The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 245 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in 2025, as the database grew to 1,484 software and hardware flaws at high risk of cyberattacks.
The agency removed at least one vulnerability from the catalog in 2025 – CVE-2025-6264, a Velociraptor Incorrect Default Permissions vulnerability that CISA determined had insufficient evidence of exploitation – but the database has generally grown steadily since its launch in November 2021.
After an initial surge of added vulnerabilities after the database first launched, growth stabilized in 2023 and 2024, with 187 vulnerabilities added in 2023 and 185 in 2024.
Growth accelerated in 2025, however, as CISA added 245 vulnerabilities to the KEV catalog, an increase of more than 30% above the trend seen in 2023 and 2024. With new vulnerabilities surging in recent weeks, the elevated exploitation trend may well continue into 2026.
Overall, CISA KEV vulnerabilities grew from 1,239 vulnerabilities at the end of 2024 to 1,484 at the end of 2025, an increase of just under 20%.
We’ll look at some of the trends and vulnerabilities from 2025 – including 24 vulnerabilities known to be exploited by ransomware groups – along with the vendors and projects that had the most CVEs added to the list this year.
Older Vulnerabilities Added to CISA KEV Also Grew
The addition of older vulnerabilities to the CISA KEV catalog also grew in 2025. In 2023 and 2024, 60 to 70 older vulnerabilities were added to the KEV catalog each year. In 2025, the number of vulnerabilities from 2024 and earlier added to the catalog grew to 94, a 34% increase from a year earlier.
The oldest vulnerability added to the KEV catalog in 2025 was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability.
The oldest vulnerability in the catalog remains one from 2002 – CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used in ransomware attacks.
Vulnerabilities Used in Ransomware Attacks
CISA marked 24 of the vulnerabilities added in 2025 as known to be exploited by ransomware groups. They include some well-known flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities exploited by the CL0P ransomware group.
The full list of vulnerabilities newly exploited by ransomware groups in 2025 is included below, and should be prioritized by security teams if they’re not yet patched.
| Vulnerabilities Exploited by Ransomware Groups | |
| CVE-2025-5777 | Citrix NetScaler ADC and Gateway Out-of-Bounds Read |
| CVE-2025-31161 | CrushFTP Authentication Bypass |
| CVE-2019-6693 | Fortinet FortiOS Use of Hard-Coded Credentials |
| CVE-2025-24472 | Fortinet FortiOS and FortiProxy Authentication Bypass |
| CVE-2024-55591 | Fortinet FortiOS and FortiProxy Authentication Bypass |
| CVE-2025-10035 | Fortra GoAnywhere MFT Deserialization of Untrusted Data |
| CVE-2025-22457 | Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow |
| CVE-2025-0282 | Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow |
| CVE-2025-55182 | Meta React Server Components Remote Code Execution |
| CVE-2025-49704 | Microsoft SharePoint Code Injection |
| CVE-2025-49706 | Microsoft SharePoint Improper Authentication |
| CVE-2025-53770 | Microsoft SharePoint Deserialization of Untrusted Data |
| CVE-2025-29824 | Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free |
| CVE-2025-26633 | Microsoft Windows Management Console (MMC) Improper Neutralization |
| CVE-2018-8639 | Microsoft Windows Win32k Improper Resource Shutdown or Release |
| CVE-2024-55550 | Mitel MiCollab Path Traversal |
| CVE-2024-41713 | Mitel MiCollab Path Traversal |
| CVE-2025-61884 | Oracle E-Business Suite Server-Side Request Forgery (SSRF) |
| CVE-2025-61882 | Oracle E-Business Suite Unspecified |
| CVE-2023-48365 | Qlik Sense HTTP Tunneling |
| CVE-2025-31324 | SAP NetWeaver Unrestricted File Upload |
| CVE-2024-57727 | SimpleHelp Path Traversal |
| CVE-2024-53704 | SonicWall SonicOS SSLVPN Improper Authentication |
| CVE-2025-23006 | SonicWall SMA1000 Appliances Deserialization |
Projects and Vendors with the Highest Number of Exploited Vulnerabilities
Microsoft once again led all vendors and projects in CISA KEV additions, with 39 vulnerabilities added to the database in 2025, up from 36 in 2024.
Several vendors and projects had fewer vulnerabilities added in 2025 than they did in 2024, suggesting improved security controls. Among the vendors and projects that saw a decline in KEV vulnerabilities in 2025 were Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware.
11 vendors and projects had five or more KEV vulnerabilities added this year, included below.
| Vendor/project | CISA KEV additions in 2025 |
| Microsoft | 39 |
| Apple | 9 |
| Cisco | 8 |
| Fortinet | 8 |
| Google Chromium | 7 |
| Ivanti | 7 |
| Linux Kernel | 7 |
| Citrix | 5 |
| D-Link | 5 |
| Oracle | 5 |
| SonicWall | 5 |
Most Common Software Weaknesses Exploited in 2025
Eight software and hardware weaknesses (common weakness enumerations, or CWEs) were particularly prominent among the 2025 KEV additions. The list is similar to last year, although CWE-787, CWE-79, and CWE-94 are new to the list this year.
- CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – was again the most common weakness among vulnerabilities added to the KEV database, accounting for 18 of the 245 vulnerabilities added in 2025.
- CWE-502 – Deserialization of Untrusted Data – again came in second, occurring in 14 of the vulnerabilities.
- CWE-22 – Improper Limitation of a Pathname to a Restricted Directory, or ‘Path Traversal’ – moved up to third place with 13 appearances.
- CWE-416 – Use After Free – slipped a spot to fourth and was behind 11 of the vulnerabilities.
- CWE-787 – Out-of-bounds Write – was a factor in 10 of the vulnerabilities.
- CWE-79 – Cross-site Scripting – appeared 7 times.
Conclusion
CISA’s Known Exploited Vulnerabilities catalog remains a valuable tool for helping IT security teams prioritize patching and vulnerability management efforts.
The CISA KEV catalog can also alert organizations to third-party risks – although by the time a vulnerability gets added to the database, it’s become an urgent problem requiring immediate attention. Third-party risk management (TPRM) solutions could provide earlier warnings about partner risk through audits and other tools.
Finally, software and application development teams should monitor CISA KEV additions to gain awareness of common software weaknesses that threat actors routinely target.
Take control of your vulnerability risk today — book a personalized demo to see how CISA KEV impacts your organization.
