
CISA KEV Catalog Expands: Sharp Increase in Actively Exploited Vulnerabilities in 2025
In recent years, cybersecurity has become one of the most pressing global challenges. Vulnerabilities that are actively exploited in real-world attacks pose the greatest risk to organizations. In this context, the Known Exploited Vulnerabilities (KEV) Catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) plays a critically important role.
As of December 2025, the number of vulnerabilities listed in the CISA KEV Catalog reached 1,484. This figure is not only a significant statistical milestone, but also a clear indicator of the growing level of real-world cyber threats.
KEV Catalog: Background and Significance
The KEV Catalog was first launched in November 2021 with 311 vulnerabilities. Its key distinction lies in its focus on vulnerabilities that are actively exploited in the wild, rather than relying solely on traditional CVSS severity scores. Only vulnerabilities that have been proven to be used by attackers in real attacks are included.
Over the past four years, the catalog has expanded rapidly:
| Year | Vulnerabilities Added | Total Count |
|---|---|---|
| 2021 | 311 | 311 |
| 2022 | 555 | 866 |
| 2023 | 187 | 1,053 |
| 2024 | 186 | 1,239 |
| 2025 | 245 | 1,484 |
The addition of 245 new vulnerabilities in 2025 is particularly noteworthy, representing a 20–30% increase compared to the average growth in 2023–2024. This trend indicates either increased attacker activity or significantly improved vulnerability discovery and threat intelligence capabilities.
KEV and BOD 22-01: Mandatory Requirements
The KEV Catalog is maintained under CISA’s Binding Operational Directive (BOD) 22-01, which is mandatory for U.S. Federal Civilian Executive Branch (FCEB) agencies. The directive requires:
- CVE vulnerabilities disclosed after 2021 must be remediated within two weeks;
- Vulnerabilities disclosed before 2021 must be fixed within six months.
Although these requirements are mandatory only for federal agencies, CISA strongly recommends that private-sector organizations also adopt the KEV Catalog as a primary source for vulnerability prioritization.
Ransomware and KEV: A Dangerous Combination
Analysis from 2025 revealed one of the most alarming findings:
304 out of 1,484 vulnerabilities (20.5%) in the KEV Catalog have been directly linked to ransomware attacks.
In 2025 alone, 24 new vulnerabilities were confirmed to be exploited by ransomware operators, including:
- CVE-2025-5777 (CitrixBleed 2) — a memory disclosure vulnerability in Citrix NetScaler;
- Multiple SSRF and zero-day vulnerabilities affecting Oracle E-Business Suite;
- Security flaws in widely used enterprise platforms such as Fortra GoAnywhere MFT, Microsoft SharePoint, and SAP NetWeaver.
Most notably, Microsoft leads with 100 ransomware-related vulnerabilities, followed by Fortinet, Ivanti, and Oracle. This underscores the fact that widely deployed platforms remain prime targets for attackers.
Vendor-Based Risk Landscape
Vulnerabilities in the KEV Catalog are unevenly distributed across vendors:
| Vendor | Number of Vulnerabilities |
|---|---|
| Microsoft | 350 |
| Apple | 86 |
| Cisco | 82 |
| Adobe | 76 |
| | 67 |
| Oracle | 42 |
| Apache | 38 |
| Ivanti | 30 |
| VMware | 26 |
| D-Link | 25 |
Microsoft accounts for nearly 24% of all listed vulnerabilities, largely due to its extensive product ecosystem and market dominance. At the same time, a decline in vulnerabilities among vendors such as Adobe, Apache, VMware, and Palo Alto Networks in 2025 suggests improvements in secure software development practices.
Most Frequently Exploited Vulnerability Types (CWE)
The KEV Catalog also highlights the underlying nature of these vulnerabilities. The most common CWE categories include:
- CWE-20 — Improper Input Validation (113 cases);
- CWE-78 — OS Command Injection (97 cases);
- CWE-787 — Out-of-Bounds Write (96 cases);
- CWE-416 — Use-After-Free (86 cases);
- CWE-502 — Deserialization of Untrusted Data (58 cases).
These statistics indicate that many security issues still originate during the software development phase. Memory-related vulnerabilities remain especially prevalent in systems written in C and C++.
Conclusion and Recommendations
The rapid expansion of the KEV Catalog in 2025 highlights a critical reality of modern cybersecurity:
attackers prioritize vulnerabilities that work in practice, not those that exist only in theory.
Today, the KEV Catalog is one of the most reliable sources for identifying real-world threats—not only for U.S. federal agencies, but for organizations of all sizes and sectors.
🛡 Practical Recommendations:
- Implement a prioritized patch management process based on the KEV Catalog;
- Maintain an accurate and up-to-date asset inventory;
- Monitor dark web and threat intelligence sources;
- Strengthen backup strategies and network segmentation to mitigate ransomware risks.
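One way to act on the first two recommendations, shown as an added example that is not from the original article or from CISA: join KEV entries against an asset inventory and rank open findings by ransomware linkage and remediation due date. The field names follow CISA's KEV JSON feed; the CVE IDs, vendors, hosts and dates are constructed placeholders, and matching on vendor/product names is a simplifying assumption.

```python
import json
from datetime import date

# Constructed excerpt using the KEV JSON feed's field names; CVE IDs, vendors
# and dates are placeholders, not real catalog entries.
KEV_FEED = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "product": "Gateway",
  "dueDate": "2025-11-24", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "VendorB", "product": "FileTransfer",
  "dueDate": "2025-12-10", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "VendorA", "product": "Gateway",
  "dueDate": "2025-12-05", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0004", "vendorProject": "VendorC", "product": "Portal",
  "dueDate": "2025-11-20", "knownRansomwareCampaignUse": "Known"}
]}""")

# Constructed asset inventory (hypothetical hosts); "patched" lists fixed CVEs.
INVENTORY = [
    {"host": "edge-gw-01", "vendor": "VendorA", "product": "Gateway",
     "patched": {"CVE-0000-0003"}},
    {"host": "mft-01", "vendor": "VendorB", "product": "FileTransfer", "patched": set()},
    {"host": "edge-gw-02", "vendor": "vendora", "product": "gateway", "patched": set()},
]

def triage(feed, inventory, today):
    """Open KEV findings per asset: ransomware-linked first, then by days left."""
    by_product = {}
    for vuln in feed["vulnerabilities"]:
        key = (vuln["vendorProject"].lower(), vuln["product"].lower())
        by_product.setdefault(key, []).append(vuln)
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for vuln in by_product.get(key, []):
            if vuln["cveID"] in asset["patched"]:
                continue  # already remediated on this host
            due = date.fromisoformat(vuln["dueDate"])
            findings.append({
                "host": asset["host"], "cve": vuln["cveID"],
                "ransomware": vuln["knownRansomwareCampaignUse"] == "Known",
                "days_left": (due - today).days,  # negative means overdue
            })
    findings.sort(key=lambda f: (not f["ransomware"], f["days_left"]))
    return findings

if __name__ == "__main__":
    for f in triage(KEV_FEED, INVENTORY, date(2025, 12, 1)):
        print(f)
```

In practice the inventory side would come from scanner or CMDB output keyed on CPE or package versions rather than free-text vendor names.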
In today’s threat landscape, the KEV Catalog is not merely a list—it is a strategic roadmap for defending against real-world cyberattacks.



