In 2025, the cybersecurity landscape witnessed a noticeable acceleration in the number of exploited software and hardware vulnerabilities, with the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog reflecting a significant growth trend. According to a recent analysis by Cyble, the KEV catalog expanded from 1,239 entries at the end of 2024 to 1,484 by the end of 2025, marking nearly a 20% increase year-over-year.
What Is the CISA KEV Catalog?
The KEV Catalog is an authoritative list maintained by CISA that identifies vulnerabilities with confirmed evidence of exploitation in the wild — meaning attackers are actively using these bugs to breach systems. This list helps organizations prioritize patching and mitigation efforts based on real threat activity rather than theoretical risks or severity scores alone.
2025 Growth: Trends and Drivers
2025’s rise in KEV entries wasn’t just incremental — it represented an accelerated pace of exploitation, driven by a mix of newly discovered flaws and older bugs resurfacing with renewed attacker interest.
1. Large Volume of Additions Throughout the Year
CISA consistently updated the KEV list with new exploited vulnerabilities throughout 2025, including:
- 245 new vulnerabilities added over the year, making up the bulk of the year’s growth.
- Frequent smaller updates, such as additions of one, five, or seven exploited vulnerabilities at a time, reflecting ongoing active exploitation globally.
2. Older Vulnerabilities Still a Threat
Adding to the catalog’s expansion were older vulnerabilities — some dating back years — that attackers continued to use successfully:
- The number of pre-2024 vulnerabilities added increased in 2025, underscoring persistent risks from historically known bugs that were never fully remediated.
3. Exploits Used by Ransomware Groups
A notable trend in 2025 was the identification of 24 vulnerabilities exploited by ransomware gangs, including notorious bugs like CitrixBleed and others leveraged in high-impact attacks.
| CVE | Vulnerabilities Exploited by Ransomware Groups |
| --- | --- |
| CVE-2025-5777 | Citrix NetScaler ADC and Gateway Out-of-Bounds Read |
| CVE-2025-31161 | CrushFTP Authentication Bypass |
| CVE-2019-6693 | Fortinet FortiOS Use of Hard-Coded Credentials |
| CVE-2025-24472 | Fortinet FortiOS and FortiProxy Authentication Bypass |
| CVE-2024-55591 | Fortinet FortiOS and FortiProxy Authentication Bypass |
| CVE-2025-10035 | Fortra GoAnywhere MFT Deserialization of Untrusted Data |
| CVE-2025-22457 | Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow |
| CVE-2025-0282 | Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow |
| CVE-2025-55182 | Meta React Server Components Remote Code Execution |
| CVE-2025-49704 | Microsoft SharePoint Code Injection |
| CVE-2025-49706 | Microsoft SharePoint Improper Authentication |
| CVE-2025-53770 | Microsoft SharePoint Deserialization of Untrusted Data |
| CVE-2025-29824 | Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free |
| CVE-2025-26633 | Microsoft Windows Management Console (MMC) Improper Neutralization |
| CVE-2018-8639 | Microsoft Windows Win32k Improper Resource Shutdown or Release |
| CVE-2024-55550 | Mitel MiCollab Path Traversal |
| CVE-2024-41713 | Mitel MiCollab Path Traversal |
| CVE-2025-61884 | Oracle E-Business Suite Server-Side Request Forgery (SSRF) |
| CVE-2025-61882 | Oracle E-Business Suite Unspecified |
| CVE-2023-48365 | Qlik Sense HTTP Tunneling |
| CVE-2025-31324 | SAP NetWeaver Unrestricted File Upload |
| CVE-2024-57727 | SimpleHelp Path Traversal |
| CVE-2024-53704 | SonicWall SonicOS SSLVPN Improper Authentication |
| CVE-2025-23006 | SonicWall SMA1000 Appliances Deserialization |
Examples of Newly Exploited Vulnerabilities in 2025
Across 2025, multiple significant security flaws were flagged and added to the KEV list, highlighting a broad range of targets:
- Critical Linux/Unix flaw in Sudo, enabling local root exploitation.
- React Server Components (RSC) vulnerability, with unsafe deserialization leading to remote code execution.
- Adobe AEM flaw observed under active attack before catalog addition.
- Meteobridge IoT security issue widely exploited.
These examples illustrate that exploitation activity spans both core software infrastructure and specialized device and application environments.
Eleven vendors and projects had five or more KEV vulnerabilities added this year; they are listed below.
| Vendor/project | CISA KEV additions in 2025 |
| --- | --- |
| Microsoft | 39 |
| Apple | 9 |
| Cisco | 8 |
| Fortinet | 8 |
| Google Chromium | 7 |
| Ivanti | 7 |
| Linux Kernel | 7 |
| Citrix | 5 |
| D-Link | 5 |
| Oracle | 5 |
| SonicWall | 5 |
Why This Matters for Organizations
The growing KEV catalog has real implications:
- Prioritization of patching becomes essential, especially for those vulnerabilities actively weaponized in the wild.
- Legacy systems remain targets — older vulnerabilities often continue to be exploited long after initial disclosure, especially in unpatched environments.
- Ransomware threat landscape intensifies when exploited flaws are linked to extortion and data theft campaigns.
Cybersecurity professionals now rely on KEV as a critical input — but not the sole indicator — in broader vulnerability management and risk prioritization strategies.
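One way to act on the prioritization points above, as an added example that is not from the article or from CISA: match scanner findings against KEV entries and rank the matches by ransomware use, exposure and overdue remediation date. Field names follow CISA's KEV JSON feed; the sample dates, the findings, the `CVE-9999-*` placeholder IDs and the ranking order are assumptions.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. The first two CVE IDs are
# from the article's table; all dates and the CVE-9999-* IDs are placeholders.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2025-5777", "vendorProject": "Citrix", "dateAdded": "2025-07-01",
   "dueDate": "2025-07-08", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2019-6693", "vendorProject": "Fortinet", "dateAdded": "2025-06-01",
   "dueDate": "2025-06-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-9999-00002", "vendorProject": "ExampleVendor", "dateAdded": "2025-09-01",
   "dueDate": "2025-09-22", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed scanner findings: (asset, CVE ID, internet-facing?)
FINDINGS = [
    ("intranet-wiki", "CVE-9999-00002", False),
    ("vpn-gw-01", "CVE-2025-5777", True),
    ("build-agent", "CVE-9999-00001", False),  # not in the KEV sample
    ("branch-fw-07", "CVE-2019-6693", True),
    ("lab-fw-02", "CVE-2019-6693", False),
]
TODAY = date(2025, 10, 1)  # fixed "today" so the example is reproducible

def load_kev(raw):
    """Index KEV entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def triage(findings, kev, today):
    """Return (KEV-matched findings, most urgent first; findings not in KEV)."""
    matched, rest = [], []
    for asset, cve, exposed in findings:
        entry = kev.get(cve)
        if entry is None:
            rest.append((asset, cve))  # stays in the normal severity-based queue
            continue
        due = date.fromisoformat(entry["dueDate"])
        matched.append({
            "asset": asset, "cve": cve, "exposed": exposed,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "days_overdue": max((today - due).days, 0),
            "legacy": int(cve.split("-")[1]) < 2024,  # pre-2024 CVE still unpatched
        })
    # Ransomware-linked first, then internet-facing, then longest overdue.
    matched.sort(key=lambda f: (not f["ransomware"], not f["exposed"], -f["days_overdue"]))
    return matched, rest

if __name__ == "__main__":
    urgent, backlog = triage(FINDINGS, load_kev(KEV_JSON), TODAY)
    print(*urgent, "not in KEV: %s" % backlog, sep="\n")
```

Findings that do not match the catalog are returned separately rather than dropped, since KEV is one input to prioritization and not the only one.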
Looking Ahead: 2026 and Beyond
With CISA’s catalog continuing to expand, the trend suggests that attackers are not slowing down. Organizations across public and private sectors must adopt threat-aware patching, real-time monitoring, and contextual risk assessment to keep pace with evolving exploitation patterns. Higher exploitation velocity — including the emergence of ransomware abuse — underscores why prioritizing known exploited vulnerabilities must remain a cornerstone of defensive cybersecurity.
