The United States Cybersecurity and Infrastructure Security Agency (CISA) has significantly expanded its Known Exploited Vulnerabilities (KEV) Catalog to 1,484 vulnerabilities as of December 2025, marking a critical milestone in the federal government’s efforts to combat actively exploited security flaws.
This comprehensive database, which began with 311 vulnerabilities in November 2021, has grown substantially over the past four years, reflecting the increasingly sophisticated threat landscape facing both public and private sector organizations.
The KEV catalog experienced accelerated growth in 2025, with 245 new vulnerabilities added during the year: a 20% increase in the catalog's size and more than 30% above the roughly 186 additions per year seen in 2023 and 2024.
This surge underscores the persistent and evolving nature of cyber threats, as malicious actors continue to exploit known vulnerabilities across a wide range of software and hardware platforms.
The catalog serves as a critical resource under CISA’s Binding Operational Directive (BOD) 22-01, which mandates Federal Civilian Executive Branch (FCEB) agencies to remediate listed vulnerabilities within specific timeframes.
Understanding the KEV Catalog Framework
CISA’s KEV catalog represents a paradigm shift in vulnerability management, moving beyond traditional Common Vulnerability Scoring System (CVSS) severity ratings to focus specifically on vulnerabilities with confirmed evidence of active exploitation.
The catalog is updated regularly based on reliable intelligence that threat actors are actively using these vulnerabilities to exploit public or private organizations.
Each entry in the KEV catalog records the CVE identifier, vendor and product, vulnerability name, date added, a short description, the required remediation action and a due date for federal agencies; the machine-readable feed additionally carries a flag for known use in ransomware campaigns and the associated CWE identifiers.
Under BOD 22-01, the default deadline for federal agencies is two weeks from the date of addition for vulnerabilities assigned CVE IDs in 2021 or later, and six months for vulnerabilities with pre-2021 CVE IDs. CISA can and does set shorter due dates for individual entries, so the due date published with each entry is the one that governs.
While these directives are compulsory only for federal agencies, CISA strongly encourages all organizations, including private sector entities, to adopt the KEV catalog as part of their vulnerability management prioritization framework.
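The fields and deadlines described above are what a vulnerability-management team actually joins against scanner output. The following is an added example, not code from the article or from CISA: it parses a feed in the KEV JSON layout (the field names match the real feed; the sample records, their dates and the scanner findings are constructed), computes the BOD 22-01 default due date so that entries where CISA set a tighter deadline stand out, and orders KEV-listed findings for remediation. Function and variable names are the example's own choices.

```python
"""Triage the CISA KEV JSON feed against scanner findings (added example, not from the article)."""
import calendar
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample in the shape of the real KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names match the feed (shortDescription, requiredAction and notes omitted). The CVE IDs
# appear in the article, but every date and flag here is illustrative, not from the live catalog.
SAMPLE_FEED = json.dumps({
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2025-10035", "vendorProject": "Fortra", "product": "GoAnywhere MFT",
         "vulnerabilityName": "Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability",
         "dateAdded": "2025-11-20", "dueDate": "2025-12-04",
         "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-502"]},
        {"cveID": "CVE-2025-5777", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
         "vulnerabilityName": "Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability",
         "dateAdded": "2025-12-01", "dueDate": "2025-12-12",
         "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-125"]},
        {"cveID": "CVE-2025-20352", "vendorProject": "Cisco", "product": "IOS and IOS XE",
         "vulnerabilityName": "Cisco IOS and IOS XE SNMP Stack-Based Buffer Overflow Vulnerability",
         "dateAdded": "2025-11-28", "dueDate": "2025-12-12",
         "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-121"]},
        {"cveID": "CVE-2019-6693", "vendorProject": "Fortinet", "product": "FortiOS",
         "vulnerabilityName": "Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability",
         "dateAdded": "2025-12-01", "dueDate": "2026-06-01",
         "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-798"]},
    ],
})
# Constructed: CVE IDs a scanner reported in our estate; the last one is not in KEV.
DEMO_FINDINGS = {"CVE-2025-10035", "CVE-2025-5777", "CVE-2025-20352", "CVE-2023-99999"}
AS_OF = date(2025, 12, 10)  # "today" for the demo


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    name: str
    date_added: date
    due_date: date
    ransomware: bool
    cwes: tuple


def load_kev(feed_json: str) -> list:
    """Parse the KEV feed into typed records; the ransomware field is the string "Known"/"Unknown"."""
    out = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        out.append(KevEntry(
            cve_id=v["cveID"], vendor=v["vendorProject"], product=v["product"],
            name=v["vulnerabilityName"], date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware=v.get("knownRansomwareCampaignUse") == "Known", cwes=tuple(v.get("cwes", [])),
        ))
    return out


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to the last day of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def default_due_date(cve_id: str, date_added: date) -> date:
    """BOD 22-01 default: two weeks for CVE IDs assigned in 2021 or later, six months for
    older IDs. The feed's own dueDate governs and is sometimes shorter than this."""
    if int(cve_id.split("-")[1]) >= 2021:
        return date_added + timedelta(days=14)
    return add_months(date_added, 6)


def triage(entries: list, findings: set, as_of: date) -> list:
    """Intersect KEV with scanner findings and order the work: overdue first, then
    ransomware-flagged, then by nearest due date."""
    rows = []
    for e in entries:
        if e.cve_id not in findings:
            continue
        days_left = (e.due_date - as_of).days
        rows.append({
            "cve": e.cve_id, "product": f"{e.vendor} {e.product}", "due": e.due_date.isoformat(),
            "days_left": days_left, "overdue": days_left < 0, "ransomware": e.ransomware,
            # CISA set a tighter deadline than the BOD default: treat it as an emergency change.
            "deadline_shortened": e.due_date < default_due_date(e.cve_id, e.date_added),
        })
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["due"]))
    return rows


def not_in_kev(entries: list, findings: set) -> set:
    """Findings that stay in the ordinary CVSS/EPSS-driven queue."""
    return findings - {e.cve_id for e in entries}


def demo() -> list:
    """Run the triage over the constructed feed and findings."""
    return triage(load_kev(SAMPLE_FEED), DEMO_FINDINGS, AS_OF)
```

The published dueDate is the authoritative one; the default-deadline calculation only encodes the rule and flags entries CISA chose to accelerate. Findings that are not in KEV fall back to whatever CVSS- or EPSS-based queue the organization already runs.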
Ransomware Exploitation: A Critical Threat Vector
One of the most alarming findings from the 2025 KEV catalog data is the significant role these vulnerabilities play in ransomware campaigns. Of the 1,484 entries, 304 (20.5%) are flagged by CISA as known to be used in ransomware campaigns, posing a substantial threat to organizations worldwide.
In 2025 alone, CISA marked 24 newly added vulnerabilities as known to be exploited by ransomware operators, including high-profile flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and multiple Oracle E-Business Suite vulnerabilities targeted by the CL0P ransomware group.
The table below lists a selection of catalog entries flagged as used in ransomware attacks:
| CVE ID | Vendor | Product | Vulnerability Type |
|---|---|---|---|
| CVE-2025-55182 | Meta | React Server Components | Meta React Server Components Remote Code Execution Vulnerability |
| CVE-2025-61884 | Oracle | E-Business Suite | Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability |
| CVE-2025-61882 | Oracle | E-Business Suite | Oracle E-Business Suite Unspecified Vulnerability |
| CVE-2025-10035 | Fortra | GoAnywhere MFT | Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability |
| CVE-2025-49704 | Microsoft | SharePoint | Microsoft SharePoint Code Injection Vulnerability |
| CVE-2025-49706 | Microsoft | SharePoint | Microsoft SharePoint Improper Authentication Vulnerability |
| CVE-2025-53770 | Microsoft | SharePoint | Microsoft SharePoint Deserialization of Untrusted Data Vulnerability |
| CVE-2025-5777 | Citrix | NetScaler ADC and Gateway | Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability |
| CVE-2019-6693 | Fortinet | FortiOS | Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability |
| CVE-2025-31324 | SAP | NetWeaver | SAP NetWeaver Unrestricted File Upload Vulnerability |
Microsoft leads all vendors with 100 ransomware-related vulnerabilities, followed by Fortinet with 13, Ivanti with 12, and Oracle with 11.
This concentration of ransomware-exploited vulnerabilities among major enterprise vendors highlights the critical importance of timely patch management and security updates for organizations using these widely deployed platforms.
Vendor and Product Distribution Analysis
The KEV catalog data reveals significant disparities in vulnerability distribution across vendors, with Microsoft accounting for 350 vulnerabilities, nearly 24% of the entire catalog.
This dominance reflects Microsoft’s extensive market presence across operating systems, productivity software, and enterprise applications. Apple ranks second with 86 vulnerabilities, followed by Cisco with 82, Adobe with 76, and Google with 67.
The vendor distribution underscores the reality that widely deployed enterprise technologies present attractive targets for threat actors. Microsoft Windows alone accounts for 159 product-specific vulnerabilities, while other frequently targeted products include Chromium V8 (37 vulnerabilities), Internet Explorer (34), Flash Player (33), and various Microsoft Office products.
| Vendor | Total Vulnerabilities |
|---|---|
| Microsoft | 350 |
| Apple | 86 |
| Cisco | 82 |
| Adobe | 76 |
| Google | 67 |
| Oracle | 42 |
| Apache | 38 |
| Ivanti | 30 |
| VMware | 26 |
| D-Link | 25 |
Several vendors had fewer vulnerabilities added in 2025 than in 2024: Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware all saw declines in KEV additions. A decline is encouraging, but KEV counts measure observed exploitation rather than the number of flaws shipped, so fewer additions may reflect shifts in attacker targeting or in what gets detected and reported as much as improved vendor security practices.
However, Microsoft’s count increased from 36 vulnerabilities added in 2024 to 39 in 2025, maintaining its position as the vendor requiring the most sustained remediation attention.
Common Weakness Enumeration (CWE) Patterns
Analysis of the vulnerability types represented in the KEV catalog reveals distinct patterns in the categories of flaws most frequently exploited by threat actors. The most prevalent Common Weakness Enumeration (CWE) categories provide insight into the attack vectors favored by malicious actors and the fundamental security challenges facing software development.
CWE-20 (Improper Input Validation) leads all vulnerability types with 113 occurrences, approximately 7.6% of all KEV entries. This category covers flaws where software fails to properly validate, sanitize, or verify user-supplied input, allowing attackers to inject malicious data or commands. Its prevalence underscores persistent challenges in secure coding practices and the importance of robust input validation. Note that CWE-20 is a broad, class-level entry that MITRE discourages mapping to when a more specific weakness applies, so part of its lead reflects coarse CWE assignment rather than a single recurring bug pattern.
CWE-78 (OS Command Injection) ranks second with 97 instances, accounting for 18 of the 245 vulnerabilities added in 2025 alone. This vulnerability type allows attackers to execute arbitrary operating system commands, often leading to complete system compromise. The continued exploitation of command injection flaws highlights the dangers of incorporating unsanitized user input into system-level operations.
| CWE | Count | Description |
|---|---|---|
| CWE-20 | 113 | Improper Input Validation |
| CWE-78 | 97 | OS Command Injection |
| CWE-787 | 96 | Out-of-bounds Write |
| CWE-416 | 86 | Use After Free |
| CWE-119 | 80 | Improper Restriction of Operations within Memory Bounds |
| CWE-22 | 68 | Path Traversal |
| CWE-502 | 58 | Deserialization of Untrusted Data |
| CWE-94 | 53 | Code Injection |
| CWE-843 | 36 | Access of Resource Using Incompatible Type |
| CWE-287 | 31 | Improper Authentication |
Memory corruption vulnerabilities also feature prominently, with CWE-787 (Out-of-bounds Write) appearing 96 times and CWE-416 (Use After Free) occurring 86 times.
These memory safety issues, predominantly found in software written in C and C++, continue to provide exploitation opportunities despite decades of security research and the availability of memory-safe programming languages.
CWE-502 (Deserialization of Untrusted Data) appears 58 times and was responsible for 14 of the 2025 additions, highlighting the risks associated with processing serialized data from untrusted sources.
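To make two of the weakness classes above concrete, here is an added example in Python (not code from the article) showing each as a vulnerable pattern beside a hardened form: for CWE-78, a shell command assembled from a string versus an allow-list check (the CWE-20 fix) plus an argv list; for CWE-502, pickle.loads on untrusted bytes versus an Unpickler that refuses every global lookup. The hostname regex, the payload source string and the helper names are illustrative choices for this example.

```python
"""Two of the KEV catalog's most-exploited weakness classes, each shown as the vulnerable
pattern beside a hardened form (added example, not from the article)."""
import io
import pickle
import re
import shlex

# ---- CWE-78 (OS command injection), with CWE-20 as the usual root cause ----

def build_ping_vulnerable(host: str) -> str:
    """Interpolates untrusted input into one string; passed to subprocess.run(cmd, shell=True),
    the shell parses any metacharacters in it."""
    return f"ping -c 1 {host}"

def shell_would_see(cmd: str) -> list:
    """Approximate /bin/sh tokenization (shlex with punctuation_chars keeps ';', '|', '&'
    as separate tokens) to show where an injected command lands."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))

# Allow-list: hostname characters only, and no leading '-', which ping would otherwise
# parse as an option (argument injection works even without a shell).
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

def build_ping_hardened(host: str) -> list:
    """Validate against the allow-list (the CWE-20 fix) and return an argv list, so no shell
    is involved and the host is exactly one argument. Run with subprocess.run(argv)."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]

# ---- CWE-502 (deserialization of untrusted data) ----

# Constructed attacker payload: Python source that pickle.loads() will hand to builtins.eval.
# A real payload would call os.system or open a reverse shell instead.
PAYLOAD_SRC = "__import__('sys').version_info.major"

def make_malicious_pickle() -> bytes:
    """pickle honours __reduce__, so a pickle can name any importable callable plus its
    arguments; pickle.loads() calls it (here builtins.eval) before returning a value."""
    class Evil:
        def __reduce__(self):
            return (eval, (PAYLOAD_SRC,))
    return pickle.dumps(Evil())

def loads_restricted(data: bytes):
    """Hardened loader: refuse every global lookup, so only plain data types (dict, list,
    str, int, ...) survive. Prefer a data-only format such as JSON where the schema allows."""
    class NoGlobals(pickle.Unpickler):
        def find_class(self, module, name):
            raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")
    return NoGlobals(io.BytesIO(data)).load()

def demo() -> dict:
    """Exercise each pattern on constructed inputs and return the observable outcomes."""
    injected = "8.8.8.8; cat /etc/passwd"
    results = {"shell_tokens": shell_would_see(build_ping_vulnerable(injected))}
    try:
        build_ping_hardened(injected)
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    results["hardened_argv"] = build_ping_hardened("8.8.8.8")

    evil = make_malicious_pickle()
    results["vulnerable_load_result"] = pickle.loads(evil)  # eval ran inside the loader
    try:
        loads_restricted(evil)
        results["restricted_blocked"] = False
    except pickle.UnpicklingError:
        results["restricted_blocked"] = True
    results["restricted_plain_data"] = loads_restricted(pickle.dumps({"job": 7}))
    return results
```

The argv form alone does not finish the job: an input beginning with "-" would still be interpreted by ping as an option, which is why the allow-list rejects it. Likewise the restricted Unpickler is a containment measure for code that must keep accepting pickle; the structural fix is a data-only format validated against a schema.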
KEV Growth
The KEV catalog’s growth trajectory provides valuable insights into the evolving threat landscape and CISA’s expanding intelligence capabilities.
Following the catalog's November 2021 launch with 311 initial vulnerabilities, 2022 saw explosive growth with 555 additions, 78% more than the launch set and enough to nearly triple the catalog to 866 entries. This surge likely reflected both the backlog of known exploited vulnerabilities requiring documentation and CISA's ramping intelligence collection efforts.
Growth subsequently stabilized in 2023 and 2024, with 187 and 186 vulnerabilities added, respectively, corresponding to annual growth rates of roughly 22% and 18%.
However, 2025 saw renewed acceleration, with 245 additions, marking a 20% expansion and signaling increased exploitation activity, enhanced detection and reporting, or both.
| Year | Vulnerabilities Added | Cumulative Total |
|---|---|---|
| 2021 | 311 | 311 |
| 2022 | 555 | 866 |
| 2023 | 187 | 1,053 |
| 2024 | 186 | 1,239 |
| 2025 | 245 | 1,484 |
A notable trend in 2025 was the increased addition of older vulnerabilities to the catalog. CISA added 94 vulnerabilities from 2024 and earlier—a 45% increase from the 2023-2024 average of 65 older vulnerabilities per year.
The oldest vulnerability added in 2025 was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability, while the oldest entry in the entire catalog remains CVE-2002-0367, a privilege escalation flaw in Windows NT and Windows 2000 that continues to be exploited by ransomware groups.
High-Impact Additions and Threat Intelligence
Throughout 2025, CISA added numerous critical vulnerabilities with significant exploitation potential. Recent additions spanning October through December highlight the breadth of affected technologies and the diverse attack vectors employed by threat actors.
In October 2025, CISA confirmed active exploitation of five significant vulnerabilities, including CVE-2025-61884, a Server-Side Request Forgery (SSRF) vulnerability in Oracle E-Business Suite that allows attackers unauthorized access to critical data.
This flaw, with a CVSS score of 7.5, has been particularly concerning as it targets a widely deployed enterprise resource planning system used by numerous Fortune 500 companies.
Also added were CVE-2025-33073, an improper access control vulnerability in Microsoft Windows SMB Client enabling privilege escalation, and CVE-2025-2746 and CVE-2025-2747, authentication bypass issues in Kentico CMS that permit complete administrative takeover.
September 2025 saw the addition of five diverse vulnerabilities spanning database management tools, enterprise file transfer systems, network operating systems, and core Unix utilities.
CVE-2025-10035, affecting Fortra GoAnywhere MFT, represents a deserialization vulnerability in the License Servlet component that ransomware operators have actively exploited.
CVE-2025-20352, a stack-based buffer overflow in the SNMP subsystem of Cisco IOS and IOS XE, and CVE-2025-32463, a flaw in sudo's chroot (-R) option that let an unprivileged local user have sudo load an attacker-controlled shared library as root, demonstrate the continued targeting of fundamental network and operating system components.
December 2025 additions included CVE-2025-55182, a remote code execution vulnerability in Meta’s React Server Components that has been confirmed for use in ransomware campaigns. The rapid exploitation of this relatively new framework component illustrates threat actors’ agility in weaponizing newly disclosed vulnerabilities.
Threat intelligence from darknet forums has at times preceded KEV additions. Researchers monitoring underground cybercrime marketplaces reported discussions of Oracle and SMB payloads labeled as "ClickFix modules" weeks before the corresponding CISA advisories, consistent with criminals testing exploits against unpatched targets before the flaws are publicly flagged. Such chatter is a useful early-warning signal, but it is unverified by nature and should prompt investigation and corroboration rather than drive remediation decisions on its own.
The implications of the expanding KEV catalog extend far beyond federal agencies, though the requirements of BOD 22-01 create specific obligations for government entities.
Federal agencies already operate under BOD 19-02, which requires critical vulnerabilities on internet-accessible systems to be remediated within 15 calendar days of initial detection and high-severity vulnerabilities within 30 days. BOD 22-01 adds KEV-specific deadlines on top of that: flaws with CVE IDs from 2021 onward must be remediated within two weeks of being added to the catalog, while pre-2021 vulnerabilities require remediation within six months, unless CISA specifies a shorter due date for the entry.
CISA’s Known Exploited Vulnerabilities Catalog, now encompassing 1,484 actively exploited flaws, represents a critical resource for organizations seeking to prioritize vulnerability remediation based on real-world threat intelligence rather than theoretical risk assessments.
The 245 vulnerabilities added in 2025 mark a 20% increase and reflect the dynamic nature of cyber threats, with ransomware operators, APT groups, and opportunistic attackers continuing to weaponize known vulnerabilities across diverse technology platforms.
The concentration of ransomware-exploited vulnerabilities among major enterprise vendors, particularly Microsoft’s 100 confirmed ransomware-related flaws, underscores the critical importance of timely patch management for widely deployed enterprise systems.
The prevalence of fundamental vulnerability classes, such as improper input validation, command injection, and memory corruption issues, highlights persistent secure coding challenges that the software industry must address through improved development practices and increased adoption of memory-safe languages.
For federal agencies, compliance with BOD 22-01 requirements remains mandatory, with strict remediation timelines and reporting obligations.
However, the value of the KEV catalog extends far beyond federal compliance, offering all organizations actionable intelligence on the vulnerabilities most likely to be exploited in real-world attacks.
By prioritizing KEV remediation, implementing robust patch management processes, maintaining comprehensive asset inventories, and leveraging threat intelligence for early warning, organizations can significantly reduce their attack surface and improve their resilience against the most pressing cyber threats of 2025 and beyond.