好的,我现在需要帮用户总结一篇文章的内容,控制在100字以内,并且不要用“文章内容总结”之类的开头。首先,我得仔细阅读这篇文章,理解它的主要信息。 文章主要讲的是MITRE发布了2025年的Top 25软件弱点列表,这些弱点导致了超过39,000个安全漏洞。合作机构包括HSSEDI和CISA,他们管理CWE项目。软件弱点包括代码、架构中的缺陷,攻击者可以利用这些来入侵系统。评分基于严重性和频率,分析了39,080个CVE记录。 排名变化方面,CWE-79(跨站脚本)保持第一,新增了Classic Buffer Overflow等。CISA建议组织参考这份列表来制定安全策略,并提到政府延长了对MITRE的资助。 接下来,我需要将这些信息浓缩到100字以内。重点包括:MITRE发布Top 25列表,基于39,080个CVE记录,分析软件弱点及其影响,新增和排名变化的弱点类型,以及CISA的建议和政府资助延长。 最后,确保语言简洁明了,直接描述内容,不使用开头语。 </think> MITRE发布了2025年Top 25软件弱点列表,基于39,080个CVE记录分析软件缺陷及其影响。新增Classic Buffer Overflow等高风险漏洞,部分弱点排名显著上升。CISA建议组织参考该列表制定安全策略,并延长对MITRE的资助以支持CVE项目。 2025-12-12 08:45:22 Author: www.bleepingcomputer.com(查看原文) 阅读量:8 收藏
MITRE has shared this year's top 25 list of the most dangerous software weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.
The list was released in cooperation with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and the Cybersecurity and Infrastructure Security Agency (CISA), which manage and sponsor the Common Weakness Enumeration (CWE) program.
Software weaknesses can be flaws, bugs, vulnerabilities, or errors found in a software's code, implementation, architecture, or design, and attackers can abuse them to breach systems running the vulnerable software. Successful exploitation allows threat actors to gain control over compromised devices and trigger denial-of-service attacks or access sensitive data.
To create this year's ranking, MITRE scored each weakness based on its severity and frequency after analyzing 39,080 CVE Records for vulnerabilities reported between June 1, 2024, and June 1, 2025.
While Cross-Site Scripting (CWE-79) still retains its spot at the top of the Top 25, there were many changes in rankings from last year's list, including Missing Authorization (CWE-862), Null Pointer Dereference (CWE-476), and Missing Authentication (CWE-306), which were the biggest movers up the list.
The new entries in this year's top-most severe and prevalent weaknesses are Classic Buffer Overflow (CWE-120), Stack-based Buffer Overflow (CWE-121), Heap-based Buffer Overflow (CWE-122), Improper Access Control (CWE-284), Authorization Bypass Through User-Controlled Key (CWE-639), and Allocation of Resources Without Limits or Throttling (CWE-770).
| Rank | ID | Name | Score | KEV CVEs | Change |
|---|---|---|---|---|---|
| 1 | CWE-79 | Cross-site Scripting | 60.38 | 7 | 0 |
| 2 | CWE-89 | SQL Injection | 28.72 | 4 | +1 |
| 3 | CWE-352 | Cross-Site Request Forgery (CSRF) | 13.64 | 0 | +1 |
| 4 | CWE-862 | Missing Authorization | 13.28 | 0 | +5 |
| 5 | CWE-787 | Out-of-bounds Write | 12.68 | 12 | -3 |
| 6 | CWE-22 | Path Traversal | 8.99 | 10 | -1 |
| 7 | CWE-416 | Use After Free | 8.47 | 14 | +1 |
| 8 | CWE-125 | Out-of-bounds Read | 7.88 | 3 | -2 |
| 9 | CWE-78 | OS Command Injection | 7.85 | 20 | -2 |
| 10 | CWE-94 | Code Injection | 7.57 | 7 | +1 |
| 11 | CWE-120 | Classic Buffer Overflow | 6.96 | 0 | N/A |
| 12 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 6.87 | 4 | -2 |
| 13 | CWE-476 | NULL Pointer Dereference | 6.41 | 0 | +8 |
| 14 | CWE-121 | Stack-based Buffer Overflow | 5.75 | 4 | N/A |
| 15 | CWE-502 | Deserialization of Untrusted Data | 5.23 | 11 | +1 |
| 16 | CWE-122 | Heap-based Buffer Overflow | 5.21 | 6 | N/A |
| 17 | CWE-863 | Incorrect Authorization | 4.14 | 4 | +1 |
| 18 | CWE-20 | Improper Input Validation | 4.09 | 2 | -6 |
| 19 | CWE-284 | Improper Access Control | 4.07 | 1 | N/A |
| 20 | CWE-200 | Exposure of Sensitive Information | 4.01 | 1 | -3 |
| 21 | CWE-306 | Missing Authentication for Critical Function | 3.47 | 11 | +4 |
| 22 | CWE-918 | Server-Side Request Forgery (SSRF) | 3.36 | 0 | -3 |
| 23 | CWE-77 | Command Injection | 3.15 | 2 | -10 |
| 24 | CWE-639 | Authorization Bypass via User-Controlled Key | 2.62 | 0 | +6 |
| 25 | CWE-770 | Allocation of Resources w/o Limits or Throttling | 2.54 | 0 | +1 |
"Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working," MITRE said.
"This annual list identifies the most critical weaknesses adversaries exploit to compromise systems, steal data, or disrupt services. CISA and MITRE encourage organizations to review this list and use it to inform their respective software security strategies," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added.
In recent years, CISA has issued multiple "Secure by Design" alerts spotlighting the prevalence of widely documented vulnerabilities that remain in software despite available mitigations.
Some of these alerts have been released in response to ongoing malicious campaigns, such as a July 2024 alert asking tech companies to eliminate path OS command injection weaknesses exploited by the Chinese Velvet Ant state hackers in attacks targeting Cisco, Palo Alto, and Ivanti network edge devices.
This week, the cybersecurity agency advised developers and product teams to review the 2025 CWE Top 25 to identify key weaknesses and adopt Secure by Design practices, while security teams were asked to integrate it into their app security testing and vulnerability management processes.
In April 2025, CISA also announced that the U.S. government had extended MITRE's funding for another 11 months to ensure continuity of the critical Common Vulnerabilities and Exposures (CVE) program, following a warning from MITRE VP Yosry Barsoum that government funding for the CVE and CWE programs was set to expire.
Break down IAM silos like Bitpanda, KnowBe4, and PathAI
Broken IAM isn't just an IT problem - the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.
如有侵权请联系:admin#unsafe.sh