Features 30.01.2025

The Top Software Weaknesses of 2024, and What to Do About Them

MITRE has published its Top 25 Most Dangerous Software Weaknesses report

The same old CWEs keep on cropping up, year after year, finds Kate O’Flaherty

Weaknesses in software are a matter of fact, despite the industry’s best efforts. But at least ethical hackers are getting better at finding vulnerabilities, leading to swift patching by vendors to help keep companies safer.

Yet despite these endeavours, the same classes of vulnerability keep recurring. This is where MITRE’s latest Top 25 Most Dangerous Software Weaknesses list comes into its own – shining a light on the most critical flaws listed in the Common Weakness Enumeration (CWE) catalogue between June 2023 and June 2024.

In highlighting the code, design or architectural issues that can result in exploitable flaws, the document “serves as a powerful guide for investments, policies and practices to prevent these vulnerabilities from occurring in the first place”, MITRE claims. So what were the top CWEs in 2024 and how can organisations improve their resilience?

The top five CWEs

The top five software weaknesses in the 2024 list are:

  1. Improper Neutralization of Input During Web Page Generation (Cross-site Scripting), CWE-79 (rank last year: 2)
  2. Out-of-bounds Write, CWE-787 (rank last year: 1)
  3. Improper Neutralization of Special Elements used in an SQL Command (SQL Injection), CWE-89 (rank last year: 3)
  4. Cross-Site Request Forgery (CSRF), CWE-352 (rank last year: 9)
  5. Improper Limitation of a Pathname to a Restricted Directory (Path Traversal), CWE-22 (rank last year: 8)

This year’s list highlights firms’ increasing reliance on web-based technologies, with cross-site scripting (XSS) now topping the list, says Sean Wright, head of application security at Featurespace. However, many of the software weaknesses listed, including XSS, have been around for years, which he tells Assured Intelligence is “frustrating, because they are well-understood”.

Out-of-bounds write issues were second on the CWE list, but the remedy is relatively simple. These types of flaws can be mitigated by strict bounds checking, use of memory-safe programming languages and adherence to secure coding practices, according to Saeed Abbasi, manager of vulnerability research at the Qualys Threat Research Unit. Formal verification tools and advanced runtime protections can also help detect and halt unsafe memory operations effectively, he tells Assured Intelligence.

SQL injection is the “most concerning” CWE

SQL injection occurs when malicious code is embedded directly into SQL queries and allows attackers to manipulate databases, extract sensitive data or destroy records. Although placed third on MITRE’s list, there were four associated vulnerabilities listed on the Known Exploited Vulnerabilities (KEV) catalogue maintained by the US Cybersecurity and Infrastructure Security Agency (CISA). XSS had three in the catalogue in 2024.


Ed Williams, VP of SpiderLabs at Trustwave, says SQL injection is the most concerning CWE on the list. He cites the example of an SQL injection flaw in Zabbix, a widely used network monitoring solution. The vulnerability, tracked as CVE-2024-42327, has a CVSS rating of 9.9, “indicating its severe impact”, says Williams. The issue with this type of vulnerability is the ability for attackers to gain access to large amounts of data.

“Another problem is, attacks can be leveraged to gain access to the underlying operating system and further penetrate hosts and networks,” he tells Assured Intelligence.

As “a grey-haired cyber security professional”, Williams finds it “disappointing that we’re still seeing these vulnerabilities”. He points out that SQL injection-based attacks first emerged in around 1998.

“To me, this is now a solved problem with numerous well-documented mitigations,” he adds.

Firms should use parameterised queries and prepared statements to keep user input safe from SQL injection, he says.
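The contrast Williams describes, as an added example that is not the article's own code nor that of Trustwave or any other vendor quoted: a string-built query beside its parameterised replacement, run against an in-memory SQLite table with constructed sample rows. The hostile input is a constructed illustration of a quote character changing the meaning of the statement; the prepared statement treats the same string as a plain value.

```python
import sqlite3

# Constructed sample data: three users, exactly one of them named "alice".
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the caller's string is spliced into the SQL text, so a
    quote character in it is parsed as part of the statement, not as data."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: a prepared statement with a bound parameter. The driver
    passes the value separately from the SQL text, so it can only ever be data."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary name and a constructed hostile string
    and return how many rows each combination yields."""
    conn = make_db()
    ordinary = "alice"
    # Constructed hostile input: closes the literal, then adds an always-true clause.
    hostile = "nobody' OR '1'='1"
    return {
        "unsafe_ordinary": len(lookup_unsafe(conn, ordinary)),
        "unsafe_hostile": len(lookup_unsafe(conn, hostile)),   # every row leaks
        "safe_ordinary": len(lookup_safe(conn, ordinary)),
        "safe_hostile": len(lookup_safe(conn, hostile)),       # no user has that name
    }


if __name__ == "__main__":
    print(demo())
```

The safe version is no harder to write than the unsafe one, which is Williams' point: the fix has been standard library behaviour in every mainstream database driver for years.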

CSRF – the biggest mover

CSRF exploits the trust relationship between a logged-in user’s browser and a website by tricking employees into submitting unauthorised requests. It was the biggest mover on the MITRE list in 2024, up five places from ninth to fourth. To help mitigate this type of weakness, firms can “use anti-CSRF tokens, implement SameSite cookies and perform strict origin checks”, says Qualys’ Abbasi.
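The three controls Abbasi lists, as an added example that is not the article's own code nor Qualys' own: a session-bound anti-CSRF token, a session cookie issued with the SameSite attribute, and a strict Origin check. The server secret, session identifiers and allowed origin are constructed placeholders for the demonstration; a real deployment loads the secret from a secrets store.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed placeholder secret; never hard-code a real one.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
ALLOWED_ORIGIN = "https://app.example.invalid"   # assumed site origin


def issue_csrf_token(session_id: str) -> str:
    """Mint a token that is an HMAC over the session id and a fresh nonce, so a
    token lifted from one session does not validate for another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session: SameSite=Strict keeps the browser from
    attaching it to cross-site requests, which blunts CSRF on its own."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def origin_allowed(headers: dict, allowed_origin: str = ALLOWED_ORIGIN) -> bool:
    """Strict origin check: accept only when the browser-supplied Origin (or,
    failing that, Referer) names our own site; reject when neither is present."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == allowed_origin
    referer = headers.get("Referer")
    return referer is not None and referer.startswith(allowed_origin + "/")


def state_change_allowed(headers: dict, session_id: str, form_token: str) -> bool:
    """Gate for any state-changing request: both the origin and the token must check out."""
    return origin_allowed(headers) and verify_csrf_token(session_id, form_token)


if __name__ == "__main__":
    sid = "constructed-session-id"
    tok = issue_csrf_token(sid)
    print(session_cookie_header(sid))
    print(state_change_allowed({"Origin": ALLOWED_ORIGIN}, sid, tok))
```

Layering the checks matters because each one has a gap the others cover: older browsers may ignore SameSite, some requests arrive without an Origin header, and a token alone does nothing if it leaks through a cross-site page.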

At number five, path traversal sees attackers manipulate file paths to access files outside the authorised directory.

To prevent this type of exploit, it’s crucial to “implement proper input validation and canonicalise file paths”, Abbasi explains.
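Canonicalising the requested path before serving it, as an added example that is not the article's own code nor Qualys' own: the server-side directory is resolved to its canonical form, the user-supplied path is joined and resolved the same way (so `..`, `.` and symlinks are collapsed), and the result is accepted only if the served root is one of its parents. The directory layout is constructed in a temporary folder for the demonstration.

```python
import tempfile
from pathlib import Path


def canonical_path_within(base_dir: Path, requested: str) -> Path:
    """Return the canonical absolute path for `requested`, or raise
    PermissionError if it lands outside `base_dir` once '..', '.' and
    symlinks have been resolved."""
    base = base_dir.resolve()
    # Joining an absolute `requested` discards `base` entirely; resolve() then
    # exposes the escape and the parents check below rejects it.
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        raise PermissionError(f"{requested!r} resolves outside {base}")
    return candidate


def is_within(base_dir: Path, requested: str) -> bool:
    """Boolean wrapper: unparseable paths (e.g. embedded NUL) are rejected too."""
    try:
        canonical_path_within(base_dir, requested)
    except (PermissionError, ValueError, OSError):
        return False
    return True


def make_sample_tree() -> Path:
    """Constructed layout: <tmp>/site/docs/readme.txt is meant to be served,
    <tmp>/secret.txt is not. Returns the served root."""
    root = Path(tempfile.mkdtemp())
    served = root / "site"
    (served / "docs").mkdir(parents=True)
    (served / "docs" / "readme.txt").write_text("public\n")
    (root / "secret.txt").write_text("not for the web\n")
    try:
        # A symlink inside the root that points outside it: resolve() follows it,
        # so it is caught like any other escape.
        (served / "escape").symlink_to(root / "secret.txt")
    except OSError:
        pass  # symlink creation not permitted on this platform; skip that case
    return served


if __name__ == "__main__":
    base = make_sample_tree()
    for req in ["docs/readme.txt", "docs/../docs/readme.txt", "../secret.txt", "/etc/passwd", "escape"]:
        print(f"{req!r}: {'allowed' if is_within(base, req) else 'rejected'}")
```

Checking `base in candidate.parents` after resolution is the part that distinguishes canonicalisation from simply stripping `..` from the string: a path such as `docs/../../secret.txt` or a symlink named `escape` contains nothing suspicious once encoded cleverly, but its canonical form is unambiguous.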

Turning information into action

The list makes for interesting reading, but it has a serious purpose. MITRE’s ranking aims to help organisations make informed decisions in software, security and risk management investments. After all, if firms are aware of and prioritise these weaknesses in their development and procurement processes, it helps prevent vulnerabilities that sit “at the core of the software lifecycle”, according to the non-profit.


So, to mitigate the risk of attackers taking advantage of these top 25 weaknesses, organisations need to ensure they are putting appropriate measures in place.

“Namely, education and awareness for development teams, sufficient scanning tooling such as static application security testing (SAST) based scanning, as well as having a robust security testing process,” Featurespace’s Wright says.

Another way to mitigate attacks is the principle of least privilege – the idea that each user or application must only be able to access what’s necessary to complete their assigned tasks, and no more.

“Limit database permissions to what’s absolutely necessary,” Trustwave’s Williams says.

Developer training helps to educate teams on prevention, along with regular testing and secure coding practices, he adds.

Firms also need to ensure they monitor for patching and security updates provided by vendors, Featurespace’s Wright says.

“Based on risk, install those updates within an appropriate time period,” he adds.

As part of these efforts, security teams must ensure they evaluate vulnerabilities in context.

“By this, I mean assessing factors such as the environment the software is running in, the type of data that the software processes, and who had access to the system,” Wright concludes. “Additionally, organisations need to determine their own risk levels. What might be acceptable to one company might not be to another.”

Prioritising patches to keep your organisation safe

Sometimes the sheer volume of patches can be overwhelming, making it important to prioritise security fixes. But how do you work out which patches should be applied first? The most important fixes are those attackers are exploiting in campaigns, says Richard Werner, cybersecurity platform lead, Europe at Trend Micro.

You can prioritise based on the threat’s potential impact, the likelihood of exploitation, and the ease of implementing a fix, adds Qualys’ Abbasi. This approach ensures resources are allocated effectively.

He suggests first addressing commonly targeted input-validation vulnerabilities that give attackers direct avenues to compromise systems or steal data. Next, focus on authentication, authorisation and session management flaws, which “open doors to privilege escalation and persistent unauthorised access”, he says.

After these core areas are locked down, turn to issues that can cause significant damage at the infrastructure level – such as memory corruption and unsafe file handling – or expose sensitive information, Abbasi advises.
