securityweek.com ByIonut Arghire| August 22, 2025 - MITRE has updated the list of Most Important Hardware Weaknesses to align it with evolving hardware security challenges.
The non-profit MITRE Corporation this week published a revised CWE Most Important Hardware Weaknesses (MIHW) to align it with the evolution of the hardware security landscape.
Initially released in 2021, the CWE MIHW list includes frequent errors that lead to critical hardware vulnerabilities, and is meant to raise awareness within the community, to help eradicate hardware flaws from the start.
The updated list includes 11 entries and comes with new classes, categories, and base weaknesses, but retains five of the entries that were included in the 2021 CWE MIHW list. It shows a focus on resource reuse, debug mode bugs, and fault injection.
‘CWE-226: Sensitive Information in Resource Not Removed Before Reuse’ is at the top of MITRE’s 2025 CWE MIHW list.
It refers to resources that are released and may be made available for reuse without being properly cleared. If memory, for example, is not cleared before it is made available to a different process, data could become available to less trustworthy parties.
“This weakness can apply in hardware, such as when a device or system switches between power, sleep, or debug states during normal operation, or when execution changes to different users or privilege levels,” CWE-226’s description reads.
Second on the revised list is ‘CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC)’, which was at the top four years ago.
Other entries that were kept from the previous version of the list include ‘CWE-1191: On-Chip Debug and Test Interface With Improper Access Control’, ‘CWE-1256: Improper Restriction of Software Interfaces to Hardware Features’, ‘CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges’, and ‘CWE-1300: Improper Protection of Physical Side Channels’.
“These entries represent persistent challenges in hardware security that are both theoretically significant and commonly observed in practice. Their continued inclusion, even with the shift to a hybrid expert and data-driven selection process, underscores their ongoing importance,” MITRE notes.
Of the six new CWEs that made it to the revised MIHW list, two were added to the CWE after the 2021 MIHW list was released.
In addition to the 11 weaknesses included in the main MIHW list, MITRE warns of five others that are also highly important and could lead to serious security defects. These include four entries that were in the previous iteration of the list.
“Hardware weaknesses propagate upward: once embedded in silicon, they constrain software, firmware, and system-level mitigations. Engineers working at higher layers need to understand that some risks are inherited and may never be fully remediated at their level. That makes transparency from vendors, independent evaluation ecosystems, and better incentives for proactive security in design critical,” NCC Group managing security consultant Liz James said.
Ledger has warned that scammers are mailing letters that appear to be from the company to users of its hardware wallets in an attempt to swipe crypto.
Scammers are mailing physical letters to the owners of Ledger crypto hardware wallets asking them to validate their private seed phrases in a bid to access the wallets to clean them out.
In an April 29 X post, tech commentator Jacob Canfield shared a scam letter sent to his home via post that appeared to be from Ledger claiming he needed to immediately perform a “critical security update” on his device.
The letter, which uses Ledger’s logo, business address, and a reference number to feign legitimacy, asks to scan a QR code and enter the wallet’s private recovery phrase under the guise of validating the device.
The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented
On November 25, 2024, a third party, from SECURE NETWORK BVTECH, reported the D-Link DSL-3788 hardware revision B2 with firmware version vDSL-3788_fw_revA1_1.01R1B036_EU_EN or below, of a Unauthenticated Remote Code Execution (RCE) vulnerability.
When D-Link became aware of the reported security issues, we promptly started investigating and developing security patches. Patches were release within the 90-day of the report of the vulnerabilities.
More than 60,000 D-Link network-attached storage devices that have reached end-of-life are vulnerable to a command injection vulnerability with a publicly available exploit.
D-Link is warning that four remote code execution (RCE) flaws impacting all hardware and firmware versions of its DIR-846W router will not be fixed as the products are no longer supported.
Academic researchers developed ZenHammer, the first variant of the Rowhammer DRAM attack that works on CPUs based on recent AMD Zen microarchitecture that map physical addresses on DDR4 and DDR5 memory chips.
Fake hardware cryptowallet, and how bitcoins were stolen from it.
