CISA Expands KEV Catalog with 1,484 New Vulnerabilities as Active Exploitation Surges 20% in 2025

Posted on January 6, 2026 by CWS

The US Cybersecurity and Infrastructure Security Agency (CISA) has significantly expanded its Known Exploited Vulnerabilities (KEV) Catalog to 1,484 vulnerabilities as of December 2025, marking a significant milestone in the federal government’s efforts to combat actively exploited security flaws.

This comprehensive database, which began with 311 vulnerabilities in November 2021, has grown considerably over the past four years, reflecting the increasingly sophisticated threat landscape facing both public and private sector organizations.

The KEV catalog experienced accelerated growth in 2025, with 245 new vulnerabilities added throughout the year, representing a 20% increase and more than 30% above the trend seen in 2023 and 2024.

This surge underscores the persistent and evolving nature of cyber threats, as malicious actors continue to exploit known vulnerabilities across a wide range of software and hardware platforms.

The catalog serves as a critical resource under CISA’s Binding Operational Directive (BOD) 22-01, which mandates Federal Civilian Executive Branch (FCEB) agencies to remediate listed vulnerabilities within specific timeframes.

Understanding the KEV Catalog Framework

CISA’s KEV catalog represents a paradigm shift in vulnerability management, moving beyond traditional Common Vulnerability Scoring System (CVSS) severity scores to focus specifically on vulnerabilities with confirmed evidence of active exploitation.

The catalog is updated regularly based on reliable intelligence that threat actors are actively using these vulnerabilities to exploit public or private organizations.

Each vulnerability entry in the KEV catalog includes critical information such as the CVE identifier, vendor and product details, vulnerability name, date added, short description, required remediation actions, and a mandated due date for federal agencies.

Under BOD 22-01, federal agencies must remediate vulnerabilities assigned CVE IDs in 2021 or later within two weeks of addition to the catalog, while older vulnerabilities from before 2021 require remediation within six months.

While these directives are mandatory only for federal agencies, CISA strongly encourages all organizations, including private sector entities, to adopt the KEV catalog as part of their vulnerability management prioritization framework.
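As an added example (not CISA's or the article's own code), the following Python applies the remediation windows stated above to KEV-style entries and ranks the ones that match an asset inventory. Field names follow CISA's JSON feed; the sample dates, the inventory and the function names are assumptions made for illustration.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed. CVE IDs and products
# come from the article; the dateAdded values are invented for illustration.
SAMPLE_FEED = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-2025-5777", "vendorProject": "Citrix", "dateAdded": "2025-07-10",
  "product": "NetScaler ADC and Gateway", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2019-6693", "vendorProject": "Fortinet", "dateAdded": "2025-06-25",
  "product": "FortiOS", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2025-33073", "vendorProject": "Microsoft", "dateAdded": "2025-10-20",
  "product": "Windows", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-10035", "vendorProject": "Fortra", "dateAdded": "2025-09-29",
  "product": "GoAnywhere MFT", "knownRansomwareCampaignUse": "Known"}
]}
""")

# Hypothetical asset inventory: (vendor, product) pairs the organization runs.
INVENTORY = {("citrix", "netscaler adc and gateway"), ("fortinet", "fortios"),
             ("microsoft", "windows")}


def add_months(d, months):
    """Add calendar months, clamping the day to the end of shorter months."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    return date(year, month, min(d.day, (first_of_next - timedelta(days=1)).day))


def deadline(entry):
    """Deadline per the rule as the article states it: two weeks for CVE IDs
    assigned in 2021 or later, six months for older ones."""
    cve_year = int(entry["cveID"].split("-")[1])
    added = date.fromisoformat(entry["dateAdded"])
    if cve_year >= 2021:
        return added + timedelta(weeks=2)
    return add_months(added, 6)


def prioritize(feed, inventory, today):
    """Return (cveID, deadline, days_left, ransomware) for KEV entries matching
    the inventory: ransomware-linked first, then earliest deadline."""
    rows = []
    for e in feed["vulnerabilities"]:
        key = (e["vendorProject"].lower(), e["product"].lower())
        if key in inventory:
            due = deadline(e)
            ransomware = e.get("knownRansomwareCampaignUse") == "Known"
            rows.append((e["cveID"], due, (due - today).days, ransomware))
    return sorted(rows, key=lambda r: (not r[3], r[1]))
```

A negative `days_left` marks an entry that is already past its window. Real feed entries also carry their own `dueDate` field, which the sample omits so that the rule itself is visible.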

Ransomware Exploitation: A Critical Threat Vector

One of the most alarming findings from the 2025 KEV catalog data is the significant role that these vulnerabilities play in ransomware campaigns. Analysis shows that 304 of 1,484 vulnerabilities (20.5%) have been exploited by ransomware groups, posing a substantial threat to organizations worldwide.

In 2025 alone, CISA marked 24 newly added vulnerabilities as known to be exploited by ransomware operators, including high-profile flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and multiple Oracle E-Business Suite vulnerabilities targeted by the CL0P ransomware group.

The table below highlights the top vulnerabilities actively used in ransomware attacks:

| CVE ID | Vendor | Product | Vulnerability Type |
|---|---|---|---|
| CVE-2025-55182 | Meta | React Server Components | Meta React Server Components Remote Code Execution Vulnerability |
| CVE-2025-61884 | Oracle | E-Business Suite | Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability |
| CVE-2025-61882 | Oracle | E-Business Suite | Oracle E-Business Suite Unspecified Vulnerability |
| CVE-2025-10035 | Fortra | GoAnywhere MFT | Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability |
| CVE-2025-49704 | Microsoft | SharePoint | Microsoft SharePoint Code Injection Vulnerability |
| CVE-2025-49706 | Microsoft | SharePoint | Microsoft SharePoint Improper Authentication Vulnerability |
| CVE-2025-53770 | Microsoft | SharePoint | Microsoft SharePoint Deserialization of Untrusted Data Vulnerability |
| CVE-2025-5777 | Citrix | NetScaler ADC and Gateway | Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability |
| CVE-2019-6693 | Fortinet | FortiOS | Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability |
| CVE-2025-31324 | SAP | NetWeaver | SAP NetWeaver Unrestricted File Upload Vulnerability |

Microsoft leads all vendors with 100 ransomware-related vulnerabilities, followed by Fortinet with 13, Ivanti with 12, and Oracle with 11.

This concentration of ransomware-exploited vulnerabilities among major enterprise vendors highlights the critical importance of timely patch management and security updates for organizations using these widely deployed platforms.

Vendor and Product Distribution Analysis

The KEV catalog data reveals significant disparities in vulnerability distribution across vendors, with Microsoft accounting for 350 vulnerabilities, nearly 24% of the entire catalog.

This dominance reflects Microsoft’s extensive market presence across operating systems, productivity software, and enterprise applications. Apple ranks second with 86 vulnerabilities, followed by Cisco with 82, Adobe with 76, and Google with 67.

The vendor distribution underscores the reality that widely deployed enterprise technologies present attractive targets for threat actors. Microsoft Windows alone accounts for 159 product-specific vulnerabilities, while other frequently targeted products include Chromium V8 (37 vulnerabilities), Internet Explorer (34), Flash Player (33), and various Microsoft Office products.

| Vendor | Total Vulnerabilities |
|---|---|
| Microsoft | 350 |
| Apple | 86 |
| Cisco | 82 |
| Adobe | 76 |
| Google | 67 |
| Oracle | 42 |
| Apache | 38 |
| Ivanti | 30 |
| VMware | 26 |
| D-Link | 25 |

Interestingly, several vendors demonstrated improved security postures in 2025, with fewer vulnerabilities added compared to 2024. Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware all saw declines in KEV additions, suggesting enhanced security controls and more robust development practices.

However, Microsoft’s count increased from 36 vulnerabilities added in 2024 to 39 in 2025, maintaining its position as the vendor requiring the most sustained remediation attention.

Common Weakness Enumeration (CWE) Patterns

Analysis of the vulnerability types represented in the KEV catalog reveals distinct patterns in the categories of flaws most frequently exploited by threat actors. The most prevalent Common Weakness Enumeration (CWE) categories provide insight into the attack vectors favored by malicious actors and the fundamental security challenges facing software development.

CWE-20 (Improper Input Validation) leads all vulnerability types with 113 occurrences, representing roughly 7.6% of all KEV entries. This category encompasses flaws where software fails to properly validate, sanitize, or verify user-supplied input, allowing attackers to inject malicious data or commands. The prevalence of this weakness underscores persistent challenges in secure coding practices and the critical importance of robust input validation mechanisms.

CWE-78 (OS Command Injection) ranks second with 97 instances, accounting for 18 of the 245 vulnerabilities added in 2025 alone. This vulnerability type allows attackers to execute arbitrary operating system commands, often leading to complete system compromise. The continued exploitation of command injection flaws highlights the dangers of incorporating unsanitized user input into system-level operations.

| CWE | Count | Description |
|---|---|---|
| CWE-20 | 113 | Improper Input Validation |
| CWE-78 | 97 | OS Command Injection |
| CWE-787 | 96 | Out-of-bounds Write |
| CWE-416 | 86 | Use After Free |
| CWE-119 | 80 | Improper Restriction of Operations within Memory Bounds |
| CWE-22 | 68 | Path Traversal |
| CWE-502 | 58 | Deserialization of Untrusted Data |
| CWE-94 | 53 | Code Injection |
| CWE-843 | 36 | Access of Resource Using Incompatible Type |
| CWE-287 | 31 | Improper Authentication |

Memory corruption vulnerabilities also feature prominently, with CWE-787 (Out-of-bounds Write) appearing 96 times and CWE-416 (Use After Free) occurring 86 times.

These memory safety issues, predominantly found in software written in C and C++, continue to provide exploitation opportunities despite decades of security research and the availability of memory-safe programming languages.

CWE-502 (Deserialization of Untrusted Data) appears 58 times and was responsible for 14 of the 2025 additions, highlighting the risks associated with processing serialized data from untrusted sources.

KEV Growth

The KEV catalog’s growth trajectory provides valuable insights into the evolving threat landscape and CISA’s expanding intelligence capabilities.

Following the catalog’s November 2021 launch with 311 initial vulnerabilities, 2022 saw explosive growth with 555 additions, an increase of nearly 78%. This surge likely reflected both the backlog of known exploited vulnerabilities requiring documentation and CISA’s ramping intelligence collection efforts.

Growth subsequently stabilized in 2023 and 2024, with 187 and 186 vulnerabilities added, respectively, representing roughly 17-21% annual growth rates.

However, 2025 saw renewed acceleration, with 245 additions, marking a 20% expansion and signaling either increased vulnerability exploitation activity or enhanced detection and reporting mechanisms.

| Year | Vulnerabilities Added | Cumulative Total |
|---|---|---|
| 2021 | 311 | 311 |
| 2022 | 555 | 866 |
| 2023 | 187 | 1,053 |
| 2024 | 186 | 1,239 |
| 2025 | 245 | 1,484 |

A notable trend in 2025 was the increased addition of older vulnerabilities to the catalog. CISA added 94 vulnerabilities from 2024 and earlier, a 45% increase from the 2023-2024 average of 65 older vulnerabilities per year.

The oldest vulnerability added in 2025 was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability, while the oldest entry in the entire catalog remains CVE-2002-0367, a privilege escalation flaw in Windows NT and Windows 2000 that continues to be exploited by ransomware groups.

High-Impact Additions and Threat Intelligence

Throughout 2025, CISA added numerous critical vulnerabilities with significant exploitation potential. Recent additions spanning October through December highlight the breadth of affected technologies and the diverse attack vectors employed by threat actors.

In October 2025, CISA confirmed active exploitation of five significant vulnerabilities, including CVE-2025-61884, a Server-Side Request Forgery (SSRF) vulnerability in Oracle E-Business Suite that allows attackers unauthorized access to critical data.

This flaw, with a CVSS score of 7.5, has been particularly concerning as it targets a widely deployed enterprise resource planning system used by numerous Fortune 500 companies.

Also added were CVE-2025-33073, an improper access control vulnerability in Microsoft Windows SMB Client enabling privilege escalation, and CVE-2025-2746 and CVE-2025-2747, authentication bypass issues in Kentico CMS that enable full administrative takeover.

September 2025 saw the addition of five diverse vulnerabilities spanning database management tools, enterprise file transfer systems, network operating systems, and core Unix utilities.

CVE-2025-10035, affecting Fortra GoAnywhere MFT, represents a deserialization vulnerability in the License Servlet component that ransomware operators have actively exploited.

CVE-2025-20352, a stack-based buffer overflow in Cisco IOS/IOS XE SNMP functionality, and CVE-2025-32463, a sudo inclusion vulnerability enabling local privilege escalation, demonstrate the continued targeting of fundamental network and operating system components.

December 2025 additions included CVE-2025-55182, a remote code execution vulnerability in Meta’s React Server Components that has been confirmed to be used in ransomware campaigns. The rapid exploitation of this relatively new framework component illustrates threat actors’ agility in weaponizing newly disclosed vulnerabilities.

Threat intelligence from darknet forums has provided early warning signals for several KEV additions. Security researchers monitoring underground cybercrime marketplaces observed discussions of Oracle and SMB payloads labeled as “ClickFix modules” weeks before official CISA advisories, confirming that cybercriminals actively test exploits against unpatched targets before public disclosure. This darknet intelligence represents a valuable early warning system for security teams working to stay ahead of emerging threats.

The implications of the expanding KEV catalog extend far beyond federal agencies, though the requirements of BOD 22-01 create specific obligations for government entities.

Federal agencies must adhere to strict remediation timelines: critical vulnerabilities must be addressed within 15 calendar days of initial detection, while high-severity vulnerabilities require remediation within 30 days. For KEV-listed vulnerabilities specifically, agencies must remediate flaws with CVE IDs from 2021 onward within two weeks, while pre-2021 vulnerabilities require remediation within six months.

CISA’s Known Exploited Vulnerabilities Catalog, now encompassing 1,484 actively exploited flaws, represents a critical resource for organizations seeking to prioritize vulnerability remediation based on real-world threat intelligence rather than theoretical risk assessments.

The 245 vulnerabilities added in 2025 mark a 20% increase and reflect the dynamic nature of cyber threats, with ransomware operators, APT groups, and opportunistic attackers continuing to weaponize known vulnerabilities across diverse technology platforms.

The concentration of ransomware-exploited vulnerabilities among major enterprise vendors, particularly Microsoft’s 100 confirmed ransomware-related flaws, underscores the critical importance of timely patch management for widely deployed enterprise systems.

The prevalence of fundamental vulnerability classes, such as improper input validation, command injection, and memory corruption issues, highlights persistent secure coding challenges that the software industry must address through improved development practices and increased adoption of memory-safe languages.

For federal agencies, compliance with BOD 22-01 requirements remains mandatory, with strict remediation timelines and reporting obligations.

However, the value of the KEV catalog extends far beyond federal compliance, offering all organizations actionable intelligence on the vulnerabilities most likely to be exploited in real-world attacks.

By prioritizing KEV remediation, implementing robust patch management processes, maintaining comprehensive asset inventories, and leveraging threat intelligence for early warning, organizations can significantly reduce their attack surface and strengthen their resilience against the most pressing cyber threats of 2025 and beyond.
