The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 245 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in 2025, as the database grew to 1,484 software and hardware flaws at high risk of cyberattacks. 

The agency removed at least one vulnerability from the catalog in 2025 – CVE-2025-6264, a Velociraptor Incorrect Default Permissions vulnerability that CISA determined had insufficient evidence of exploitation – but the database has generally grown steadily since its launch in November 2021. 

After an initial surge of added vulnerabilities after the database first launched, growth stabilized in 2023 and 2024, with 187 vulnerabilities added in 2023 and 185 in 2024. 

Growth accelerated in 2025, however, as CISA added 245 vulnerabilities to the KEV catalog, an increase of more than 30% above the trend seen in 2023 and 2024. With new vulnerabilities surging in recent weeks, the elevated exploitation trend may well continue into 2026. 

Overall, CISA KEV vulnerabilities grew from 1,239 vulnerabilities at the end of 2024 to 1,484 at the end of 2025, an increase of just under 20%. 

We’ll look at some of the trends and vulnerabilities from 2025 – including 24 vulnerabilities known to be exploited by ransomware groups – along with the vendors and projects that had the most CVEs added to the list this year. 

Older Vulnerabilities Added to CISA KEV Also Grew 

The addition of older vulnerabilities to the CISA KEV catalog also grew in 2025. In 2023 and 2024, 60 to 70 older vulnerabilities were added to the KEV catalog each year. In 2025, the number of vulnerabilities from 2024 and earlier added to the catalog grew to 94, a 34% increase from a year earlier. 

The oldest vulnerability added to the KEV catalog in 2025 was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability. 

The oldest vulnerability in the catalog remains one from 2002 – CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used in ransomware attacks.  

Vulnerabilities Used in Ransomware Attacks 

CISA marked 24 of the vulnerabilities added in 2025 as known to be exploited by ransomware groups. They include some well-known flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities exploited by the CL0P ransomware group. 

The full list of vulnerabilities newly exploited by ransomware groups in 2025 is included below, and should be prioritized by security teams if they’re not yet patched. 

Vulnerabilities Exploited by Ransomware Groups
CVE-2025-5777	Citrix NetScaler ADC and Gateway Out-of-Bounds Read
CVE-2025-31161	CrushFTP Authentication Bypass
CVE-2019-6693	Fortinet FortiOS Use of Hard-Coded Credentials
CVE-2025-24472	Fortinet FortiOS and FortiProxy Authentication Bypass
CVE-2024-55591	Fortinet FortiOS and FortiProxy Authentication Bypass
CVE-2025-10035	Fortra GoAnywhere MFT Deserialization of Untrusted Data
CVE-2025-22457	Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow
CVE-2025-0282	Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow
CVE-2025-55182	Meta React Server Components Remote Code Execution
CVE-2025-49704	Microsoft SharePoint Code Injection
CVE-2025-49706	Microsoft SharePoint Improper Authentication
CVE-2025-53770	Microsoft SharePoint Deserialization of Untrusted Data
CVE-2025-29824	Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free
CVE-2025-26633	Microsoft Windows Management Console (MMC) Improper Neutralization
CVE-2018-8639	Microsoft Windows Win32k Improper Resource Shutdown or Release
CVE-2024-55550	Mitel MiCollab Path Traversal
CVE-2024-41713	Mitel MiCollab Path Traversal
CVE-2025-61884	Oracle E-Business Suite Server-Side Request Forgery (SSRF)
CVE-2025-61882	Oracle E-Business Suite Unspecified
CVE-2023-48365	Qlik Sense HTTP Tunneling
CVE-2025-31324	SAP NetWeaver Unrestricted File Upload
CVE-2024-57727	SimpleHelp Path Traversal
CVE-2024-53704	SonicWall SonicOS SSLVPN Improper Authentication
CVE-2025-23006	SonicWall SMA1000 Appliances Deserialization

Projects and Vendors with the Highest Number of Exploited Vulnerabilities 

Microsoft once again led all vendors and projects in CISA KEV additions, with 39 vulnerabilities added to the database in 2025, up from 36 in 2024. 

Several vendors and projects had fewer vulnerabilities added in 2025 than they did in 2024, suggesting improved security controls. Among the vendors and projects that saw a decline in KEV vulnerabilities in 2025 were Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware. 

11 vendors and projects had five or more KEV vulnerabilities added this year, included below. 

Vendor/project	CISA KEV additions in 2025
Microsoft	39
Apple	9
Cisco	8
Fortinet	8
Google Chromium	7
Ivanti	7
Linux Kernel	7
Citrix	5
D-Link	5
Oracle	5
SonicWall	5

Most Common Software Weaknesses Exploited in 2025 

Eight software and hardware weaknesses (common weakness enumerations, or CWEs) were particularly prominent among the 2025 KEV additions. The list is similar to last year, although CWE-787, CWE-79, and CWE-94 are new to the list this year. 

• CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – was again the most common weakness among vulnerabilities added to the KEV database, accounting for 18 of the 245 vulnerabilities added in 2025. 

• CWE-502 – Deserialization of Untrusted Data – again came in second, occurring in 14 of the vulnerabilities. 

• CWE-22 – Improper Limitation of a Pathname to a Restricted Directory, or ‘Path Traversal’ – moved up to third place with 13 appearances. 

• CWE-416 – Use After Free – slipped a spot to fourth and was behind 11 of the vulnerabilities. 

• CWE-787 – Out-of-bounds Write – was a factor in 10 of the vulnerabilities. 

• CWE-79 – Cross-site Scripting – appeared 7 times. 

• CWE-94 (Code Injection) and CWE-287 (Improper Authentication) occurred 6 times each. 

Conclusion 

CISA’s Known Exploited Vulnerabilities catalog remains a valuable tool for helping IT security teams prioritize patching and vulnerability management efforts. 

The CISA KEV catalog can also alert organizations to third-party risks – although by the time a vulnerability gets added to the database, it’s become an urgent problem requiring immediate attention. Third-party risk management (TPRM) solutions could provide earlier warnings about partner risk through audits and other tools. 

Finally, software and application development teams should monitor CISA KEV additions to gain awareness of common software weaknesses that threat actors routinely target. 

Take control of your vulnerability risk today — book a personalized demo to see how CISA KEV impacts your organization. 

The post CISA Known Exploited Vulnerabilities Surged 20% in 2025  appeared first on Cyble.

Cyble – ​Read More