A02:2025 — Security Misconfiguration
Verified by Precogs Threat Research
What is Security Misconfiguration (OWASP A02:2025)?
Security misconfiguration is missing or incorrect security hardening across the application stack: default accounts or passwords, unnecessary features left enabled, overly permissive cloud storage, verbose error messages, and misconfigured HTTP headers or CORS policies. The category moved up significantly in 2025, reflecting its increased prevalence in modern cloud-native applications.
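A check for the last two items in that list, HTTP security headers and CORS policy, as an added example (not Precogs or OWASP code). The required-header list, the finding labels, the `probe_origin` parameter and both sample responses are assumptions constructed for illustration.

```python
# Added example: flags header and CORS misconfigurations in one HTTP response.
# REQUIRED, the finding labels and both sample responses are assumptions.
REQUIRED = ("strict-transport-security", "content-security-policy",
            "x-content-type-options")

def audit_headers(headers, probe_origin=None):
    """Return sorted findings for one response's headers.

    probe_origin is the untrusted Origin value the auditor sent with the
    request; a server that echoes it back accepts any origin.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing:{name}" for name in REQUIRED if name not in h]

    # Framing protection: X-Frame-Options or a CSP frame-ancestors directive.
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("missing:frame-protection")

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    suffix = "-with-credentials" if creds else ""
    if acao == "*":
        # Acceptable for public data; browsers reject "*" on credentialed
        # requests, so pairing it with credentials is a broken policy.
        findings.append("cors:wildcard-origin" + suffix)
    elif acao == "null":
        # Sandboxed iframes and local files send Origin: null.
        findings.append("cors:null-origin" + suffix)
    elif probe_origin is not None and acao == probe_origin:
        findings.append("cors:reflected-origin" + suffix)
    return sorted(findings)

# Constructed sample responses (not captured from any real system).
WEAK = {
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "https://audit.invalid",
    "Access-Control-Allow-Credentials": "true",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "https://app.example.com",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(resp, probe_origin="https://audit.invalid"))
```

A `cors:wildcard-origin` finding on its own is a prompt to confirm the endpoint serves only public data, not necessarily a defect.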
Impact
The category moved up to #2 in 2025 from #5 in 2021, reflecting widespread misconfiguration in cloud-native and containerized deployments. It is often the easiest vulnerability to exploit and requires no special tools.
How Precogs AI Addresses A02
Precogs AI detects security misconfigurations in compiled applications, container images, and IaC templates, including default credentials, permissive CORS, and missing security headers.