CISA KEV Catalog Surges 20% to 1,484 in 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) concluded 2025 with its Known Exploited Vulnerabilities (KEV) Catalog reaching 1,484 entries, reflecting a nearly 20% increase from the 1,239 vulnerabilities listed at the end of 2024. Throughout the year, CISA added a record 245 vulnerabilities—over 30% more than the 185–187 additions seen in 2023 and 2024—driven by heightened evidence of active exploitation across software and hardware ecosystems. This surge, including 24 flaws weaponized in ransomware campaigns, signals an intensifying threat landscape where attackers rapidly capitalize on both new and legacy weaknesses.

Inside the 2025 Surge: 245 New Exploited Vulnerabilities Added to CISA’s KEV Catalog

The KEV Catalog serves as CISA’s authoritative resource for vulnerabilities with confirmed in-the-wild exploitation, prioritizing real-world risks over theoretical CVSS scores. Launched in November 2021, it has grown steadily, but 2025 marked an acceleration with 245 new entries, including a nearly 45% rise in pre-2025 flaws (94 total). The oldest new addition was CVE-2007-0671, a Microsoft Office Excel remote code execution bug, while the catalog’s most ancient entry remains CVE-2002-0367—a Windows privilege escalation flaw still abused today.

Microsoft dominated affected vendors with 39 additions (up from 36 in 2024), followed by Apple, Cisco, Google Chromium, Ivanti, and the Linux kernel. Dominant weakness types included OS command injection (CWE-78, prominent in 18 entries), deserialization of untrusted data (CWE-502), path traversal, use-after-free, and out-of-bounds write.

Key Trends in 2025 KEV Additions

  • Ransomware Exploitation: 24 vulnerabilities linked to campaigns, including “CitrixBleed 2” (CVE-2025-5777) for information disclosure in Citrix NetScaler and Oracle E-Business Suite flaws (CVE-2025-61882, CVE-2025-61884) exploited by Cl0p for data exfiltration.
  • Vendor Breakdown: Microsoft (39), with rising focus on enterprise products like Windows and Office; other notables included Fortinet, Ivanti, SAP, Mitel, and SonicWall.
  • Legacy Risks: Increased targeting of older bugs, emphasizing that unpatched systems remain prime targets years after disclosure.
  • Exploitation Speed: Many 2025 CVEs were added shortly after disclosure, reflecting faster weaponization by threat actors.

Impact and Recommendations

  • Heightened Ransomware Exposure: With 24 KEV entries tied to extortion operations, organizations face elevated risks of data breaches and operational disruptions.
  • Enterprise Vendor Concentration: Heavy Microsoft and multi-vendor hits demand prioritized patching in Windows ecosystems and network appliances.
  • Legacy System Vulnerabilities: Rising exploitation of older flaws highlights the dangers of end-of-life software in critical environments.
  • Global Threat Acceleration: Faster additions signal broader attacker sophistication, from ransomware affiliates to nation-states.

Recommendations for Organizations

  • Integrate KEV Prioritization: Feed the catalog into vulnerability management programs for risk-based patching ahead of standard schedules.
  • Accelerate Remediation: Apply patches for KEV entries within days/weeks, aligning with BOD 22-01 timelines even for non-federal entities.
  • Hunt for Legacy Exposures: Scan environments for pre-2025 vulnerabilities, especially in internet-facing systems.
  • Enhance Detection: Deploy EDR/XDR tools to monitor for exploitation indicators of high-profile KEV flaws like CitrixBleed variants.
  • Build Resilience: Maintain offline backups, segment networks, and conduct ransomware simulations.
  • Collaborate on Intelligence: Share IOCs via ISACs or partners to stay ahead of emerging exploit chains.
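
One way to carry out the first three recommendations, shown as an added example that is not part of the original article: join scanner findings against the KEV feed and order the patch queue by ransomware use, exposure and days past the due date. The field names follow CISA's KEV JSON feed; the CVE IDs come from the article, while the dates, the "Unknown" flag, the asset names and the findings format are constructed for illustration.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. CVE IDs are from the
# article; dateAdded/dueDate and the "Unknown" flag are NOT real catalog values.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2025-5777",  "dateAdded": "2025-06-01", "dueDate": "2025-06-22",
   "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2025-61882", "dateAdded": "2025-09-01", "dueDate": "2025-09-22",
   "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2007-0671",  "dateAdded": "2025-03-01", "dueDate": "2025-03-22",
   "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed scanner output: (asset, CVE, internet_facing). Hypothetical format.
FINDINGS = [
    ("fileserver-07", "CVE-2007-0671", False),
    ("erp-app-02", "CVE-2025-61882", False),
    ("build-03", "CVE-0000-0000", True),   # placeholder ID, not in the feed
    ("vpn-gw-01", "CVE-2025-5777", True),
]

def prioritize(feed, findings, today):
    """Return KEV-listed findings, most urgent first."""
    kev = {v["cveID"]: v for v in feed["vulnerabilities"]}
    queue = []
    for asset, cve, internet_facing in findings:
        entry = kev.get(cve)
        if entry is None:
            continue  # not in KEV: stays on the normal patch schedule
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        queue.append({
            "asset": asset,
            "cve": cve,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "internet_facing": internet_facing,
            # "Legacy" as the article uses it: CVE year earlier than the year of listing
            "legacy": int(cve.split("-")[1]) < added.year,
            "days_overdue": (today - due).days,  # negative means still inside the window
        })
    # Ransomware-linked first, then internet-facing, then longest overdue
    queue.sort(key=lambda r: (not r["ransomware"], not r["internet_facing"], -r["days_overdue"]))
    return queue

if __name__ == "__main__":
    for row in prioritize(KEV_FEED, FINDINGS, date(2025, 12, 31)):
        print(row)
```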

As exploitation trends accelerate into 2026, treating the KEV Catalog as a core defense benchmark is no longer optional—it’s essential for staying ahead of real-world adversaries.

“For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.” Cybersecurity and Infrastructure Security Agency (CISA)

Source and full details

Read the full CISA Known Exploited Vulnerabilities Catalog here:

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

© 2026 ByteVanguard • Independent Cyber Threat Intelligence