Why we are still patching the same vulnerabilities we were twenty years ago
Another year, another list of reasons why your network is probably unsafe. MITRE and CISA have released the 2025 CWE Top 25 Most Dangerous Software Weaknesses, based on a rigorous analysis of over 39,000 CVEs. If you were hoping for a list populated by complex, AI-driven, futuristic exploits, I have bad news for you. It is the same plywood and duct tape we have been battling since the 90s. From Cross-Site Scripting to SQL Injection, the data shows we are still struggling to lock the front door. Let’s take a look at what’s breaking your infrastructure this year.
The Usual Suspects Refuse to Die
Welcome to the 2025 edition of “Why Can’t We Have Nice Things.” MITRE and CISA recently crunched the numbers on over 39,000 CVE records, and the results are a depressing testament to our collective inability to learn. Sitting comfortably at number one is Cross-site Scripting (CWE-79), with SQL Injection (CWE-89) right behind it. We have had secure coding seminars for twenty years. We have static analysis tools. Yet, developers are still taking raw input from the internet and piping it directly into their databases. It is the digital equivalent of eating off the floor in a subway station; you know it is going to end badly, but you do it anyway.
Here is the full leaderboard of shame for 2025:
| Rank | ID | Name | Score | Change |
|---|---|---|---|---|
| 1 | CWE-79 | Cross-site Scripting | 60.38 | 0 |
| 2 | CWE-89 | SQL Injection | 28.72 | +1 |
| 3 | CWE-352 | Cross-Site Request Forgery (CSRF) | 13.64 | +1 |
| 4 | CWE-862 | Missing Authorization | 13.28 | +5 |
| 5 | CWE-787 | Out-of-bounds Write | 12.68 | -3 |
| 6 | CWE-22 | Path Traversal | 8.99 | -1 |
| 7 | CWE-416 | Use After Free | 8.47 | +1 |
| 8 | CWE-125 | Out-of-bounds Read | 7.88 | -2 |
| 9 | CWE-78 | OS Command Injection | 7.85 | -2 |
| 10 | CWE-94 | Code Injection | 7.57 | +1 |
| 11 | CWE-120 | Classic Buffer Overflow | 6.96 | N/A |
| 12 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 6.87 | -2 |
| 13 | CWE-476 | NULL Pointer Dereference | 6.41 | +8 |
| 14 | CWE-121 | Stack-based Buffer Overflow | 5.75 | N/A |
| 15 | CWE-502 | Deserialization of Untrusted Data | 5.23 | +1 |
| 16 | CWE-122 | Heap-based Buffer Overflow | 5.21 | N/A |
| 17 | CWE-863 | Incorrect Authorization | 4.14 | +1 |
| 18 | CWE-20 | Improper Input Validation | 4.09 | -6 |
| 19 | CWE-284 | Improper Access Control | 4.07 | N/A |
| 20 | CWE-200 | Exposure of Sensitive Information | 4.01 | -3 |
| 21 | CWE-306 | Missing Authentication for Critical Function | 3.47 | +4 |
| 22 | CWE-918 | Server-Side Request Forgery (SSRF) | 3.36 | -3 |
| 23 | CWE-77 | Command Injection | 3.15 | -10 |
| 24 | CWE-639 | Authorization Bypass via User-Controlled Key | 2.62 | +6 |
| 25 | CWE-770 | Allocation of Resources w/o Limits or Throttling | 2.54 | +1 |
It is not just about web forms and shopping carts. Look at the “Velvet Ant” campaign. We saw state-sponsored actors exploiting OS Command Injection (CWE-78) and Path Traversal (CWE-22) to turn Cisco and Palo Alto edge devices into their personal playgrounds. These devices are supposed to be the armoured perimeter of your network, yet they are riddled with holes that let users run scripts on the server. It is broken. When you allow unvalidated input to execute commands, you aren’t just opening a window; you are handing the intruder a sledgehammer and a map. We are still patching vulnerabilities that should have gone extinct with the floppy disk, all because we refuse to sanitise our inputs. But while these “loud” vulnerabilities grab the headlines, there is a much more insidious trend climbing up the charts that represents a fundamental failure in how we define trust.
The Rise of the Uninvited Guest
If Cross-site Scripting is the cockroach that won’t die, Authorization failures are the termites eating your infrastructure from the inside out. When you look past the top spots on the MITRE list, the biggest movers tell a depressing story about how we manage identity. Missing Authorization (CWE-862) rocketed up five spots to sit comfortably at number four, while Missing Authentication for Critical Function (CWE-306) climbed four spots to number twenty-one.
This isn’t a coincidence; it is a symptom of complexity. As we fracture our monoliths into microservices and APIs, developers are forgetting to check if the person knocking at the door is actually allowed in the room. We have created the digital equivalent of a bank guard who checks your driver’s licence at the front door, compliments your photo, and then watches passively as you stroll unescorted into the vault to start stuffing cash into a duffel bag. We are obsessed with the “front door” login screen, yet we consistently fail to enforce what happens after the click.
As highlighted in our look at Protecting Against the OWASP Top 10 Web Application Vulnerabilities, broken access control remains a persistent plague because it is harder to automate than a syntax check. Developers often treat authentication like a VIP wristband that grants an all-access pass, rather than a specific ticket for a specific seat. We need precise authorisation, not just a binary “you are in.” Checking ID at the perimeter is useless if your internal doors are made of bead curtains. If you aren’t verifying permission on every single request — checking the identity against the specific function — you aren’t secure. You are just running a very expensive open house for bad actors.
Memory Lane is a Minefield
If the resurgence of basic authorization failures didn’t make you reach for a stiff drink, this next part might. We are officially walking down memory lane, and unfortunately, it is a minefield. The “new” entries on the 2025 list are actually ancient history that refused to stay buried. Classic Buffer Overflow (CWE-120), Stack-based Buffer Overflow (CWE-121), and Heap-based Buffer Overflow (CWE-122) have re-entered the chat.
It is frankly embarrassing. We are seeing these return because the industry is still addicted to legacy languages and porous code. While CISA is shouting from the rooftops about Secure by Design, the reality is that we are building modern digital skyscrapers on foundations made of balsa wood. We know we should use memory-safe languages, but legacy debt is a heavy anchor.
Here is the cynical truth: we clearly cannot write perfect code. The fact that this list exists in 2025 is proof enough. Developers are human; they make typos. The problem is that in C++, a typo allows a bad actor to overwrite memory and execute arbitrary code. So, we need to stop relying on the application to protect itself. It is not working.
The only way to win this game is to remove the attack surface entirely using a Zero Trust architecture. If the bad actors cannot reach the vulnerability because it is hidden behind an Identity-Aware Proxy, they cannot exploit the buffer overflow. It is that simple. We saw this with the Velvet Ant campaigns targeting Cisco and Palo Alto edge devices; the perimeter security device was the vulnerability. Relying on firewalls and frantic weekend patching is a losing game. You need to make your infrastructure invisible to the unauthenticated internet, or you will be patching these same bugs in 2045.
Conclusions
So, what have we learned from the class of 2025? Mostly that we haven’t learned much. The return of buffer overflows and the sharp rise in missing authorisation checks proves that relying on developers to write perfect code is a strategy for failure. The ‘Secure by Design’ initiative is great, but it won’t patch the legacy junk you have running today. The only way to win is to stop trusting the network. Hide your applications, enforce identity at every request, and assume your code is broken — because, according to this list, it probably is.