 is zero because that column only counts CVEs from the 2024 data set. The one CSRF entry CISA added to the KEV Catalog in 2024 is a flaw addressed back in 2014:

  • CVE-2014-100005: This outdated flaw in D-Link DIR-600 routers lets a malicious page submit configuration changes on behalf of a logged-in administrator. Despite its age, it still affects devices that have reached end-of-life, which should be decommissioned or replaced following vendor recommendations.

Numerous CSRF vulnerabilities surfaced in 2024, including high-severity ones in Cisco Expressway Series, Cisco IOS/IOS XE, Jenkins and a widely used WordPress plugin, but none had been added to the KEV Catalog.
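The router case makes the defect concrete: the handler trusts the session cookie alone. The following is an added example written for this article, not code from the original page or from D-Link or any vendor named above. It models a settings endpoint with an in-memory session store (constructed; a real server would keep sessions elsewhere), a `SameSite=Lax` cookie, a strict Origin/Referer check and a per-session synchronizer token compared in constant time; the origin `https://router.example` and the DNS values are assumptions.

```python
"""CWE-352: a state-changing handler with and without request-forgery checks.

Added example for this article, not code from the original page or from any
vendor it names. Session store, routes and values are constructed.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://router.example"   # constructed origin of the admin UI
SESSIONS: dict[str, dict] = {}           # session cookie value -> session state

def new_session(user: str) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "dns": "192.0.2.53",
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid

def session_cookie(sid: str) -> str:
    # SameSite=Lax stops the browser attaching the cookie to cross-site POSTs,
    # which defeats the classic forged-form attack on modern browsers; the
    # token check below still matters for older clients and same-site abuse.
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

def set_dns_vulnerable(sid: str, form: dict) -> int:
    # CWE-352: the only check is the session cookie, which the browser attaches
    # automatically, including to a form that a malicious page submits.
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    sess["dns"] = form["dns"]
    return 200

def _request_origin(headers: dict):
    if "Origin" in headers:
        return headers["Origin"]
    if "Referer" in headers:
        parts = urlsplit(headers["Referer"])
        return f"{parts.scheme}://{parts.netloc}"
    return None

def set_dns_hardened(sid: str, form: dict, headers: dict) -> int:
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    # 1. Origin (or Referer) must name this site exactly; a prefix match would
    #    accept https://router.example.attacker.example.
    if _request_origin(headers) != SITE_ORIGIN:
        return 403
    # 2. Synchronizer token: the form must carry the per-session secret that
    #    only a page served by this site could have read. Constant-time compare.
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf_token"]):
        return 403
    sess["dns"] = form["dns"]
    return 200

if __name__ == "__main__":
    sid = new_session("admin")
    forged = {"dns": "203.0.113.66"}  # what an attacker's hidden form would post
    print("vulnerable:", set_dns_vulnerable(sid, forged))                       # 200
    print("hardened:  ", set_dns_hardened(sid, forged, {"Origin": "https://attacker.example"}))  # 403
```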

#5 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

CVEs in KEV: 4

Previous Rank: 8 (up three)

Highlight #5: Path Traversal

Improper validation of user input in applications can open the door to path traversal vulnerabilities. This occurs when attackers alter file paths to access files and directories outside the permitted scope. When exploited, this flaw can lead to unauthorized access to sensitive data, data exposure, or even execution of malicious code. In 2024, CWE-22 climbed three positions, securing the fifth place in the CWE Top 25 list, emphasizing the persistent threat of poorly managed file paths.

Throughout 2024, several path traversal vulnerabilities labeled under CWE-22 were exploited, such as:

  • CVE-2024-11667: A vulnerability in Zyxel firewalls allows the download or upload of files through manipulated URLs. Attackers leveraged this flaw in Helldown ransomware campaigns.
  • CVE-2021-26086: In Atlassian Jira Server and Data Center, this path traversal lets attackers read restricted files such as /WEB-INF/web.xml.
  • CVE-2024-8963: Affecting Ivanti Cloud Services Appliance (CSA), this issue can be exploited to bypass admin authentication and execute arbitrary commands, especially when paired with other vulnerabilities like CVE-2024-8190.
  • CVE-2024-32113: Found in Apache OFBiz, it exposes systems to remote code execution through poor file path validation.
  • CVE-2024-28995: In SolarWinds Serv-U, this vulnerability enables attackers to access sensitive files on the host system through path traversal.

Path Traversal vulnerabilities impact a range of systems, from enterprise software to essential infrastructure devices like firewalls. The increased ranking of CWE-22 underscores the necessity for robust file path validation and diligent patching strategies.
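What "robust file path validation" means in practice: decode the request value, canonicalise the joined path, and check that the result is still inside the base directory. The following is an added example written for this article, not code from the original page or from Zyxel, Atlassian, Ivanti, Apache or SolarWinds. It builds a constructed directory tree in a temporary folder (an `uploads` directory the application may serve, and a `secret.txt` one level above it), then shows `../`, URL-encoded `%2e%2e/`, an absolute path and an in-tree symlink all succeeding against the naive join and all being refused by the `resolve()`-based check.

```python
"""CWE-22: serving a file by request-supplied name, before and after the check.

Added example for this article, not code from the original page or from any
product it names. The directory layout is constructed in a temp directory.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

def build_demo_tree() -> dict:
    root = Path(tempfile.mkdtemp(prefix="cwe22-"))
    uploads = root / "uploads"
    uploads.mkdir()
    (uploads / "report.txt").write_text("quarterly report")
    (root / "secret.txt").write_text("db_password=example-only")
    has_symlink = True
    try:
        # An in-tree symlink pointing outside: the check must follow it.
        os.symlink(root / "secret.txt", uploads / "link.txt")
    except OSError:
        has_symlink = False  # platforms without symlink support
    return {"base": uploads, "has_symlink": has_symlink}

def read_upload_vulnerable(base: Path, name: str) -> str:
    # CWE-22: the decoded request value is joined and opened as-is, so
    # "../secret.txt", "%2e%2e/secret.txt" and "/etc/passwd" all resolve
    # outside the intended directory (an absolute path discards `base`).
    return (base / unquote(name)).read_text()

def read_upload_hardened(base: Path, name: str) -> str:
    base_real = base.resolve()
    # Decode first (so "%2e%2e" is seen as ".."), then canonicalise: resolve()
    # collapses ".." segments, follows symlinks and makes the path absolute.
    target = (base_real / unquote(name)).resolve()
    if not target.is_relative_to(base_real):  # Python 3.9+
        raise PermissionError(f"path escapes {base_real}: {name!r}")
    return target.read_text()

if __name__ == "__main__":
    demo = build_demo_tree()
    print(read_upload_vulnerable(demo["base"], "%2e%2e/secret.txt"))  # leaks the secret
    try:
        read_upload_hardened(demo["base"], "%2e%2e/secret.txt")
    except PermissionError as exc:
        print("refused:", exc)
```

The check is done on the canonical path, not on the input string: filtering `..` out of the request would miss encoded forms and symlinks, whereas comparing resolved paths catches whatever the filesystem would actually open.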

#6 Out-of-bounds Read

CWE-125

CVEs in KEV: 3

Previous Rank: 7 (up one)

#7 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

CVEs in KEV: 5

Previous Rank: 5 (down two)

#8 Use After Free

CWE-416

CVEs in KEV: 5

Previous Rank: 4 (down four)

#9 Missing Authorization

CWE-862

CVEs in KEV: 0

Previous Rank: 11 (up two, into the top 10)

#10 Unrestricted Upload of File with Dangerous Type

CWE-434

CVEs in KEV: 0

Previous Rank: 10 (no change)

#11 Improper Control of Generation of Code ('Code Injection')

CWE-94

CVEs in KEV: 7

Previous Rank: 23 (up 12)

#12 Improper Input Validation

CWE-20

CVEs in KEV: 1

Previous Rank: 6 (down six)

#13 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

CVEs in KEV: 4

Previous Rank: 16 (up three)

#14 Improper Authentication

CWE-287

CVEs in KEV: 4

Previous Rank: 13 (down one)

#15 Improper Privilege Management

CWE-269

CVEs in KEV: 0

Previous Rank: 22 (up seven)

#16 Deserialization of Untrusted Data

CWE-502

CVEs in KEV: 5

Previous Rank: 15 (down 1)

#17 Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

CVEs in KEV: 0

Previous Rank: 30 (up 13)

#18 Incorrect Authorization

CWE-863

CVEs in KEV: 2

Previous Rank: 24 (up six)

#19 Server-Side Request Forgery (SSRF)

CWE-918

CVEs in KEV: 2

Previous Rank: 19 (no change)

#20 Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119

CVEs in KEV: 2

Previous Rank: 17 (down three)

#21 NULL Pointer Dereference

CWE-476

CVEs in KEV: 0

Previous Rank: 12 (down nine)

#22 Use of Hard-coded Credentials

CWE-798

CVEs in KEV: 2

Previous Rank: 18 (down four)

#23 Integer Overflow or Wraparound

CWE-190

CVEs in KEV: 3

Previous Rank: 14 (down nine)

#24 Uncontrolled Resource Consumption

CWE-400

CVEs in KEV: 0

Previous Rank: 37 (up 13)

#25 Missing Authentication for Critical Function

CWE-306

CVEs in KEV: 5

Previous Rank: 20 (up five)

CISA KEV Catalog Representation of the 2024 CWE Top 5

As we delve deeper into the top five software weaknesses examined earlier, it's valuable to see how many vulnerabilities from 2024 are part of the CISA Known Exploited Vulnerabilities (KEV) Catalog.

Here's the breakdown for the top five CWEs:

  • Out-of-bounds Write (CWE-787) takes the lead in the KEV Catalog with 18 vulnerabilities, highlighting its extensive exploitation.
  • Following closely, SQL Injection (CWE-89) and Path Traversal (CWE-22) each have 4 vulnerabilities, underlining their significance in attack strategies.
  • Cross-site Scripting (CWE-79) includes 3 vulnerabilities, emphasizing the persistent importance of XSS attacks.
  • Cross-Site Request Forgery (CWE-352) has no CVEs from the 2024 data set in the KEV Catalog despite its high ranking. Its position is driven by how often and how severely it appears in CVE records, not by documented exploitation, and that gap is the widest in the top five.

Attack Surface Recommendations

Evolve Security's Continuous Penetration Testing Platform delivers actionable intelligence by keeping a vigilant eye on your attack surfaces and applications. It aids your organization in pinpointing and addressing emerging threats before they can be exploited. By offering prompt alerts and insights, along with comprehensive manual testing, it helps effectively mitigate risks and safeguard your digital environments. Incorporating an expert-driven approach to vulnerability management, this platform is:

  • Proactive: Detects vulnerabilities early so they can be fixed before exploitation occurs.
  • Comprehensive: Combines automated scanning with real-world threat intelligence and manual testing for thorough assessments.
  • Scalable: Adapts to the growing needs of your organization, ensuring sustained protection as your digital assets expand.

By integrating tools like Evolve Security's Darwin Attack and eASM platform, organizations align their security efforts with the principles outlined in the CISA and MITRE's Top Software Weaknesses of 2024: prioritizing risk, enhancing threat response, and ultimately, building more cyber resilience.

Conclusion

The 2024 CWE Top 25 Most Dangerous Software Weaknesses list makes the case for treating these weakness classes as standing priorities rather than one-off findings. With Cross-Site Scripting (CWE-79) and Out-of-Bounds Write (CWE-787) at the top, it reflects a threat landscape in which long-known weaknesses are still the ones being exploited, alongside newer ones climbing the ranking.

By incorporating examples from the CISA Known Exploited Vulnerabilities (KEV) Catalog, this article emphasizes how adversaries continue to exploit these vulnerabilities, leading to widespread disruptions and data leaks. For organizations, this should serve as a wake-up call to prioritize Continuous Threat Exposure Management solutions to stay proactive against potential threats.

To dive deeper, explore the comprehensive CWE Top 25 lists and methodologies on MITRE’s CWE website.

Ready to find more vulnerabilities than your last pentest?

Unlock your organization's full security potential and uncover even more vulnerabilities than before by choosing our advanced penetration testing services.