
CISA KEV Catalog Expanded 20% in 2025, Topping 1,480 Entries

With 24 new vulnerabilities known to be exploited by ransomware groups, the list now includes 1,484 software and hardware flaws.


The US cybersecurity agency CISA is now aware of 1,484 software and hardware vulnerabilities that have been exploited in the wild.

Throughout 2025, the agency added 245 security defects to its Known Exploited Vulnerabilities (KEV) list, including 24 bugs that have been exploited in ransomware attacks.

CISA’s KEV list has been growing steadily since its public release in November 2021, and 2025 brought its largest year-over-year growth in three years, at 20%.

“After an initial surge of added vulnerabilities after the database first launched, growth stabilized in 2023 and 2024, with 187 vulnerabilities added in 2023 and 185 in 2024,” cybersecurity firm Cyble explains.

Most of the weaknesses added to the KEV catalog in 2025 were new vulnerabilities, but CISA did not ignore older bugs either. Last year, 94 flaws disclosed in 2024 and prior were added to the list.

The oldest vulnerability added to the CISA KEV in 2025 was CVE-2007-0671, a remote code execution (RCE) issue in Microsoft Office.


As Cyble notes, “the oldest vulnerability in the catalog remains one from 2002 – CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used in ransomware attacks.”

Of the 24 security defects exploited by ransomware groups, the widely exploited CitrixBleed 2 (CVE-2025-5777) and Oracle E-Business Suite (CVE-2025-61882 and CVE-2025-61884) flaws stand out, mainly due to their broad impact.

New vulnerabilities in Fortinet, Ivanti, Microsoft, Mitel, SAP, and SonicWall products have been targeted in ransomware attacks as well.

Cyble’s analysis of the 2025 additions to the CISA KEV list shows that OS command injection, deserialization of untrusted data, path traversal, use-after-free, out-of-bounds write, XSS, code injection, and improper authentication were the most prominent types of bugs.

Federal agencies, organizations of all sizes, and software developers should monitor the KEV list to better protect their environments and increase awareness of the most common weaknesses that threat actors are targeting in attacks.
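Monitoring the catalog in practice means parsing CISA's machine-readable feed rather than reading the web page. The following is an added example, not code from the article or from CISA or Cyble: it loads a feed in the shape of the public KEV JSON (the field names `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse` and `cwes` are assumed from the published feed format, which the article does not describe) and answers the kinds of questions the article reports on: which entries were added in a given year, which of those are flagged for ransomware use, which are old CVEs only now catalogued, which match an asset inventory, and which are past their remediation due date. The embedded feed is constructed for the example; the CVE identifiers and vendors come from the article, but the dates, due dates, product strings and CWE tags are placeholders, not values from the real catalog.

```python
"""Triage helpers for a CISA KEV-format JSON feed (added example, not CISA's code)."""
import json
from collections import Counter
from datetime import date

# Constructed sample in the shape of the KEV feed. CVE IDs and vendors are taken from
# the article; dateAdded, dueDate, product names and CWE tags are placeholders.
SAMPLE_FEED = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "example",
  "count": 4,
  "vulnerabilities": [
    {"cveID": "CVE-2025-5777", "vendorProject": "Citrix", "product": "NetScaler (constructed)",
     "vulnerabilityName": "CitrixBleed 2", "dateAdded": "2025-07-10", "dueDate": "2025-07-11",
     "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-EXAMPLE-A"]},
    {"cveID": "CVE-2007-0671", "vendorProject": "Microsoft", "product": "Office",
     "vulnerabilityName": "Office RCE", "dateAdded": "2025-02-06", "dueDate": "2025-02-27",
     "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-EXAMPLE-B"]},
    {"cveID": "CVE-2002-0367", "vendorProject": "Microsoft", "product": "Windows NT and 2000",
     "vulnerabilityName": "smss.exe privilege escalation", "dateAdded": "2021-11-03",
     "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-EXAMPLE-C"]},
    {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite",
     "vulnerabilityName": "EBS RCE", "dateAdded": "2025-10-06", "dueDate": "2025-10-27",
     "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-EXAMPLE-A"]}
  ]
}"""


def load_kev(feed_text: str) -> list[dict]:
    """Parse a KEV-format document and return its vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def cve_year(cve_id: str) -> int:
    """Year component of a CVE identifier, e.g. CVE-2007-0671 -> 2007."""
    return int(cve_id.split("-")[1])


def added_in_year(entries: list[dict], year: int) -> list[dict]:
    """Entries CISA added to the catalog during the given calendar year."""
    return [e for e in entries if e["dateAdded"].startswith(f"{year}-")]


def ransomware_flagged(entries: list[dict]) -> list[dict]:
    """Entries CISA marks as used in known ransomware campaigns."""
    return [e for e in entries if e.get("knownRansomwareCampaignUse") == "Known"]


def backlog_added(entries: list[dict], year: int) -> list[dict]:
    """Entries added in `year` whose CVE was assigned in an earlier year (old bugs
    only now catalogued); the article counts 94 such additions in 2025."""
    return [e for e in added_in_year(entries, year) if cve_year(e["cveID"]) < year]


def oldest_entry(entries: list[dict]) -> dict:
    """Entry with the earliest CVE year (ties broken by identifier)."""
    return min(entries, key=lambda e: (cve_year(e["cveID"]), e["cveID"]))


def match_inventory(entries: list[dict], inventory: set[tuple[str, str]]) -> list[dict]:
    """Entries whose (vendorProject, product) pair is in a case-insensitive asset inventory."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    return [e for e in entries if (e["vendorProject"].lower(), e["product"].lower()) in wanted]


def overdue(entries: list[dict], today: date) -> list[dict]:
    """Entries whose CISA remediation due date has already passed as of `today`."""
    return [e for e in entries if date.fromisoformat(e["dueDate"]) < today]


def cwe_histogram(entries: list[dict]) -> Counter:
    """Count CWE tags across entries, the view Cyble used to rank weakness types."""
    counts: Counter = Counter()
    for e in entries:
        counts.update(e.get("cwes", []))
    return counts


if __name__ == "__main__":
    kev = load_kev(SAMPLE_FEED)
    this_year = added_in_year(kev, 2025)
    print("added in 2025:", [e["cveID"] for e in this_year])
    print("ransomware-flagged:", [e["cveID"] for e in ransomware_flagged(this_year)])
    print("backlog (pre-2025 CVEs):", [e["cveID"] for e in backlog_added(kev, 2025)])
    print("oldest overall:", oldest_entry(kev)["cveID"])
    print("matches inventory:", [e["cveID"] for e in match_inventory(kev, {("oracle", "e-business suite")})])
    print("overdue on 2025-12-31:", [e["cveID"] for e in overdue(kev, date(2025, 12, 31))])
    print("CWE counts:", cwe_histogram(this_year).most_common())
```

To run this against the live catalog, replace `SAMPLE_FEED` with the contents of CISA's published feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the functions only depend on the field names listed above. The inventory match is deliberately exact on vendor and product strings, so a real deployment should normalise product names on the asset side first, since the catalog's product field is free text.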

Related: CISA Warns of Exploited Flaw in Asus Update Tool

Related: CISA Warns of ScadaBR Vulnerability After Hacktivist ICS Attack

Related: CISA Confirms Exploitation of Recent Oracle Identity Manager Vulnerability

Related: CISA Updates Guidance on Patching Cisco Devices Targeted in China-Linked Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
