
Knowing your weaknesses is your greatest strength: Mapping CVE to CWE by leveraging CWE Hierarchy and LLMs

Research output: Working paper › Preprint › Academic

Abstract

Effective defense against threat actors requires that security professionals accurately identify the underlying weaknesses associated with common vulnerabilities and exposures (CVEs). This understanding is crucial for deploying appropriate defensive mechanisms and prioritizing remediation efforts. However, manually mapping CVEs to common weakness enumerations (CWEs) has become increasingly impractical due to the rapid increase of new CVEs and the extensive, complex CWE taxonomy. In 2025, the number of CVEs that are waiting for analysis exceeded 24,000.

To automate the mapping between CVEs and CWEs, we leverage two insights. First, to harness the power of large language models, we fine-tune several language models to perform this mapping based on the vulnerability-to-weakness relation. Second, we propose a supervised framework that exploits the hierarchical structure of CWEs: we first categorize vulnerabilities into broad CWE classes (e.g., Injection, Buffer Overflow), which captures high-level patterns, and then use specialized subnetworks to distinguish fine-grained differences within each class.

Evaluated on a benchmark that covers 95% of all CVEs associated with a CWE, our approach improves F1‑score by more than 6.2% over the best prior supervised method, demonstrating the value of combining model fine‑tuning with hierarchy‑aware classification.
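The two-stage, hierarchy-aware scheme described in the abstract is easy to misread as "two independent classifiers"; the point is that the second stage only chooses among CWEs that sit under the class the first stage picked, so the CWE parent/child relation both routes the input and constrains the answer. The following Python skeleton is an added example written for this page, not code from the paper or its authors. It assumes a small constructed subset of the public CWE ChildOf hierarchy, two coarse classes standing in for the paper's broad categories, toy keyword models in place of the paper's fine-tuned language models and subnetworks, and eight constructed, CVE-style descriptions with no real CVE identifiers. It also shows the macro-F1 computation the abstract reports results in.

```python
"""Hierarchy-aware CWE classification: coarse class first, then a fine label
restricted to that class's subtree (added example, not the paper's code)."""
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Constructed subset of CWE ChildOf relations (child -> parent). Only a few
# entries from the public CWE hierarchy are reproduced here.
CHILD_OF: Dict[str, str] = {
    "CWE-79": "CWE-74",    # cross-site scripting -> Injection
    "CWE-77": "CWE-74",    # command injection -> Injection
    "CWE-78": "CWE-77",    # OS command injection -> command injection
    "CWE-89": "CWE-943",   # SQL injection -> data query logic
    "CWE-943": "CWE-74",
    "CWE-120": "CWE-119",  # classic buffer overflow
    "CWE-787": "CWE-119",  # out-of-bounds write
    "CWE-121": "CWE-787",  # stack-based buffer overflow
    "CWE-122": "CWE-787",  # heap-based buffer overflow
    "CWE-125": "CWE-119",  # out-of-bounds read
}

# Assumption: the paper's broad classes are represented by two CWE nodes.
COARSE_CLASSES: Dict[str, str] = {"CWE-74": "Injection", "CWE-119": "Buffer Overflow"}

Model = Callable[[str], str]  # any text -> label function (LLM, subnetwork, ...)


def ancestors(cwe: str) -> List[str]:
    """Chain cwe, parent, grandparent, ... following CHILD_OF upward."""
    chain = [cwe]
    while chain[-1] in CHILD_OF:
        chain.append(CHILD_OF[chain[-1]])
    return chain


def coarse_class(cwe: str) -> Optional[str]:
    """First coarse-class node on the path from cwe to the root, if any."""
    for node in ancestors(cwe):
        if node in COARSE_CLASSES:
            return node
    return None


def fine_labels(coarse: str) -> List[str]:
    """All fine CWEs whose subtree root is the given coarse class."""
    return sorted(c for c in CHILD_OF if coarse_class(c) == coarse)


class HierarchicalClassifier:
    """Stage 1 predicts a coarse class; stage 2 uses that class's own model."""

    def __init__(self, coarse_model: Model, fine_models: Dict[str, Model]):
        self.coarse_model = coarse_model
        self.fine_models = fine_models

    def predict(self, text: str) -> Tuple[str, str]:
        coarse = self.coarse_model(text)
        fine = self.fine_models[coarse](text)
        # Hierarchy constraint: a fine label outside the predicted subtree is a bug.
        if coarse_class(fine) != coarse:
            raise ValueError(f"{fine} is not under {coarse}")
        return coarse, fine


def keyword_model(rules: Sequence[Tuple[str, str]], default: str) -> Model:
    """Toy stand-in for a trained model: first matching keyword wins."""
    def model(text: str) -> str:
        lowered = text.lower()
        for keyword, label in rules:
            if keyword in lowered:
                return label
        return default
    return model


# Toy models (assumption: replace with the fine-tuned LLM and subnetworks).
COARSE_MODEL = keyword_model([(k, "CWE-74") for k in ("script", "sql", "command", "shell")], "CWE-119")
FINE_MODELS: Dict[str, Model] = {
    "CWE-74": keyword_model([("script", "CWE-79"), ("sql", "CWE-89"), ("shell", "CWE-78")], "CWE-77"),
    "CWE-119": keyword_model([("stack", "CWE-121"), ("heap", "CWE-122"),
                              ("read", "CWE-125"), ("write", "CWE-787")], "CWE-120"),
}

# Constructed CVE-style descriptions with their gold CWE (no real CVE ids).
SAMPLES: List[Tuple[str, str]] = [
    ("Stored cross-site scripting via unescaped comment field", "CWE-79"),
    ("SQL query built from unsanitized user input", "CWE-89"),
    ("Shell command injection through filename parameter", "CWE-78"),
    ("Stack-based buffer overflow in packet parser", "CWE-121"),
    ("Heap buffer overflow when decoding image header", "CWE-122"),
    ("Out-of-bounds read while parsing TLV length field", "CWE-125"),
    ("Buffer overflow in string copy routine", "CWE-120"),
    ("Command injection via crafted script name", "CWE-77"),  # toy model gets this wrong
]


def macro_f1(y_true: Sequence[str], y_pred: Sequence[str]) -> float:
    """Unweighted mean of per-label F1 over every label seen in gold or predictions."""
    labels = set(y_true) | set(y_pred)
    total = 0.0
    for lab in labels:
        tp = sum(t == lab and p == lab for t, p in zip(y_true, y_pred))
        fp = sum(t != lab and p == lab for t, p in zip(y_true, y_pred))
        fn = sum(t == lab and p != lab for t, p in zip(y_true, y_pred))
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        total += 2 * prec * rec / (prec + rec) if prec + rec else 0.0
    return total / len(labels)


def evaluate(clf: Optional[HierarchicalClassifier] = None) -> Tuple[List[str], float]:
    """Run the classifier over SAMPLES; return fine predictions and macro-F1."""
    clf = clf or HierarchicalClassifier(COARSE_MODEL, FINE_MODELS)
    preds = [clf.predict(text)[1] for text, _ in SAMPLES]
    return preds, macro_f1([gold for _, gold in SAMPLES], preds)


if __name__ == "__main__":
    predictions, f1 = evaluate()
    for (text, gold), pred in zip(SAMPLES, predictions):
        print(f"{gold:8} -> {pred:8} | {text}")
    print(f"macro-F1 = {f1:.3f}")
```

The constrained `predict` is where the hierarchy pays off: a wrong fine label can only be wrong *within* the right class, which is exactly the failure the coarse stage is meant to localize, and the `ValueError` guards against a subnetwork that was trained on the wrong label set. The deliberately misrouted last sample shows how one coarse-correct, fine-wrong prediction lowers macro-F1.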
Original language: English
Publication status: Published - 2025

