For the first time since the annual list was first distributed in 2000, analysts have seen a shift from a vast majority of attacks targeting operating and email systems and web servers to application programs.
The study noted that the "most noticeable" set of applications targeted are backup, recovery and antivirus applications.
"We are seeing a trend to exploit not only Windows, but other vendor programs installed on large numbers of systems," said Rohit Dhamankar, lead security analyst for 3Com's Tipping Point Division.
"These include backup software, antivirus software, database software and even media players. Flaws in these programs put critical national and corporate resources at risk and have the potential to compromise the entire network."
The institute noted important statistic in the Top 20 list is new public awareness of vulnerabilities in network devices.
Jerry Dixon, US-CERT director, also said there is a change in cybercriminals' tactics.
"The US-CERT received reports of important system compromises using vulnerabilities in backup products within a few days of the public disclosure of vulnerabilities in those products," he said.