Exploited Vulnerabilities Surge Again in 2025 After Brief Slowdown

After stabilizing in 2024, the pace of newly exploited vulnerabilities accelerated significantly in 2025, according to Cyble’s analysis of CISA’s Known Exploited Vulnerabilities (KEV) catalog.
In 2023, the KEV catalog grew by about 21%, with 187 vulnerabilities added. Growth slowed slightly in 2024 to roughly 17%, with 185 new entries. However, 2025 saw a sharp rebound: 245 vulnerabilities were added, marking a 20% increase and pushing the total number of high-risk flaws in the catalog to 1,484. The 245 additions are more than 30% higher than the previous two-year trend of 185–187 annual additions. Cyble’s report also examined ransomware-linked vulnerabilities, vendors and projects with the most KEV entries (including several that improved), and the most common software weaknesses (CWEs) exploited in 2025.

Older Vulnerabilities See Uptick
The number of older vulnerabilities added to the KEV catalog also rose in 2025. CISA added 94 vulnerabilities from 2024 or earlier—up nearly 45% from the 2023–2024 average of 65. The oldest vulnerability added last year was CVE-2007-0671, a Microsoft Office Excel remote code execution flaw. The oldest vulnerability in the catalog remains CVE-2002-0367, a Windows NT/2000 privilege escalation bug known to be exploited by ransomware groups. CISA also removed at least one entry in 2025: CVE-2025-6264, a Velociraptor permissions issue, due to insufficient evidence of exploitation.

Ransomware-Linked Vulnerabilities
Of the 245 vulnerabilities added in 2025, 24 were confirmed to be exploited by ransomware groups. These include high-profile flaws such as CVE-2025-5777 (“CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities targeted by the CL0P ransomware gang. Vendors most affected by ransomware-related exploits included Fortinet, Ivanti, Microsoft, Mitel, Oracle, and SonicWall.

Top Vendors and Projects
Microsoft led all vendors in KEV additions for 2025, with 39 vulnerabilities—up from 36 in 2024. Apple, Cisco, Google Chromium, Ivanti, and Linux each had between 7 and 9 vulnerabilities added. Several vendors improved year-over-year, including Adobe, Android, Apache, Palo Alto Networks, and VMware, suggesting stronger security controls.

Most Common Software Weaknesses
Eight CWEs were particularly prevalent among 2025 KEV additions, mirroring trends from 2024:

  • CWE-78 – OS Command Injection (18 vulnerabilities)
  • CWE-502 – Deserialization of Untrusted Data (14)
  • CWE-22 – Path Traversal (13)
  • CWE-416 – Use After Free (11)
  • CWE-787 – Out-of-Bounds Write (10)
  • CWE-79 – Cross-Site Scripting (7)
  • CWE-94 – Code Injection (6)
  • CWE-287 – Improper Authentication (6)
