
    Common Weakness Enumeration

    Community-maintained list of software and hardware weakness types, the underlying defects that cause CVEs.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed June 20, 2026.

    Definition

    Common Weakness Enumeration (CWE) is a category system for software and hardware weaknesses maintained by MITRE on behalf of CISA. While a CVE identifies a specific vulnerability in a specific product, a CWE identifies the underlying weakness type, for example, CWE-79 (Cross-Site Scripting), CWE-89 (SQL Injection), CWE-787 (Out-of-bounds Write), CWE-798 (Use of Hard-coded Credentials). The annual CWE Top 25 Most Dangerous Software Weaknesses ranks the most consequential weakness classes based on prevalence and severity in published CVEs.

    What the regulation says

    FDA's Premarket Cybersecurity guidance cites the CWE Top 25 as a reference for secure-coding rigor. IEC 81001-5-1 §5.3 expects manufacturers to identify and mitigate known weakness classes, with CWE as the typical evidence source.

    What this means in practice

    For medical device manufacturers, CWE is the link between secure-coding practices and the post-market vulnerability stream. Static application security testing (SAST) tools report findings as CWEs; secure-coding training is structured around CWEs; threat models reference CWEs as the credible defect classes underlying STRIDE threats. Mapping your secure development controls to the CWE Top 25 is one of the cleanest ways to demonstrate IEC 81001-5-1 §5 conformance.

    Common pitfalls

    • Reporting SAST findings as raw tool output without normalizing to CWE; reviewers cannot compare evidence across tools without it.
    • Treating the CWE Top 25 as exhaustive; many medical-device-relevant weaknesses (CWE-798 hard-coded credentials, CWE-1188 insecure default initialization) live outside the Top 25.
    • Conflating CWE with CVE: CWE is the class of defect, CVE is one occurrence of it in a specific product.
