CISA's KEV Catalog Grows by 1,484 Vulnerabilities in 2025
TL;DR
CISA Expands KEV Catalog to 1,484 Vulnerabilities Amidst Rising Exploitation
The United States Cybersecurity and Infrastructure Security Agency (CISA) has broadened its Known Exploited Vulnerabilities (KEV) Catalog to include 1,484 vulnerabilities as of December 2025. This expansion highlights the federal government's ongoing efforts to address actively exploited security flaws. The catalog, which started with 311 vulnerabilities in November 2021, has grown significantly, reflecting the evolving threat landscape.
In 2025, CISA added 245 new vulnerabilities to the KEV catalog, growing it by roughly 20% and exceeding the additions of both 2023 and 2024. This surge underscores the continuous nature of cyber threats, with threat actors exploiting known vulnerabilities across many platforms. The catalog is the key resource under CISA's Binding Operational Directive (BOD) 22-01, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate listed vulnerabilities within specific timeframes.
Understanding the KEV Catalog Framework
The KEV catalog lists only vulnerabilities with confirmed evidence of active exploitation, a criterion independent of the traditional Common Vulnerability Scoring System (CVSS) severity rating. CISA adds entries based on reliable reports of threat actors exploiting a flaw against public- or private-sector organizations. Each entry records the CVE identifier, vendor and product, vulnerability name, date added, short description, required remediation action, and the due date for federal agencies.
Under BOD 22-01, federal agencies must address vulnerabilities assigned CVE IDs in 2021 or later within two weeks of their addition to the catalog. Older vulnerabilities from before 2021 require remediation within six months. While these directives are mandatory for federal agencies, CISA advises all organizations to use the KEV catalog in their vulnerability management. At Gopher Security, we understand the importance of proactive vulnerability management and offer AI-powered, post-quantum Zero-Trust cybersecurity architecture to help organizations stay ahead of emerging threats.
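As an added example (not code from the article or from CISA), the BOD 22-01 due-date rule just described applied to a constructed sample in the shape of CISA's KEV JSON feed (field names such as cveID, dateAdded and knownRansomwareCampaignUse are assumed to match the public feed), then used to rank the entries that touch an asset inventory, ransomware-exploited flaws first:

```python
import calendar
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed (field names assumed to
# match the public feed). The CVE IDs, vendors and products come from the article;
# the dateAdded values are illustrative, not the catalog's real dates.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-5777", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
     "dateAdded": "2025-07-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2007-0671", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2025-03-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2019-6693", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2025-06-25", "knownRansomwareCampaignUse": "Known"},
]})


def bod_22_01_due_date(cve_id: str, date_added: str) -> str:
    """BOD 22-01 rule: CVE IDs from 2021 onward are due two weeks after the date
    added; older CVE IDs are due six calendar months after it. ISO dates in/out."""
    added = date.fromisoformat(date_added)
    cve_year = int(cve_id.split("-")[1])
    if cve_year >= 2021:
        return (added + timedelta(days=14)).isoformat()
    month = added.month + 6
    year = added.year + (month - 1) // 12
    month = (month - 1) % 12 + 1
    # Clamp the day for shorter target months (e.g. 31 Aug -> 28 Feb).
    day = min(added.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()


def prioritize(feed_json: str, inventory: set, today: str) -> list:
    """Return KEV entries whose product is in our inventory, most urgent first:
    ransomware-used entries before the rest, then by due date; each is flagged
    overdue when its BOD 22-01 due date is before today (ISO strings sort by date)."""
    rows = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        if v["product"] not in inventory:
            continue
        due = bod_22_01_due_date(v["cveID"], v["dateAdded"])
        rows.append({"cve": v["cveID"], "vendor": v["vendorProject"],
                     "product": v["product"], "due": due, "overdue": today > due,
                     "ransomware": v.get("knownRansomwareCampaignUse") == "Known"})
    rows.sort(key=lambda r: (not r["ransomware"], r["due"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(SAMPLE_FEED, {"NetScaler ADC and Gateway", "FortiOS", "Office"}, "2025-08-01"):
        print(r["cve"], r["vendor"], r["product"], "due", r["due"], "OVERDUE" if r["overdue"] else "")
```

Replace SAMPLE_FEED with the downloaded feed and the inventory with product names from your asset register to get a daily overdue list.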
Ransomware Exploitation: A Critical Threat Vector
Data from the 2025 KEV catalog indicates that 304 of 1,484 vulnerabilities (20.5%) have been exploited by ransomware groups. In 2025, CISA identified 24 newly added vulnerabilities exploited by ransomware operators, including CVE-2025-5777 (dubbed “CitrixBleed 2”) and multiple Oracle E-Business Suite vulnerabilities targeted by the CL0P ransomware group.
The following table highlights key vulnerabilities used in ransomware attacks:
| CVE ID | Vendor | Product | Vulnerability Type |
|---|---|---|---|
| CVE-2025-55182 | Meta | React Server Components | Meta React Server Components Remote Code Execution Vulnerability |
| CVE-2025-61884 | Oracle | E-Business Suite | Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability |
| CVE-2025-61882 | Oracle | E-Business Suite | Oracle E-Business Suite Unspecified Vulnerability |
| CVE-2025-10035 | Fortra | GoAnywhere MFT | Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability |
| CVE-2025-49704 | Microsoft | SharePoint | Microsoft SharePoint Code Injection Vulnerability |
| CVE-2025-49706 | Microsoft | SharePoint | Microsoft SharePoint Improper Authentication Vulnerability |
| CVE-2025-53770 | Microsoft | SharePoint | Microsoft SharePoint Deserialization of Untrusted Data Vulnerability |
| CVE-2025-5777 | Citrix | NetScaler ADC & GW | Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability |
| CVE-2019-6693 | Fortinet | FortiOS | Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability |
| CVE-2025-31324 | SAP | NetWeaver | SAP NetWeaver Unrestricted File Upload Vulnerability |
Microsoft leads with 100 ransomware-related vulnerabilities, followed by Fortinet with 13, Ivanti with 12, and Oracle with 11. This concentration highlights the importance of timely patch management for widely deployed platforms. Gopher Security specializes in AI-powered solutions that automate vulnerability detection and patching, ensuring robust protection against ransomware threats.
Vendor and Product Distribution Analysis
The KEV catalog data reveals that Microsoft accounts for 350 vulnerabilities, about 24% of the catalog. Apple ranks second with 86 vulnerabilities, followed by Cisco with 82, Adobe with 76, and Google with 67. The distribution shows that widely deployed enterprise technologies are attractive targets for threat actors. Microsoft Windows alone has 159 product-specific vulnerabilities, while other frequently targeted products include Chromium V8 (37 vulnerabilities), Internet Explorer (34), Flash Player (33), and various Microsoft Office products.
Several vendors improved their security in 2025, with fewer vulnerabilities added compared to 2024. Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware all saw declines in KEV additions, indicating better security controls. Microsoft's count increased from 36 vulnerabilities in 2024 to 39 in 2025, requiring sustained remediation efforts. At Gopher Security, we provide comprehensive vulnerability assessments and continuous monitoring to help organizations manage and mitigate risks across diverse vendor ecosystems.
Common Weakness Enumeration (CWE) Patterns
Analysis of the vulnerability types in the KEV catalog shows clear patterns in the flaws threat actors exploit. CWE-20 (Improper Input Validation) leads with 113 occurrences, 7.6% of all KEV entries; it covers flaws where software fails to validate input properly, letting attackers inject malicious data or commands. CWE-78 (OS Command Injection) ranks second with 97 instances, 18 of them among the 245 vulnerabilities added in 2025 alone; this weakness lets attackers execute arbitrary operating system commands.
| CWE | Count | Description |
|---|---|---|
| CWE-20 | 113 | Improper Input Validation |
| CWE-78 | 97 | OS Command Injection |
| CWE-787 | 96 | Out-of-bounds Write |
| CWE-416 | 86 | Use After Free |
| CWE-119 | 80 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CWE-22 | 68 | Path Traversal |
| CWE-502 | 58 | Deserialization of Untrusted Data |
| CWE-94 | 53 | Code Injection |
| CWE-843 | 36 | Access of Resource Using Incompatible Type ('Type Confusion') |
| CWE-287 | 31 | Improper Authentication |
Memory corruption vulnerabilities are also prominent, with CWE-787 (Out-of-bounds Write) appearing 96 times and CWE-416 (Use After Free) occurring 86 times. CWE-502 (Deserialization of Untrusted Data) appears 58 times and was responsible for 14 of the 2025 additions. Gopher Security employs advanced AI-driven techniques to identify and mitigate these common weaknesses, offering a more secure and resilient cybersecurity posture.
KEV Growth
The KEV catalog's growth provides insights into the evolving threat landscape. After the launch in November 2021 with 311 entries, 2022 brought 555 additions, nearly 78% more than the initial batch. Growth stabilized in 2023 and 2024, with 187 and 186 vulnerabilities added, respectively. In 2025 it accelerated again, with 245 additions.
| Year | Vulnerabilities Added | Cumulative Total |
|---|---|---|
| 2021 | 311 | 311 |
| 2022 | 555 | 866 |
| 2023 | 187 | 1,053 |
| 2024 | 186 | 1,239 |
| 2025 | 245 | 1,484 |
In 2025, CISA added more older vulnerabilities than in previous years: 94 of the additions carried CVE IDs from 2024 or earlier, a 45% increase over the 2023-2024 average. The oldest vulnerability added in 2025 was CVE-2007-0671, a Microsoft Office Excel remote code execution vulnerability. The oldest entry in the catalog remains CVE-2002-0367, a privilege escalation flaw in Windows NT and Windows 2000.
High-Impact Additions and Threat Intelligence
Throughout 2025, CISA added critical vulnerabilities with significant exploitation potential. In October 2025, CISA confirmed active exploitation of five significant vulnerabilities, including CVE-2025-61884, a Server-Side Request Forgery (SSRF) vulnerability in Oracle E-Business Suite. Also added were CVE-2025-33073, an improper access control vulnerability in Microsoft Windows SMB Client, and CVE-2025-2746 and CVE-2025-2747, authentication bypass issues in Kentico CMS.
September 2025 saw the addition of CVE-2025-10035, affecting Fortra GoAnywhere MFT; CVE-2025-20352, a stack-based buffer overflow in the SNMP subsystem of Cisco IOS and IOS XE; and CVE-2025-32463, a Sudo inclusion of functionality from an untrusted control sphere vulnerability. December 2025 additions included CVE-2025-55182, a remote code execution vulnerability in Meta's React Server Components.
Threat intelligence from darknet forums has provided early warning signals for several KEV additions, with discussions of Oracle and SMB payloads labeled as “ClickFix modules” observed weeks before official CISA advisories. Gopher Security leverages real-time threat intelligence to proactively identify and mitigate emerging threats, providing organizations with advanced warning and actionable insights.
Beyond the KEV catalog, federal agencies already face general remediation timelines: critical vulnerabilities within 15 calendar days and high-severity vulnerabilities within 30 days. For KEV-listed vulnerabilities specifically, agencies must remediate flaws with CVE IDs from 2021 onward within two weeks of listing, while pre-2021 vulnerabilities must be remediated within six months. Because the catalog reflects real-world exploitation rather than severity scores alone, it is a critical resource for prioritizing remediation.
Secure your organization with Gopher Security
Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture. Our platform converges networking and security across devices, apps, and environments—from endpoints and private networks to cloud, remote access, and containers—using peer-to-peer encrypted tunnels and quantum-resistant cryptography.
To learn more about how Gopher Security can help protect your organization against known and emerging vulnerabilities, visit our website or contact us for a demo.