Dear CWE Community,

The CWE™ Program is thrilled to announce the following program updates from April:

* CWE Version 4.17<https://cwe.mitre.org/news/archives/news2025.html#april03_CWE_Version_4_17_Now_Available> — CWE 4.17, released on April 3, 2025, includes 3 new weaknesses: “CWE-1428: Reliance on HTTP instead of HTTPS<https://cwe.mitre.org/data/definitions/1428.html>,” “CWE-1429: Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface<https://cwe.mitre.org/data/definitions/1429.html>,” and “CWE-1431: Driving Intermediate Cryptographic State/Results to Hardware Module Outputs<https://cwe.mitre.org/data/definitions/1431.html>.” It also includes major updates to the AI-related “CWE-1039: Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism<https://cwe.mitre.org/data/definitions/1039.html>” weakness; the addition of affected languages to many demonstrative examples; miscellaneous changes to various CWE entries under less-analyzed subtrees; and many other changes related to “usability improvements” (see next item below).

* CWE Usability Improvements<https://cwe.mitre.org/news/archives/news2025.html#april03_CWE_Version_4_17_Now_Available> — The release of CWE 4.17<https://cwe.mitre.org/news/archives/news2025.html#april03_CWE_Version_4_17_Now_Available> includes the third installment of the major usability improvements that are underway for the CWE website<https://medium.com/@CWE_CAPEC/major-usability-improvements-to-viewing-cwe-content-underway-359529b4b4a0>. For this latest installment, 20 CWE Entry pages have been upgraded and now include a concise summary of the weakness along with a visual aid at the top of each entry page (see the list of upgraded pages here<https://cwe.mitre.org/news/archives/news2025.html#april03_CWE_Version_4_17_Now_Available>). In addition, on all CWE entry pages, increased separation was added between data elements and a cleaner tabular format was adopted to reduce the “wall of text” effect for new users (see examples of the new and old table formats here<https://cwe.mitre.org/news/archives/news2025.html#april03_CWE_Version_4_17_Now_Available>). To view the first two installments of the major usability improvements, see the CWE 4.15<https://cwe.mitre.org/news/archives/news2024.html#july16_CWE_Version_4.15_Now_Available> and CWE 4.16<https://cwe.mitre.org/news/archives/news2024.html#november19_CWE_Version_4.16_Now_Available> release notes news articles. Additional usability improvements will be included in future releases.

* “2024 CWE Top 10 KEV Weaknesses”<https://cwe.mitre.org/news/archives/news2025.html#april03_2024_CWE_Top_10_KEV_Weaknesseses_Now_Available> — Released on April 3, 2025, the “2024 CWE Top 10 KEV Weaknesses” list, which lists the top ten CWEs in the Cybersecurity and Infrastructure Security Agency’s<https://www.dhs.gov/cisa/cybersecurity-division/> (CISA) “Known Exploited Vulnerabilities (KEV) Catalog<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>,” is now available on the CWE website. Our analysis and key insights about the 2024 CWE Top 10 KEV Weaknesses<https://cwe.mitre.org/top25/archive/2024/2024_kev_list.html> list are available here<https://cwe.mitre.org/top25/archive/2024/2024_kev_insights.html>, and our methodology for creating the list is here<https://cwe.mitre.org/top25/archive/2024/2024_kev_methodology.html>.

* CWE Content Development Repository (CDR)<https://cwe.mitre.org/news/archives/news2025.html#april03_CWE_Content_Development_Repository> — The CWE Content Development Repository (CDR)<https://github.com/CWE-CAPEC/CWE-Content-Development-Repository>, which enables the broader community to view, track, and contribute to the enhancement of the CWE corpus, is fully public as of April 3, 2025. This means greater transparency into the CWE working queue and further community collaboration in developing new CWE entries and modifying existing entries. Content suggestions begin with the CWE Submission Form<https://cwesubmission.mitre.org/>. Once processed, these submissions are transferred to the CDR public repository, allowing the entire CWE community to view and comment on them as they progress through the various stages of development. View the CDR’s README<https://github.com/CWE-CAPEC/CWE-Content-Development-Repository/blob/main/README.md> and the Guidelines for Content Submissions<https://github.com/CWE-CAPEC/CWE-Content-Development-Repository/blob/main/documentation/submission-guidelines.md> for more details and to better understand the process.

* New CWE Podcast Episode<https://cwe.mitre.org/news/podcast.html> — Published on April 15, the CWE Program’s latest podcast episode, “Root Cause Mapping and the CWE Top 25<https://youtu.be/8pe6w3PNpt8>,” informs the community about: the value and history of the CWE Top 25 and which weaknesses moved up and down on the list; the purpose and benefits of mapping the root causes of vulnerabilities identified in CVE Records to CWE weaknesses; the methodology used for root cause mapping (RCM) of the 2024 CWE Top 25 to develop the list, and how CVE Numbering Authorities (CNAs) were integral to the process; a discussion of follow-on Top 25 lists, including the “On the Cusp” and “CWE Top 10 KEV Weaknesses” lists; and how to leverage the CWE website for RCM and the role of the RCM Working Group.

* CWE on Bluesky<https://cwe.mitre.org/news/archives/news2025.html#april03_Follow_CWE_Program_on_Bluesky> — The CWE Program is now on Bluesky<https://bsky.app/>! Please follow us there for program news, new versions, updates on community activities, and more at @cweprogram.bsky.social<https://bsky.app/profile/cweprogram.bsky.social>.

* Four CWE Talks at VulnCon 2025<https://cwe.mitre.org/news/archives/news2025.html#april03_Four_CWE_Talks_VulnCon_2025> — CWE<https://cwe.mitre.org/> was the main focus of four talks at CVE/FIRST VulnCon 2025<https://www.first.org/conference/vulncon2025/>, held in Raleigh, North Carolina, USA, on April 7-10, 2025:
  o “Vulnerability Root Cause Mapping with CWE: Challenges, Solutions, and Insights from Grounded LLM-based Analysis<https://www.first.org/conference/vulncon2025/program#pVulnerability-Root-Cause-Mapping-with-CWE-Challenges-Solutions-and-Insights-from-Grounded-LLM-based-Analysis>” by Alec Summers of the CWE Program and Chris Madden of Yahoo
  o “Lessons Learned From Assigning CWE’s to Test Items for Security Assessments<https://www.first.org/conference/vulncon2025/program#pLessons-Learned-From-Assigning-CWE-s-to-Test-Items-for-Security-Assessments>” by Yuichi Kikuchi and Takayuki Uchiyama of Panasonic PSIRT
  o “How Do We Leverage CVE Root Cause Mapping and CWE Data to Prevent New Vulnerabilities?<https://www.first.org/conference/vulncon2025/program#pHow-Do-We-Leverage-CVE-Root-Cause-Mapping-and-CWE-Data-to-Prevent-New-Vulnerabilities>” by Alexander Bushkin and Jeremy West of Red Hat
  o “Hard Problems in CWE, and What it Tells us about Hard Problems in the Industry (Virtual)<https://www.first.org/conference/vulncon2025/program#pHard-Problems-in-CWE-and-What-it-Tells-us-about-Hard-Problems-in-the-Industry>” by Steve Christey Coley of the CWE Program

We are really excited about these new releases, the numerous usability improvements to the CWE entry pages and the overall CWE website, our new community collaboration platform, and our community engagements. On behalf of the CWE Team, thank you for your continued support of the CWE Program.

Cheers,
Alec

--
Alec J. Summers
Cyber Security Engineer, Principal Group Lead, Cybersecurity Operations and Integration
Center for Securing the Homeland (CSH)
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World™
