F5 Labs Top CWEs, CWE OWASP Top Ten Analysis, & May 2025 CVE Trends

For May’s vulnerability analysis (https://www.f5.com/labs/articles/threat-intelligence/f5-labs-top-cwes-owasp-top-ten-analysis), we examine the ten most-targeted CVEs, highlighting notable shifts and ongoing trends in exploitation activity. We also analyze a year’s worth of targeted CVE traffic using the primary Common Weakness Enumeration (CWE) identifiers and the OWASP Top Ten categories.


CWE Refresher

Highlights:

  • CWE-94: Code Injection - The attacker sends an HTTP request whose content is handed to an interpreter (for example, eval()) and executed as code, resulting in Remote Code Execution.

  • CWE-77: Command Injection - The attacker supplies input in an HTTP request that is concatenated, without neutralization, into a system command string; shell metacharacters in the input then run additional commands, resulting in Remote Code Execution. CWE-78 (OS Command Injection) is the child of CWE-77 that most of these CVEs describe.
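The two patterns above, as an added example (not code from the F5 Labs article): a minimal handler for each weakness beside a hardened version. The handler names, the arithmetic "calculator" endpoint, and the use of `echo` in place of a diagnostic tool such as `ping` are assumptions made for the illustration.

```python
"""Added example: CWE-94 and CWE-77 in miniature, each beside a hardened form."""
import ast
import operator
import re
import subprocess

# ---- CWE-94: Code Injection: request input is handed to an interpreter -----

def calc_vulnerable(expr: str) -> str:
    """Vulnerable: the request parameter *is* the program that eval() runs.
    "__import__('os').system('id')" is evaluated just like "2+3"."""
    return str(eval(expr))  # deliberately vulnerable

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}

def _fold(node: ast.AST):
    """Interpret only the arithmetic subset of the AST; anything else is rejected.
    Names, attribute access and calls never reach an interpreter."""
    if isinstance(node, ast.Expression):
        return _fold(node.body)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_fold(node.left), _fold(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_fold(node.operand)
    raise ValueError(f"rejected syntax: {type(node).__name__}")

def calc_hardened(expr: str) -> str:
    """Hardened: parse, then walk an allow-list of node types; no eval() at all."""
    if len(expr) > 64:
        raise ValueError("expression too long")
    return str(_fold(ast.parse(expr, mode="eval")))

# ---- CWE-77: Command Injection: request input spliced into a command -------
# `echo` stands in for the diagnostic binary (ping, traceroute) a device CGI
# would call; the shell behaviour is identical.

def diag_vulnerable(host: str) -> str:
    """Vulnerable: string concatenation plus shell=True. A ';' in `host`
    terminates the echo command and whatever follows runs as a new command."""
    return subprocess.run("echo " + host, shell=True,
                          capture_output=True, text=True).stdout

# Allow-list: hostname/IP characters only, and no leading '-' so the value
# cannot be interpreted as an option by the invoked program.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")

def diag_hardened(host: str) -> str:
    """Hardened: validate against the allow-list, then pass the value as a
    single argv element with no shell involved."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError("invalid host")
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout

if __name__ == "__main__":
    payload = "1.1.1.1; echo pwned"
    print(repr(diag_vulnerable(payload)))   # second line 'pwned' came from the injected command
    print(repr(diag_hardened("1.1.1.1")))
    print(calc_hardened("2+3"))
```

The hardened command handler relies on two independent controls: the allow-list rejects the payload outright, and the argv form means that even a value which slipped past validation would be delivered to the program as data rather than parsed by a shell.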


F5 Labs Top CWEs

Highlights:

  • CWE-94 Code Injection ranks highest due to the outsized influence of a single CVE, CVE-2017-9841 (the PHPUnit eval-stdin.php code injection).

  • CWE-77 Command Injection comes in second and is spread across the largest number of distinct CVEs in the F5 Labs Top CWEs.


F5 Labs OWASP Top Ten CWEs

Highlights:

  • A03:2021 – Injection is the clear leader in observed CVE traffic.

  • Counter-intuitively, A01:2021 - Broken Access Control is relatively underrepresented. Many of the CVEs analyzed do involve missing access control (for example, an endpoint reachable without authentication), but only as a secondary CWE; the primary CWE that drives the OWASP mapping is the injection weakness, so the traffic is counted under A03.

  • Many OWASP categories have no attributed CVE traffic. OWASP categorization reflects the holistic security needs of software development, which does not necessarily correlate with the CVEs that see mass exploitation.

  • Some CVEs do not fit the current OWASP Top Ten at all, e.g. buffer overflow weaknesses.
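The primary-versus-secondary effect described above is easy to reproduce. The following Python is an added example, not the F5 Labs methodology or data: it maps CWEs to OWASP Top Ten 2021 categories using a subset of the published OWASP mapping, then aggregates hit counts once crediting only each CVE's primary CWE and once also crediting its secondary CWEs. The records (labels `vuln-a` to `vuln-g` and their hit counts) are constructed for the illustration and correspond to no real CVE.

```python
"""Added example: how the choice of primary vs. secondary CWE moves OWASP totals."""
from collections import Counter

# Subset of the OWASP Top Ten 2021 CWE mapping (from the OWASP category pages);
# only the entries this example needs. CWE-119/120 (buffer overflows) are
# deliberately absent: they have no 2021 category.
OWASP_2021 = {
    "A01:2021-Broken Access Control": {"CWE-22", "CWE-284", "CWE-285", "CWE-862", "CWE-863"},
    "A03:2021-Injection": {"CWE-77", "CWE-78", "CWE-79", "CWE-89", "CWE-94"},
    "A05:2021-Security Misconfiguration": {"CWE-611"},
    "A07:2021-Identification and Authentication Failures": {"CWE-287", "CWE-798"},
    "A08:2021-Software and Data Integrity Failures": {"CWE-502"},
    "A10:2021-Server-Side Request Forgery": {"CWE-918"},
}
UNMAPPED = "Not in OWASP Top Ten 2021"

# Constructed sample: (label, observed hits, primary CWE, secondary CWEs).
# Secondary CWE-862/CWE-284 model "unauthenticated endpoint" as a contributing
# cause behind an injection primary.
SAMPLE = [
    ("vuln-a", 9000, "CWE-94", ()),
    ("vuln-b", 2500, "CWE-77", ("CWE-862",)),
    ("vuln-c", 1800, "CWE-78", ("CWE-284",)),
    ("vuln-d", 600, "CWE-22", ()),
    ("vuln-e", 400, "CWE-502", ("CWE-862",)),
    ("vuln-f", 300, "CWE-120", ()),
    ("vuln-g", 200, "CWE-918", ()),
]

def cwe_to_category(cwe: str) -> str:
    """Reverse lookup into the mapping; CWEs outside the Top Ten go to UNMAPPED."""
    for category, cwes in OWASP_2021.items():
        if cwe in cwes:
            return category
    return UNMAPPED

def aggregate(records, include_secondary: bool = False) -> dict:
    """Sum hits per OWASP category. With include_secondary, a CVE's hits are
    credited once to every distinct category its CWEs touch, so category
    totals can exceed the raw traffic total (the cost of counting secondaries)."""
    totals = Counter()
    for _label, hits, primary, secondary in records:
        categories = {cwe_to_category(primary)}
        if include_secondary:
            categories |= {cwe_to_category(c) for c in secondary}
        for category in categories:
            totals[category] += hits
    return dict(totals)

def ranked(totals: dict) -> list:
    """Categories ordered by traffic, highest first."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for include_secondary in (False, True):
        print("secondary CWEs counted:" if include_secondary else "primary CWE only:")
        for category, hits in ranked(aggregate(SAMPLE, include_secondary)):
            print(f"  {hits:>6}  {category}")
```

Counting only the primary CWE keeps the totals additive and is the conservative attribution, but it is also why access-control failures that merely enable an injection disappear from A01. Reading the secondary column, as in the second run, is the check to make before concluding that attackers are not exploiting broken access control.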


CVE Trend Takeaways


Conclusion

Observed CVE targeting in May 2025 was consistent with recent trends, with a slight uptick in overall activity. We reported significant increases in activity for CVE-2020-8958 (Guangzhou ONU Command Injection) and CVE-2024-3721 (TBK DVR OS Command Injection), and speculated that the latter is likely due to a Mirai variant. Analysis of twelve months of CVE targeting attributed to Common Weakness Enumeration (CWE) and OWASP Top Ten categories indicates a continued bias by attackers towards injection vulnerabilities leading to Remote Code Execution, specifically CWE-94 (Code Injection) and CWE-77 (Command Injection). Some results of the CWE and OWASP Top Ten analysis were surprising; we address them in their respective sections of the main article (https://www.f5.com/labs/articles/threat-intelligence/f5-labs-top-cwes-owasp-top-ten-analysis).

Published Jun 18, 2025
Version 1.0