Blog

December 11, 2025

What Is CWE? Overview + CWE Top 25

Security & Compliance,

Software Quality

CWE and CWE Top 25 secure coding practices help you safeguard your code against rising software security risks. Here we explain what is CWE and the CWE Top 25.

Read along or jump ahead to the section that interests you the most:

Table of Contents

  1. What Is CWE?
  2. What Is CWE Top 25?
  3. How to Ensure CWE Security with Static Analysis?
  4. Use Perforce Klocwork to Enforce Software Security

➡️ Ensure CWE Security with Klocwork

Back to top

What Is CWE?

Common Weakness Enumeration (CWE) list identifies software security weaknesses in software and hardware. This includes C, C++, and Java. The list is compiled by feedback from the CWE Community.

Sponsored by the MITRE Corporation, the community is made up of representatives from major operating systems vendors, commercial information security tool vendors, academia, government agencies, and research institutions.

The full list is regularly updated every few months. The security weakness list includes over 600 categories, which include:

📕 Related Resource: Learn about the top embedded security vulnerabilities.

CWE Mapping

There are many weaknesses that can be mapped to other guidelines and standards. For example, MITRE correlates specific vulnerabilities (CVEs) to their root causes (CWEs) to help developers understand what happened and why, and propose systematic fixes. 

Other organizations, like MISRA®, also address CWE mapping. In a recent MISRA C addendum, MISRA provides a mapping of CWE against MISRA C:2025

Back to top

What Is CWE Top 25?

Published by MITRE, the CWE Top 25 is a compilation of the most widespread and critical weaknesses that could lead to severe software vulnerabilities. While the CWE Most Important Hardware Weaknesses (MIHW) focuses on fundamental flaws of hardware design at the root cause, CWE Top 25 Most Dangerous Software Weaknesses list highlights the most severe and prevalent weaknesses in software behind the 31,770 CVE records. Both are important for embedded systems. Since security vulnerabilities are often introduced early in the software development lifecycle, software developers should review the CWE Top 25 and apply DevSecOps best practices and tools that enforce CWE — like static code analyzers — to shift-left and get to market faster. 

DevSecOps 101 eBook 

Embedded Developers: Get Started with DevSecOps 

Bring security in line with the speed of development. Download the eBook to learn about CWE and more! 

Get the DevSecOps Guide

The most recent CWE Top 25 software weaknesses list was published in 2025 and listed vulnerabilities that allowed hackers to gain control over an affected system, steal sensitive data, and cause a denial-of-service condition.

CWE Top 25

Here is the list of the 2025 CWE Top 25 software weaknesses:

  1. Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”)
  2. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  3. Cross-Site Request Forgery (CSRF)
  4. Missing Authorization
  5. Out-of-bounds Write
  6. Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
  7. Use After Free
  8. Out-of-bounds Read
  9. Improper Neutralization of Special Elements used in an OS Command (“OS Command Injection")
  10. Improper Control of Generation of Code ("Code Injection")
  11. Buffer Copy without Checking Size of Input ("Classic Buffer Overflow")
  12. Unrestricted Upload File with Dangerous Type
  13. NULL Pointer Deference
  14. Stack-based Buffer Overflow
  15. Deserialization of Untrusted Data
  16. Heap-based Buffer Overflow
  17. Incorrect Authorization
  18. Improper Input Validation
  19. Improper Access Control
  20. Exposure of Sensitive Information to an Unauthorized Actor
  21. Missing Authentication for Critical Function
  22. Server-Side Request Forgery (SSRF)
  23. Improper Neutralization of Special Elements used in a Command ("Command Injection")
  24. Authorization Bypass Through User-Controlled Key
  25. Allocation of Resources Without Limits or Throttling
Back to top

How to Ensure CWE Security with Static Analysis?

The best way to ensure that your code is secure is to use a SAST tool, like Perforce Klocwork.

SAST tools identify and eliminate security vulnerabilities and software defects early on in development. This helps to ensure that your software is secure, reliable, and compliant.

Klocwork helps you:

  • Identify and analyze security risks and prioritizes severity.
  • Fulfill compliance standard requirements.
  • Apply and enforce coding standards.
  • Verify and validate through testing.
  • Achieve compliance and get certified faster.
📕 Related Resource: Review the SAST tutorial for additional software security resources.

 

Back to top

Use Perforce Klocwork to Enforce Software Security

See for yourself how Klocwork can help you enforce software security standards: Sign up for your free trial today! 

Register for a Klocwork Free Trial

Back to top