CISA Known Exploited Vulnerabilities Surged 20% in 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 245 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in 2025, as the database grew to 1,484 software and hardware flaws at high risk of cyberattacks. The agency removed at least one vulnerability from the catalog in 2025 – CVE-2025-6264, a Velociraptor Incorrect Default Permissions vulnerability that CISA determined had insufficient evidence of exploitation – but the database has generally grown steadily since its launch in November 2021. After an initial surge of added vulnerabilities after the database first launched, growth stabilized in 2023 and 2024, with 187 vulnerabilities added in 2023 and 185 in 2024. Growth accelerated in 2025, however, as CISA added 245 vulnerabilities to the KEV catalog, an increase of more than 30% above the trend seen in 2023 and 2024. With new vulnerabilities surging in recent weeks, the elevated exploitation trend may well continue into 2026. Overall, CISA KEV vulnerabilities grew from 1,239 vulnerabilities at the end of 2024 to 1,484 at the end of 2025, an increase of just under 20%. We’ll look at some of the trends and vulnerabilities from 2025 – including 24 vulnerabilities known to be exploited by ransomware groups – along with the vendors and projects that had the most CVEs added to the list this year. Older Vulnerabilities Added to CISA KEV Also Grew The addition of older vulnerabilities to the CISA KEV catalog also grew in 2025. In 2023 and 2024, 60 to 70 older vulnerabilities were added to the KEV catalog each year. In 2025, the number of vulnerabilities from 2024 and earlier added to the catalog grew to 94, a 34% increase from a year earlier. The oldest vulnerability added to the KEV catalog in 2025 was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability. The oldest vulnerability in the catalog remains one from 2002 – CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used in ransomware attacks. Vulnerabilities Used in Ransomware Attacks CISA marked 24 of the vulnerabilities added in 2025 as known to be exploited by ransomware groups. They include some well-known flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities exploited by the CL0P ransomware group. The full list of vulnerabilities newly exploited by ransomware groups in 2025 is included below, and should be prioritized by security teams if they’re not yet patched. Vulnerabilities Exploited by Ransomware Groups CVE-2025-5777 Citrix NetScaler ADC and Gateway Out-of-Bounds Read CVE-2025-31161 CrushFTP Authentication Bypass CVE-2019-6693 Fortinet FortiOS Use of Hard-Coded Credentials CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass CVE-2024-55591 Fortinet FortiOS and FortiProxy Authentication Bypass CVE-2025-10035 Fortra GoAnywhere MFT Deserialization of Untrusted Data CVE-2025-22457 Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow CVE-2025-0282 Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow CVE-2025-55182 Meta React Server Components Remote Code Execution CVE-2025-49704 Microsoft SharePoint Code Injection CVE-2025-49706 Microsoft SharePoint Improper Authentication CVE-2025-53770 Microsoft SharePoint Deserialization of Untrusted Data CVE-2025-29824 Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free CVE-2025-26633 Microsoft Windows Management Console (MMC) Improper Neutralization CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release CVE-2024-55550 Mitel MiCollab Path Traversal CVE-2024-41713 Mitel MiCollab Path Traversal CVE-2025-61884 Oracle E-Business Suite Server-Side Request Forgery (SSRF) CVE-2025-61882 Oracle E-Business Suite Unspecified CVE-2023-48365 Qlik Sense HTTP Tunneling CVE-2025-31324 SAP NetWeaver Unrestricted File Upload CVE-2024-57727 SimpleHelp Path Traversal CVE-2024-53704 SonicWall SonicOS SSLVPN Improper Authentication CVE-2025-23006 SonicWall SMA1000 Appliances Deserialization Projects and Vendors with the Highest Number of Exploited Vulnerabilities Microsoft once again led all vendors and projects in CISA KEV additions, with 39 vulnerabilities added to the database in 2025, up from 36 in 2024. Several vendors and projects had fewer vulnerabilities added in 2025 than they did in 2024, suggesting improved security controls. Among the vendors and projects that saw a decline in KEV vulnerabilities in 2025 were Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware. 11 vendors and projects had five or more KEV vulnerabilities added this year, included below. Vendor/project CISA KEV additions in 2025 Microsoft 39 Apple 9 Cisco 8 Fortinet 8 Google Chromium 7 Ivanti 7 Linux Kernel 7 Citrix 5 D-Link 5 Oracle 5 SonicWall 5 Most Common Software Weaknesses Exploited in 2025 Eight software and hardware weaknesses (common weakness enumerations, or CWEs) were particularly prominent among the 2025 KEV additions. The list is similar to last year, although CWE-787, CWE-79, and CWE-94 are new to the list this year. CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – was again the most common weakness among vulnerabilities added to the KEV database, accounting for 18 of the 245 vulnerabilities added in 2025. CWE-502 – Deserialization of Untrusted Data – again came in second, occurring in 14 of the vulnerabilities. CWE-22 – Improper Limitation of a Pathname to a Restricted Directory, or ‘Path Traversal’ – moved up to third place with 13 appearances. CWE-416 – Use After Free – slipped a spot to fourth and was behind 11 of the vulnerabilities. CWE-787 – Out-of-bounds Write – was a factor in 10 of the vulnerabilities. CWE-79 – Cross-site Scripting – appeared 7 times. CWE-94 (Code Injection) and CWE-287 (Improper Authentication) occurred 6 times each. Conclusion CISA’s Known Exploited Vulnerabilities catalog remains a valuable tool for helping IT security teams prioritize patching and vulnerability management efforts. The CISA KEV catalog can also alert organizations to third-party risks – although by the time a vulnerability gets added to the database, it’s become an urgent problem requiring immediate attention. Third-party risk management (TPRM) solutions could provide earlier warnings about partner risk through audits and other tools. Finally, software and application development teams should monitor CISA KEV additions to gain awareness of common software weaknesses that threat actors routinely target. Take control of your vulnerability risk today — book a personalized demo to see how CISA KEV impacts your organization. The post CISA Known Exploited Vulnerabilities Surged 20% in 2025 appeared first on Cyble.