CISA’s Identified Exploited Vulnerabilities (KEV) catalog grew by 20% in 2025, together with 24 vulnerabilities exploited by ransomware teams.
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) added 245 vulnerabilities to its Identified Exploited Vulnerabilities (KEV) catalog in 2025, because the database grew to 1,484 software program and {hardware} flaws at excessive danger of cyberattacks.
The company eliminated no less than one vulnerability from the catalog in 2025 – CVE-2025-6264, a Velociraptor Incorrect Default Permissions vulnerability that CISA decided had inadequate proof of exploitation – however the database has usually grown steadily since its launch in November 2021.
After an preliminary surge of added vulnerabilities after the database first launched, development stabilized in 2023 and 2024, with 187 vulnerabilities added in 2023 and 185 in 2024.
Progress accelerated in 2025, nevertheless, as CISA added 245 vulnerabilities to the KEV catalog, a rise of greater than 30% above the pattern seen in 2023 and 2024. With new vulnerabilities surging in current weeks, the elevated exploitation pattern could effectively proceed into 2026.
Total, CISA KEV vulnerabilities grew from 1,239 vulnerabilities on the finish of 2024 to 1,484 on the finish of 2025, a rise of slightly below 20%.
We’ll have a look at a few of the developments and vulnerabilities from 2025 – together with 24 vulnerabilities recognized to be exploited by ransomware teams – together with the distributors and initiatives that had probably the most CVEs added to the record this yr.
Older Vulnerabilities Added to CISA KEV Additionally Grew
The addition of older vulnerabilities to the CISA KEV catalog additionally grew in 2025. In 2023 and 2024, 60 to 70 older vulnerabilities had been added to the KEV catalog annually. In 2025, the variety of vulnerabilities from 2024 and earlier added to the catalog grew to 94, a 34% improve from a yr earlier.
The oldest vulnerability added to the KEV catalog in 2025 was CVE-2007-0671, a Microsoft Workplace Excel Distant Code Execution vulnerability.
The oldest vulnerability within the catalog stays one from 2002 – CVE-2002-0367, a privilege escalation vulnerability within the Home windows NT and Home windows 2000 smss.exe debugging subsystem that has been recognized for use in ransomware assaults.
Vulnerabilities Utilized in Ransomware Assaults
CISA marked 24 of the vulnerabilities added in 2025 as recognized to be exploited by ransomware teams. They embody some well-known flaws similar to CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Enterprise Suite vulnerabilities exploited by the CL0P ransomware group.
The total record of vulnerabilities newly exploited by ransomware teams in 2025 is included under, and must be prioritized by safety groups if they’re not but patched.
| Vulnerabilities Exploited by Ransomware Teams | |
| CVE-2025-5777 | Citrix NetScaler ADC and Gateway Out-of-Bounds Learn |
| CVE-2025-31161 | CrushFTP Authentication Bypass |
| CVE-2019-6693 | Fortinet FortiOS Use of Exhausting-Coded Credentials |
| CVE-2025-24472 | Fortinet FortiOS and FortiProxy Authentication Bypass |
| CVE-2024-55591 | Fortinet FortiOS and FortiProxy Authentication Bypass |
| CVE-2025-10035 | Fortra GoAnywhere MFT Deserialization of Untrusted Knowledge |
| CVE-2025-22457 | Ivanti Join Safe, Coverage Safe, and ZTA Gateways Stack-Based mostly Buffer Overflow |
| CVE-2025-0282 | Ivanti Join Safe, Coverage Safe, and ZTA Gateways Stack-Based mostly Buffer Overflow |
| CVE-2025-55182 | Meta React Server Elements Distant Code Execution |
| CVE-2025-49704 | Microsoft SharePoint Code Injection |
| CVE-2025-49706 | Microsoft SharePoint Improper Authentication |
| CVE-2025-53770 | Microsoft SharePoint Deserialization of Untrusted Knowledge |
| CVE-2025-29824 | Microsoft Home windows Widespread Log File System (CLFS) Driver Use-After-Free |
| CVE-2025-26633 | Microsoft Home windows Administration Console (MMC) Improper Neutralization |
| CVE-2018-8639 | Microsoft Home windows Win32k Improper Useful resource Shutdown or Launch |
| CVE-2024-55550 | Mitel MiCollab Path Traversal |
| CVE-2024-41713 | Mitel MiCollab Path Traversal |
| CVE-2025-61884 | Oracle E-Enterprise Suite Server-Facet Request Forgery (SSRF) |
| CVE-2025-61882 | Oracle E-Enterprise Suite Unspecified |
| CVE-2023-48365 | Qlik Sense HTTP Tunneling |
| CVE-2025-31324 | SAP NetWeaver Unrestricted File Add |
| CVE-2024-57727 | SimpleHelp Path Traversal |
| CVE-2024-53704 | SonicWall SonicOS SSLVPN Improper Authentication |
| CVE-2025-23006 | SonicWall SMA1000 Home equipment Deserialization |
Tasks and Distributors with the Highest Variety of Exploited Vulnerabilities
Microsoft as soon as once more led all distributors and initiatives in CISA KEV additions, with 39 vulnerabilities added to the database in 2025, up from 36 in 2024.
A number of distributors and initiatives had fewer vulnerabilities added in 2025 than they did in 2024, suggesting improved safety controls. Among the many distributors and initiatives that noticed a decline in KEV vulnerabilities in 2025 had been Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware.
11 distributors and initiatives had 5 or extra KEV vulnerabilities added this yr, included under.
| Vendor/challenge | CISA KEV additions in 2025 |
| Microsoft | 39 |
| Apple | 9 |
| Cisco | 8 |
| Fortinet | 8 |
| Google Chromium | 7 |
| Ivanti | 7 |
| Linux Kernel | 7 |
| Citrix | 5 |
| D-Hyperlink | 5 |
| Oracle | 5 |
| SonicWall | 5 |
Most Widespread Software program Weaknesses Exploited in 2025
Eight software program and {hardware} weaknesses (frequent weak spot enumerations, or CWEs) had been notably outstanding among the many 2025 KEV additions. The record is just like final yr, though CWE-787, CWE-79, and CWE-94 are new to the record this yr.
- CWE-78 – Improper Neutralization of Particular Parts utilized in an OS Command (‘OS Command Injection’) – was once more the commonest weak spot amongst vulnerabilities added to the KEV database, accounting for 18 of the 245 vulnerabilities added in 2025.
- CWE-502 – Deserialization of Untrusted Knowledge – once more got here in second, occurring in 14 of the vulnerabilities.
- CWE-22 – Improper Limitation of a Pathname to a Restricted Listing, or ‘Path Traversal’ – moved as much as third place with 13 appearances.
- CWE-416 – Use After Free – slipped a spot to fourth and was behind 11 of the vulnerabilities.
- CWE-787 – Out-of-bounds Write – was a think about 10 of the vulnerabilities.
- CWE-79 – Cross-site Scripting – appeared 7 instances.
Conclusion
CISA’s Identified Exploited Vulnerabilities catalog stays a helpful software for serving to IT safety groups prioritize patching and vulnerability administration efforts.
The CISA KEV catalog also can alert organizations to third-party dangers – though by the point a vulnerability will get added to the database, it’s develop into an pressing drawback requiring fast consideration. Third-party danger administration (TPRM) options might present earlier warnings about companion danger by audits and different instruments.
Lastly, software program and utility improvement groups ought to monitor CISA KEV additions to achieve consciousness of frequent software program weaknesses that risk actors routinely goal.
Take management of your vulnerability danger in the present day — e book a personalised demo to see how CISA KEV impacts your group.
