securityweek.com ByIonut Arghire| August 22, 2025 - MITRE has updated the list of Most Important Hardware Weaknesses to align it with evolving hardware security challenges.
The non-profit MITRE Corporation this week published a revised CWE Most Important Hardware Weaknesses (MIHW) to align it with the evolution of the hardware security landscape.
Initially released in 2021, the CWE MIHW list includes frequent errors that lead to critical hardware vulnerabilities, and is meant to raise awareness within the community, to help eradicate hardware flaws from the start.
The updated list includes 11 entries and comes with new classes, categories, and base weaknesses, but retains five of the entries that were included in the 2021 CWE MIHW list. It shows a focus on resource reuse, debug mode bugs, and fault injection.
‘CWE-226: Sensitive Information in Resource Not Removed Before Reuse’ is at the top of MITRE’s 2025 CWE MIHW list.
It refers to resources that are released and may be made available for reuse without being properly cleared. If memory, for example, is not cleared before it is made available to a different process, data could become available to less trustworthy parties.
“This weakness can apply in hardware, such as when a device or system switches between power, sleep, or debug states during normal operation, or when execution changes to different users or privilege levels,” CWE-226’s description reads.
Second on the revised list is ‘CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC)’, which was at the top four years ago.
Other entries that were kept from the previous version of the list include ‘CWE-1191: On-Chip Debug and Test Interface With Improper Access Control’, ‘CWE-1256: Improper Restriction of Software Interfaces to Hardware Features’, ‘CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges’, and ‘CWE-1300: Improper Protection of Physical Side Channels’.
“These entries represent persistent challenges in hardware security that are both theoretically significant and commonly observed in practice. Their continued inclusion, even with the shift to a hybrid expert and data-driven selection process, underscores their ongoing importance,” MITRE notes.
Of the six new CWEs that made it to the revised MIHW list, two were added to the CWE after the 2021 MIHW list was released.
In addition to the 11 weaknesses included in the main MIHW list, MITRE warns of five others that are also highly important and could lead to serious security defects. These include four entries that were in the previous iteration of the list.
“Hardware weaknesses propagate upward: once embedded in silicon, they constrain software, firmware, and system-level mitigations. Engineers working at higher layers need to understand that some risks are inherited and may never be fully remediated at their level. That makes transparency from vendors, independent evaluation ecosystems, and better incentives for proactive security in design critical,” NCC Group managing security consultant Liz James said.
Key findings Proofpoint identified and named two new cybercriminal threat actors operating components of web inject campaigns, TA2726 and TA2727. Proofpoint identified a new
ClickFix fake browser updates are being distributed by bogus WordPress plugins. Learn about the common indicators of compromise.
Chinese hacking group Evasive Panda compromises ISP to push malware, targeting companies through DNS poisoning and insecure update mechanisms.
Apple on Monday announced a hefty round of security updates that address dozens of vulnerabilities impacting both newer and older iOS and macOS devices.
iOS 17.6 and iPadOS 17.6 were released for the latest generation iPhone and iPad devices with fixes for 35 security defects that could lead to authentication and policy bypasses, unexpected application termination or system shutdown, information disclosure, denial-of-service (DoS), and memory leaks.
The Internet Systems Consortium (ISC) released BIND security updates that fixed remotely exploitable DoS bugs in the DNS software suite.
Researchers have discovered several vulnerabilities in popular WordPress plugins that allow attackers to create rogue admin accounts.
#attacks #breach #computer #cyber #data #hack #hacker #hacking #how #information #malware #network #news #ransomware #security #software #the #to #today #updates #vulnerability
Avast discovered and analyzed GuptiMiner, a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers.
Researchers uncover a fresh wave of the Raspberry Robin campaign spreading malware through malicious Windows Script Files (WSFs) since March 2024.
#attacks #breach #computer #cyber #data #hack #hacker #hacking #how #information #malware #network #news #ransomware #security #software #the #to #today #updates #vulnerability
Apple has released patches for iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address multiple vulnerabilities.
Windows 10's end-of-support date is October 14, 2025. That's the day that most Windows 10 PCs will receive their last security update and the date when most people should find a way to move to Windows 11 to ensure that they stay secure.
As it has done for other stubbornly popular versions of Windows, though, Microsoft is offering a reprieve for those who want or need to stay on Windows 10: three additional years of security updates, provided to those who can pay for the Extended Security Updates (ESU) program.
There are several malicious fake updates campaigns being run across thousands of compromised websites. Here I will walk through one with a pattern that doesn’t match with others I’ve been tracking. This campaign appears to have started around July 19th, 2023. Based on a search on PublicWWW of the injection base64 there are at least 434 infected sites.
I’m calling this one ClearFake until I see a previously used name for it. The name is a reference to the majority of the Javascript being used without obfuscation. I say majority because base64 is used three times. That’s it. All the variable names are in the clear, no obfuscation on them.
One noticeable difference from SocGholish is that there appears to be no tracking of visits by IP or cookies. As an analyst you can you go back to the compromised site over and over coming from the same IP and not clearing your browser cache. This also means the site owner is more likely to see the infection as well.
Compromised websites are being used to redirect to fake browser updates and deliver malware onto Mac users.
Apple has released emergency security updates to address two new zero-day vulnerabilities exploited in attacks to compromise iPhones, Macs, and iPads.
Apple has launched its recent major security updates to the whole world.
Expected in Ventura 13.1 is a new lightweight system for applying security patches. This article explains how it uses cryptexes, already being used in macOS 13.
True or false? Apple supports macOS for three years. Apple’s security updates are sufficient. New versions of macOS are full of bugs. It’s safer to delay upgrading.
