Out-of-bounds write is the most dangerous software weakness, according to the US government
The US government has published a list of 25 software weaknesses that lead to disastrous consequences.
The US government has ranked the most common and significant software weaknesses that lead to dangerous vulnerabilities in systems and applications.
The CWE Top 25 list was prepared by experts from the HSSEDI (Homeland Security Systems Engineering and Development Institute), which operates under the auspices of the Department of Homeland Security and the non-profit organization MITRE.
CWE (Common Weakness Enumeration) is a standard that describes the types of software weaknesses, such as errors, bugs, and design flaws. CWE differs from CVE (Common Vulnerabilities and Exposures), which assigns an identifier to each specific vulnerability found in a piece of software.
The CWE Top 25 list is calculated by analyzing public vulnerability data in the National Vulnerability Database (NVD) for the last two calendar years. It also takes into account which vulnerabilities were exploited by attackers in real attacks, according to CISA's Known Exploited Vulnerabilities (KEV) catalog.
- At the top of the ranking is out-of-bounds write, which can lead to buffer overflows and arbitrary code execution.
- In second place is cross-site scripting (XSS), which allows attackers to inject malicious code into web pages and steal user data.
- In third place is SQL injection, which allows attackers to execute arbitrary database queries and access confidential information.
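The defect behind the top entry, shown as an added example that is not part of the article: a copy routine that writes past a fixed-size buffer (the classic form of CWE-787, Out-of-bounds Write) next to a bounds-checked version that refuses oversize input and leaves the destination untouched. The function names, the 8-byte buffer and the sample strings are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: the 'before' of the fix. strcpy() copies the whole
 * source string without knowing how large dst is, so a source longer
 * than the destination overwrites whatever lies beyond it in memory.
 * It is defined here only for comparison and is never called. */
void unsafe_copy(char *dst, const char *src)
{
    strcpy(dst, src);   /* out-of-bounds write when strlen(src) >= sizeof dst */
}

/* The bounds-checked counterpart: copies src into dst only if it fits,
 * including the terminating '\0'. On failure dst is left unchanged.
 * Returns 0 on success, -1 when src would not fit or an argument is bad. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dst_size)           /* n == dst_size leaves no room for '\0' */
        return -1;
    memcpy(dst, src, n + 1);     /* n bytes plus the terminator, all in bounds */
    return 0;
}

/* Helper for the demonstration: copy src into an 8-byte buffer that
 * already holds "init" and report both the result code and whether the
 * buffer still holds "init" when the copy was refused. */
int demo_copy(const char *src, int *dst_untouched)
{
    char buf[8] = "init";                      /* constructed initial contents */
    int rc = safe_copy(buf, sizeof buf, src);
    *dst_untouched = (strcmp(buf, "init") == 0);
    return rc;
}

int main(void)
{
    int untouched;
    /* constructed inputs: one that fits, one that would overflow */
    int rc1 = demo_copy("alice", &untouched);
    printf("\"alice\": rc=%d\n", rc1);
    int rc2 = demo_copy("a-much-too-long-name", &untouched);
    printf("\"a-much-too-long-name\": rc=%d, buffer untouched=%d\n", rc2, untouched);
    return 0;
}
```

The decision that matters is the comparison against the destination size before any byte is written; `strncpy` alone is not a substitute, because it silently drops the terminator when the source is exactly `dst_size` bytes or longer.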
The Cybersecurity and Infrastructure Security Agency (CISA) recommends that developers and product security teams review the CWE Top 25 list and take the necessary steps to prevent or mitigate the risk of vulnerabilities. The agency also plans to publish additional articles on rating methodology, vulnerability mapping trends, and other useful topics.
US cybersecurity agencies CISA and NSA stated in their recent joint guidance that baseboard management controllers (BMCs) are a weak link in critical infrastructure systems that can be exploited by attackers to gain access to networks and data.
BMCs make it possible to remotely manage and monitor computers and servers even when the host system is powered off. However, because of their high level of privilege and their reachability over the network, these devices often attract the attention of attackers, who can use them as an entry point for a range of cyber attacks.
Recall that the popular npm package registry suffers from a security problem called Manifest Confusion, which undermines trust in packages and allows attackers to hide malicious code in dependencies or execute malicious scripts when packages are installed.