Cyberveille, curated by Decio
9 results tagged MITRE
MITRE Updates List of Most Common Hardware Weaknesses https://www.securityweek.com/mitre-updates-list-of-most-common-hardware-weaknesses/
24/08/2025 12:38:26

securityweek.com, by Ionut Arghire | August 22, 2025 - MITRE has updated the list of Most Important Hardware Weaknesses to align it with evolving hardware security challenges.

The non-profit MITRE Corporation this week published a revised CWE Most Important Hardware Weaknesses (MIHW) to align it with the evolution of the hardware security landscape.

Initially released in 2021, the CWE MIHW list includes frequent errors that lead to critical hardware vulnerabilities, and is meant to raise awareness within the community, to help eradicate hardware flaws from the start.

The updated list includes 11 entries and comes with new classes, categories, and base weaknesses, but retains five of the entries that were included in the 2021 CWE MIHW list. It shows a focus on resource reuse, debug mode bugs, and fault injection.

‘CWE-226: Sensitive Information in Resource Not Removed Before Reuse’ is at the top of MITRE’s 2025 CWE MIHW list.

It refers to resources that are released and may be made available for reuse without being properly cleared. If memory, for example, is not cleared before it is made available to a different process, data could become available to less trustworthy parties.

“This weakness can apply in hardware, such as when a device or system switches between power, sleep, or debug states during normal operation, or when execution changes to different users or privilege levels,” CWE-226’s description reads.

Second on the revised list is ‘CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC)’, which was at the top four years ago.

Other entries that were kept from the previous version of the list include ‘CWE-1191: On-Chip Debug and Test Interface With Improper Access Control’, ‘CWE-1256: Improper Restriction of Software Interfaces to Hardware Features’, ‘CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges’, and ‘CWE-1300: Improper Protection of Physical Side Channels’.

“These entries represent persistent challenges in hardware security that are both theoretically significant and commonly observed in practice. Their continued inclusion, even with the shift to a hybrid expert and data-driven selection process, underscores their ongoing importance,” MITRE notes.

Of the six new CWEs that made it to the revised MIHW list, two were added to the CWE after the 2021 MIHW list was released.

In addition to the 11 weaknesses included in the main MIHW list, MITRE warns of five others that are also highly important and could lead to serious security defects. These include four entries that were in the previous iteration of the list.

“Hardware weaknesses propagate upward: once embedded in silicon, they constrain software, firmware, and system-level mitigations. Engineers working at higher layers need to understand that some risks are inherited and may never be fully remediated at their level. That makes transparency from vendors, independent evaluation ecosystems, and better incentives for proactive security in design critical,” NCC Group managing security consultant Liz James said.

securityweek.com MITRE Hardware weaknesses CWE MIHW list updates
MITRE Unveils AADAPT Framework to Tackle Cryptocurrency Threats https://www.securityweek.com/mitre-unveils-aadapt-framework-to-tackle-cryptocurrency-threats/
20/07/2025 10:08:32

securityweek.com - The MITRE AADAPT framework provides documentation for identifying, investigating, and responding to weaknesses in digital asset payments.

The non-profit MITRE Corporation on Monday released Adversarial Actions in Digital Asset Payment Technologies (AADAPT), a cybersecurity framework designed to help the industry tackle weaknesses in cryptocurrency and other digital financial systems.

Modeled after the MITRE ATT&CK framework, AADAPT delivers a structured methodology that developers, financial organizations, and policymakers can use to find, investigate, and address risks in digital asset payments.

Insights that more than 150 sources from academia, government, and industry provided on real-world attacks on digital currencies and related technologies were used to create a playbook of adversarial TTPs linked to digital asset payment technologies.

The increased use of cryptocurrency has led to the emergence of sophisticated threats, such as phishing schemes, ransomware campaigns, and double-spending attacks, often with severe impact on organizations that lack cybersecurity resources, such as local governments and municipalities.

AADAPT is meant to help them enhance their stance through practical guidance and tools that specifically cover this financial market segment.

According to MITRE, AADAPT was founded on an in-depth review of underlying technologies such as smart contracts, distributed ledger technology (DLT) systems, consensus algorithms, and quantum computing, along with vulnerabilities and credible attack methods.

The tool supports critical use cases to help develop analytics for emulating threats, create detection techniques, compare insights, and assess security capabilities to prioritize decisions, essentially assisting stakeholders in adopting best practices.

“Digital payment assets like cryptocurrency are set to transform the future of global finance, but their security challenges cannot be ignored. With AADAPT, MITRE is empowering stakeholders to adopt robust security measures that not only safeguard their assets but also build trust across the ecosystem,” MITRE VP Wen Masters said.

securityweek.com EN 2025 MITRE mitre-attack cryptocurrency AADAPT
CISA extends funding to ensure 'no lapse in critical CVE services' https://www.bleepingcomputer.com/news/security/cisa-extends-funding-to-ensure-no-lapse-in-critical-cve-services/
16/04/2025 15:35:19

CISA says the U.S. government has extended funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program.
#CISA #CVE #Computer #Foundation #InfoSec #MITRE #Security

Security MITRE CVE InfoSec Foundation CISA Computer
Funding Expires for Key Cyber Vulnerability Database https://krebsonsecurity.com/2025/04/funding-expires-for-key-cyber-vulnerability-database/
16/04/2025 09:09:25

A critical resource that cybersecurity professionals worldwide rely on to identify, mitigate and fix security vulnerabilities in software and hardware is in danger of breaking down. The federally funded, non-profit research and development organization MITRE warned today that its contract…

krebsonsecurity EN 2025 Vulnerability Database MITRE CVE CWE non-profit expired
MITRE warns that funding for critical CVE program expires today https://www.bleepingcomputer.com/news/security/mitre-warns-that-funding-for-critical-cve-program-expires-today/
16/04/2025 09:07:32

MITRE Vice President Yosry Barsoum has warned that U.S. government funding for the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs expires today, which could lead to widespread disruption across the global cybersecurity industry.

bleepingcomputer EN 2025 CVE MITRE USA Warning CWE expired
MITRE Announces AI Incident Sharing Project https://www.securityweek.com/mitre-announces-ai-incident-sharing-project/
14/10/2024 09:07:29

MITRE’s AI Incident Sharing initiative helps organizations receive and hand out data on real-world AI incidents.
Non-profit technology and R&D company MITRE has introduced a new mechanism that enables organizations to share intelligence on real-world AI-related incidents.

Shaped in collaboration with over 15 companies, the new AI Incident Sharing initiative aims to increase community knowledge of threats and defenses involving AI-enabled systems.

securityweek EN 2024 MITRE AI-related incidents AI Incident Sharing initiative
MITRE Marks Major Milestone, Minting 400 CNAs as NVD Backlog Grows - Socket https://socket.dev/blog/mitre-marks-major-milestone-minting-400-cnas-as-nvd-backlog-grows?is=e4f6b16c6de31130985364bb824bcb39ef6b2c4e902e4e553f0ec11bdbefc118
21/08/2024 08:29:06

MITRE has just minted its 400th CNA, as the NVD struggles to tame its backlog of CVEs awaiting analysis, which has increased by 30% since June.

socket.dev EN 2024 MITRE Backlog CNA
Advanced Cyber Threats Impact Even the Most Prepared https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8
24/04/2024 12:30:44

Foreign nation-state cyber adversaries are tenacious. Their attacks are evolving to get around the industry’s most sophisticated defenses. Last year was exploitation of routers, and this year’s theme has been compromise of edge protection devices.

MITRE, a company that strives to maintain the highest cybersecurity possible, is not immune.

Despite our commitment to safeguarding our digital assets, we’ve experienced a breach that underscores the nature of modern threats. In this blog post, we provide an initial account of the incident, outlining the tactics, techniques, and procedures (TTPs) employed by the adversaries, as well as some of our ongoing incident response efforts and recommendations for future steps to fortify your defenses.

medium EN 2024 MITRE cyberincident Ivanti TTPs
MITRE says state hackers breached its network via Ivanti zero-days https://www.bleepingcomputer.com/news/security/mitre-says-state-hackers-breached-its-network-via-ivanti-zero-days/
21/04/2024 20:51:39

The MITRE Corporation says a state-backed hacking group breached its systems in January 2024 by chaining two Ivanti VPN zero-days.

bleepingcomputer EN 2024 Breach Ivanti MITRE Zero-Day Security InfoSec Computer-Security