The MITRE Corporation recently announced the availability of the 2025 Most Important Hardware Weaknesses (MIHW) list. This is the first data-driven list of root-cause hardware security weaknesses ever created, and I am really excited to see it finally released. This list was developed through a cross-industry collaboration of security experts, and I was grateful to be a part of the effort.

What is CWE?

The Common Weakness Enumeration (CWE) is a MITRE-maintained but industry-developed public database of root-cause weaknesses. It dates back to about 2006 in the software domain, and it is widely used across the software security ecosystem to enable security development lifecycles (SDLs) and to better categorize the root causes of publicly disclosed Common Vulnerabilities and Exposures (CVEs).

In 2020, hardware weaknesses were introduced to the CWE ecosystem, filling an extremely important gap in the way organizations classify hardware vulnerabilities and providing needed infrastructure for the hardware security development lifecycle (HSDL).

A year after hardware weaknesses were introduced, the industry immediately started looking for guidance on how to prioritize these weaknesses. To address this need, I participated in the creation of the first-ever “Most Important Hardware Weaknesses” list in 2021. This data was a huge first step to help with prioritizing weaknesses. However, as time went on, many within the hardware security community quickly noticed that most of the data for the 2021 weakness list was from surveys only. With the increasing number of public disclosures of vulnerabilities and security advisories, we unanimously agreed that a refresh to this list based on real vulnerability data was needed.

What is the 2025 MIHW List?

The 2025 MIHW list categorizes weaknesses that should be treated with the highest priority by the industry. The list is a refresh of the original list created in 2021, this time using industry-available security advisories and vulnerabilities to support each weakness’s importance with real data.

How was the MIHW list created?

The 2025 list was created by a working group of 15-20 individuals across the hardware security industry, including myself. The working group dug through hundreds of security advisories and publicly disclosed vulnerabilities (CVEs) and performed root-cause weakness mapping for each (when needed). Some CVEs and advisories already had CWE entries added, which was great! However, many did not, and the working group was tasked with assigning the most suitable one.

We also surveyed industry experts to ensure nothing was missing. For example, a new weakness may have been created based on very recent security disclosures. We wanted to make sure we did not miss this type of information in our final results.

MITRE did a great job of documenting the complete methodology on this page, for those who are interested in the details: https://cwe.mitre.org/topHW/archive/2025/2025_MIHW_methodology.html.

How should I use the MIHW list?

To me, the #1 benefit of the 2025 MIHW list is to provide industry stakeholders with better prioritization of root-cause weaknesses. With 110 hardware weaknesses available in hardware CWE as of writing this blog, it’s challenging for many new to security to sift through and identify where to start. The MIHW really provides much clearer guidance on exactly how to go about this prioritization because it is based on real vulnerabilities and security advisories.

How can Cycuity help?

Cycuity’s Radix software has broad hardware CWE coverage, covering about 80% of all hardware CWEs. In addition, Radix covers 9 out of the 11 MIHW in the 2025 list – making it a great solution for providing a systematic approach to hardware security assurance. More details on Radix can be found here: https://cycuity.com/solutions/#how-radix-is-different.