
2 – Security misconfiguration
Security settings are not properly defined, implemented, or maintained, leaving systems exposed to attack. Common examples include default credentials that are never changed, unnecessary features left enabled, verbose error messages that reveal sensitive information, or cloud storage buckets left publicly accessible. This category jumped from fifth place in 2021 to second place in 2025.
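The four misconfigurations listed above are all things a deploy gate can check before a build ships. The script below is an added example written for this page, not code from the article or from any product: it audits a configuration dictionary for default credentials, debug mode and verbose errors, unneeded features and publicly readable buckets, and shows a weak config beside its corrected form. The config keys, the default-credential list, the feature names and the sample values are assumptions chosen for illustration; map them onto your own config format.

```python
"""Audit a deployment config for common security misconfigurations.

Added example, not from the original article or any product. The config
keys (``users``, ``debug``, ``error_detail``, ``enabled_features``,
``buckets``), the default-credential list and the feature names are
assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Constructed sample of vendor/default credential pairs that must be rotated.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("root", "toor"),
}

# Features that should not be enabled on an internet-facing production host
# (assumed names; the point is the deny-list, not these strings).
RISKY_FEATURES = {"directory_listing", "remote_debugger", "sample_apps", "trace_method"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def audit_config(cfg: dict) -> list[Finding]:
    """Return one Finding per misconfiguration; an empty list means clean."""
    findings: list[Finding] = []

    # Default credentials that were never changed.
    for user in cfg.get("users", []):
        pair = (user.get("name", ""), user.get("password", ""))
        if pair in DEFAULT_CREDENTIALS:
            findings.append(Finding("default-credentials", "critical",
                                    f"user {pair[0]!r} still has a default password"))

    # Debug mode and verbose errors leak tracebacks, paths and settings to clients.
    if cfg.get("debug") is True:
        findings.append(Finding("debug-enabled", "high",
                                "debug mode is on; tracebacks and settings reach clients"))
    if cfg.get("error_detail", "generic") == "verbose":
        findings.append(Finding("verbose-errors", "medium",
                                "error responses include internal detail"))

    # Unnecessary features left enabled widen the attack surface.
    for feature in cfg.get("enabled_features", []):
        if feature in RISKY_FEATURES:
            findings.append(Finding("unneeded-feature", "medium",
                                    f"feature {feature!r} is enabled but not required"))

    # Cloud storage exposed to anonymous readers.
    for bucket in cfg.get("buckets", []):
        public_acl = bucket.get("acl") in {"public-read", "public-read-write"}
        unblocked = bucket.get("block_public_access") is False
        if public_acl or unblocked:
            findings.append(Finding("public-bucket", "critical",
                                    f"bucket {bucket.get('name', '?')!r} is reachable anonymously"))
    return findings


def rules_triggered(cfg: dict) -> list[str]:
    """Sorted, de-duplicated rule names, convenient for gating a deploy."""
    return sorted({f.rule for f in audit_config(cfg)})


# Constructed sample: the weak deployment and its corrected counterpart.
WEAK_CONFIG = {
    "debug": True,
    "error_detail": "verbose",
    "users": [{"name": "admin", "password": "admin"}],
    "enabled_features": ["directory_listing", "api"],
    "buckets": [{"name": "customer-uploads", "acl": "public-read"}],
}

HARDENED_CONFIG = {
    "debug": False,
    "error_detail": "generic",
    # Placeholder for a unique secret issued from a vault, not a vendor default.
    "users": [{"name": "admin", "password": "per-host-secret-from-vault"}],
    "enabled_features": ["api"],
    "buckets": [{"name": "customer-uploads", "acl": "private",
                 "block_public_access": True}],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {rules_triggered(cfg) or 'clean'}")
        for f in audit_config(cfg):
            print(f"  [{f.severity}] {f.rule}: {f.detail}")
```

Run in CI as a deploy gate: a non-empty result from `rules_triggered` fails the pipeline. The bucket rule deliberately treats an explicit `block_public_access: False` as a finding even when no public ACL is set, because the account-level block is what stops a later ACL change from exposing the data.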
3 – Software supply chain failures
Attackers compromise software during build, distribution or update to inject malicious code that is then delivered to many organizations at once. For example, attackers might compromise a popular open-source library and inject malicious code that gets incorporated into thousands of applications that depend on it, or breach a vendor’s system to insert backdoors into legitimate software updates. This is a new list item, though there was a narrower related item in 2021 — vulnerable and outdated components.
“Developers have become a primary target for many online attacks now,” says Janca. “It is no longer a problem of including a library that has a questionable dependency.” Instead, she says, there are now active attacks against the IDE, against the CI/CD pipeline, against plugins and repositories, against developer workstations, and more. “The entire software supply chain is currently a focus for attackers,” she says.
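The library-replacement scenario described above is the one a hash-pinned lockfile is meant to catch: the build pins each dependency to the digest of the artifact that was reviewed, and an installer that verifies digests before unpacking refuses a swapped artifact. The script below is an added example written for this page, not code from the article or from any package manager. Its lockfile syntax imitates pip's `name==version --hash=sha256:<hex>` lines, and the in-memory registry, package bytes and the "tampered" artifact are constructed sample data standing in for a real index. It goes slightly beyond the text by also failing closed on entries that are pinned to a version but carry no hash, since a bare version pin does not detect a replaced artifact.

```python
"""Fail-closed dependency verification against a hash-pinned lockfile.

Added example, not code from the original article or from any package
manager. The lockfile syntax imitates pip's ``name==version
--hash=sha256:<hex>`` lines; the in-memory "registry" and the package
bytes are constructed sample data standing in for a real index.
"""
import hashlib
import re
from typing import Callable

LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


class SupplyChainError(Exception):
    """Raised before any artifact is unpacked; the install must not proceed."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def generate_lockfile(packages: dict[tuple[str, str], bytes]) -> str:
    """Pin each reviewed artifact to its digest (what a lock tool records)."""
    lines = [f"{name}=={version} --hash=sha256:{sha256_hex(blob)}"
             for (name, version), blob in sorted(packages.items())]
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> dict[tuple[str, str], set[str]]:
    """Map (name, version) -> allowed digests; reject unpinned entries."""
    pins: dict[tuple[str, str], set[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if m is None:
            raise SupplyChainError(f"line {lineno}: cannot parse {line!r}")
        digests = set(re.findall(r"sha256:([0-9a-f]{64})", m["hashes"]))
        if not digests:
            # A bare version pin still lets a replaced artifact through.
            raise SupplyChainError(f"line {lineno}: {m['name']} has no hash pin")
        pins[(m["name"], m["version"])] = digests
    return pins


def verify_install(lock_text: str,
                   fetch: Callable[[str, str], bytes]) -> list[tuple[str, str]]:
    """Fetch every pinned artifact and check its digest before installing any."""
    pins = parse_lockfile(lock_text)
    verified: list[tuple[str, str]] = []
    for (name, version), allowed in pins.items():
        digest = sha256_hex(fetch(name, version))
        if digest not in allowed:
            raise SupplyChainError(
                f"{name}=={version}: digest {digest[:12]}... not in lockfile; "
                "artifact differs from the one that was reviewed")
        verified.append((name, version))
    return verified  # only now would an installer unpack these


# Constructed sample registry: the artifacts that were reviewed and tested.
GOOD_REGISTRY: dict[tuple[str, str], bytes] = {
    ("leftpad", "1.3.0"): b"def leftpad(s, n):\n    return s.rjust(n)\n",
    ("tinyhttp", "2.0.1"): b"def get(url):\n    raise NotImplementedError\n",
}
LOCKFILE = generate_lockfile(GOOD_REGISTRY)

# The same registry after an upstream compromise replaced one artifact.
TAMPERED_REGISTRY = dict(GOOD_REGISTRY)
TAMPERED_REGISTRY[("leftpad", "1.3.0")] = (
    GOOD_REGISTRY[("leftpad", "1.3.0")] + b"import os  # injected line\n"
)


def check_registry(registry: dict[tuple[str, str], bytes],
                   lock_text: str = LOCKFILE) -> tuple[bool, str]:
    """Return (ok, message) for installing lock_text from the given registry."""
    try:
        verified = verify_install(lock_text, lambda n, v: registry[(n, v)])
        return True, f"verified {len(verified)} artifacts"
    except SupplyChainError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("clean index:   ", check_registry(GOOD_REGISTRY))
    print("tampered index:", check_registry(TAMPERED_REGISTRY))
```

The lockfile is generated from the reviewed artifacts at lock time and committed; at build time only `verify_install` runs, so a package that changes under the same version string is caught, and a lockfile entry that someone loosened to a version-only pin is rejected rather than silently trusted.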
