2024's Most Critical Software Vulnerabilities
The MITRE Corporation has once again released its annual list of the top 25 most dangerous software weaknesses. This year's list, developed in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), highlights the most severe and prevalent vulnerabilities that could be exploited by malicious actors.
Understanding the Threat Landscape
The 2024 CWE Top 25 list is a critical resource for developers, security professionals, and organisations worldwide. By identifying the most common and dangerous software weaknesses, this list enables organisations to prioritise their security efforts and allocate resources effectively.
Key Vulnerabilities to Watch Out For:
- Cross-site Scripting (XSS) (CWE-79): This persistent threat allows attackers to inject malicious scripts into web pages, stealing sensitive information or compromising user sessions.
- Out-of-Bounds Write (CWE-787): This vulnerability can lead to memory corruption, crashes, and potential remote code execution.
- SQL Injection (SQLi) (CWE-89): Attackers can exploit SQLi to manipulate database queries, steal data, or even take control of the database server.
- Cross-Site Request Forgery (CSRF) (CWE-352): This attack tricks users into performing unauthorised actions on behalf of their authenticated sessions.
- Path Traversal (CWE-22): Attackers can exploit this vulnerability to access files outside the intended directory, potentially leading to data exposure or system compromise.
TOP 25 MOST DANGEROUS SOFTWARE WEAKNESSES OF 2024
| RANK | WEAKNESS NAME | CWE ID | SCORE | CVES IN KEV | CHANGE |
| 1 | Cross-site Scripting | CWE-79 | 56.92 | 3 | +1 |
| 2 | Out-of-bounds Write | CWE-787 | 45.20 | 18 | -1 |
| 3 | SQL Injection | CWE-89 | 35.88 | 4 | 0 |
| 4 | Cross-Site Request Forgery (CSRF) | CWE-352 | 19.57 | 0 | +5 |
| 5 | Path Traversal | CWE-22 | 12.74 | 4 | +3 |
| 6 | Out-of-bounds Read | CWE-125 | 11.42 | 3 | +1 |
| 7 | OS Command Injection | CWE-78 | 11.30 | 5 | -2 |
| 8 | Use After Free | CWE-416 | 10.19 | 5 | -4 |
| 9 | Missing Authorisation | CWE-862 | 10.11 | 0 | +2 |
| 10 | Unrestricted Upload of File with Dangerous Type | CWE-434 | 10.03 | 0 | 0 |
| 11 | Code Injection | CWE-94 | 7.13 | 7 | +12 |
| 12 | Improper Input Validation | CWE-20 | 6.78 | 1 | -6 |
| 13 | Command Injection | CWE-77 | 6.74 | 4 | +3 |
| 14 | Improper Authentication | CWE-287 | 5.94 | 4 | -1 |
| 15 | Improper Privilege Management | CWE-269 | 5.22 | 0 | +7 |
| 16 | Deserialization of Untrusted Data | CWE-502 | 5.07 | 5 | -1 |
| 17 | Exposure of Sensitive Information to an Unauthorised Actor | CWE-200 | 5.07 | 0 | +13 |
| 18 | Incorrect Authorisation | CWE-863 | 4.05 | 2 | +6 |
| 19 | Server-Side Request Forgery (SSRF) | CWE-918 | 4.05 | 2 | 0 |
| 20 | Improper Restriction of Operations within the Bounds of a Memory Buffer | CWE-119 | 3.69 | 2 | -3 |
| 21 | NULL Pointer Dereference | CWE-476 | 3.58 | 0 | -9 |
| 22 | Use of Hard-coded Credentials | CWE-798 | 3.46 | 2 | -4 |
| 23 | Integer Overflow or Wraparound | CWE-190 | 3.37 | 3 | -9 |
| 24 | Uncontrolled Resource Consumption | CWE-400 | 3.23 | 0 | +13 |
| 25 | Missing Authentication for Critical Function | CWE-306 | 2.73 | 5 | -5 |
June Cyber News Monthly Wrap-up
June Cyber News Monthly Wrap-up As FY25 kicks off, Australian cybersecurity leaders are facing a rapidly evolving threat landscape. From regulatory enforcement to critical infrastructure vulnerabilities, June’s cyber headlines underscore […]
Read More
What CIOs Should Ask Their MSSP in FY25 Planning
WHAT CIOS SHOULD ASK THEIR MSSP IN FY25 PLANNING As Australian enterprises enter FY25, cyber security is no longer just a technical function it’s a board-level priority. With threat actors […]
Read More
Australian SME Achieves ISO 27001 Certification with MSSP Support
CASE STUDY SPOTLIGHT: FROM COMPLIANCE GAPS TO ISO CERTIFICATION The Challenge: Compliance Gaps Threaten Business Continuity When a Sydney based financial and legal consulting firm approached their annual cyber insurance […]
Read More
How Shadow IT and SaaS Sprawl Expose Your Business to Cyber Risk
SHADOW IT & SAAS SPRAWL: HIDDEN RISKS IN YOUR CLOUD ENVIRONMENT You can’t protect what you can’t see. In today’s fast-moving digital workplace, employees regularly adopt tools like file-sharing platforms, […]
Read More