CISA Known Exploited Vulnerabilities (KEV)
156 vulnerabilities confirmed by CISA to be actively exploited in the wild. These require immediate attention: they are not theoretical risks; attackers are using them right now.
BeyondTrust Remote Support and older Privileged Remote Access versions contain a critical pre-authentication remote code execution vulnerability. Unau...
Added to KEV: Feb 13, 2026

CVE-2024-43468 is a critical SQL injection vulnerability in Microsoft Configuration Manager that allows remote attackers to execute arbitrary code on ...
Added to KEV: Feb 12, 2026

A memory corruption vulnerability in Apple operating systems allows attackers with memory write capability to execute arbitrary code. This affects wat...
Added to KEV: Feb 12, 2026

This vulnerability allows attackers to intercept Notepad++ update traffic and replace legitimate updates with malicious installers. When users update ...
Added to KEV: Feb 12, 2026

SolarWinds Web Help Desk contains a security control bypass vulnerability that allows unauthenticated attackers to access restricted functionality. Th...
Added to KEV: Feb 12, 2026

This vulnerability in the MSHTML Framework allows attackers to bypass security protections remotely, potentially enabling unauthorized access or code ...
Added to KEV: Feb 10, 2026

This vulnerability in Microsoft Office Word allows attackers to bypass local security features by manipulating untrusted inputs. It affects users runn...
Added to KEV: Feb 10, 2026

This vulnerability allows an authorized attacker with valid Remote Desktop credentials to elevate privileges on a Windows system. It affects Windows s...
Added to KEV: Feb 10, 2026

A protection mechanism failure in Windows Shell allows attackers to bypass security features over a network, potentially enabling unauthorized access ...
Added to KEV: Feb 10, 2026

CVE-2025-11953 is a critical OS command injection vulnerability in the React Native Community CLI's Metro Development Server. Unauthenticated attacker...
Added to KEV: Feb 5, 2026

This vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on SmarterMail servers by pointing them to maliciou...
Added to KEV: Feb 5, 2026

FreePBX Endpoint Manager's filestore module contains a post-authentication command injection vulnerability in the SSH test connection function. Authen...
Added to KEV: Feb 3, 2026

SolarWinds Web Help Desk has an unauthenticated remote code execution vulnerability via untrusted data deserialization. Attackers can execute arbitrar...
Added to KEV: Feb 3, 2026

This vulnerability allows unauthorized external users to perform Server Side Request Forgery (SSRF) attacks through GitLab's CI Lint API. Attackers ca...
Added to KEV: Feb 3, 2026

CVE-2026-1281 is a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that allows unauthenticated attackers to execute arb...
Added to KEV: Jan 29, 2026

This authentication bypass vulnerability allows attackers with a FortiCloud account and registered device to log into other organizations' Fortinet de...
Added to KEV: Jan 27, 2026

This vulnerability in Microsoft Office allows an attacker to bypass local security features by manipulating untrusted inputs. It affects users running...
Added to KEV: Jan 26, 2026

This vulnerability in GNU Inetutils telnetd allows remote attackers to bypass authentication by setting the USER environment variable to '-f root'. Th...
Added to KEV: Jan 26, 2026

CVE-2026-23760 is an authentication bypass vulnerability in SmarterMail's password reset API that allows unauthenticated attackers to reset administra...
Added to KEV: Jan 26, 2026

This critical vulnerability allows unauthenticated attackers to upload arbitrary files to any location on vulnerable SmarterMail servers, potentially ...
Added to KEV: Jan 26, 2026

This CVE describes a supply chain compromise where malicious versions of eslint-config-prettier contain embedded malware. Installing affected package ...
Added to KEV: Jan 22, 2026

This CVE describes an authentication bypass vulnerability in the Versa Concerto SD-WAN orchestration platform's Traefik reverse proxy configuration. A...
Added to KEV: Jan 22, 2026

An unauthenticated remote attacker can exploit this Local File Inclusion vulnerability in Zimbra Collaboration's Webmail Classic UI to read arbitrary ...
Added to KEV: Jan 22, 2026

Vite development servers configured to expose content to the network can leak sensitive file contents through specific query parameters (?inline&impor...
Added to KEV: Jan 22, 2026

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary commands on affected Cisco Unified Communications systems by ...
Added to KEV: Jan 21, 2026

This vulnerability in Desktop Windows Manager allows an authorized attacker with local access to disclose sensitive information from the system. It af...
Added to KEV: Jan 13, 2026

CVE-2025-8110 is a path traversal vulnerability in Gogs' PutContents API that allows improper symbolic link handling, enabling authenticated attackers...
Added to KEV: Jan 12, 2026

This vulnerability allows unauthenticated clients to read uninitialized heap memory from MongoDB servers by exploiting mismatched length fields in Zli...
Added to KEV: Dec 29, 2025

This vulnerability allows remote attackers to execute arbitrary commands on Digiever DS-2105 Pro devices through command injection in the time_tzsetup...
Added to KEV: Dec 22, 2025

A critical out-of-bounds write vulnerability in WatchGuard Fireware OS allows remote unauthenticated attackers to execute arbitrary code on affected s...
Added to KEV: Dec 19, 2025

This CVE describes a local privilege escalation vulnerability in SonicWall SMA1000 appliances where insufficient authorization in the management conso...
Added to KEV: Dec 17, 2025

This CVE describes a supply chain compromise where unauthorized modifications were introduced into certain ASUS Live Update client versions. The modif...
Added to KEV: Dec 17, 2025

An unauthenticated remote attacker can execute arbitrary system commands with root privileges on Cisco Secure Email Gateway and Cisco Secure Email and...
Added to KEV: Dec 17, 2025

This vulnerability in Gladinet CentreStack and Triofox involves hardcoded AES encryption keys, allowing attackers to decrypt sensitive data and potent...
Added to KEV: Dec 15, 2025

A use-after-free vulnerability in Apple's WebKit browser engine allows processing malicious web content to execute arbitrary code. This affects multip...
Added to KEV: Dec 15, 2025

This vulnerability allows remote attackers to perform out-of-bounds memory access in ANGLE (Almost Native Graphics Layer Engine) in Google Chrome on m...
Added to KEV: Dec 12, 2025

This vulnerability in WinRAR allows attackers to execute arbitrary code by tricking users into opening malicious archive files containing specially cr...
Added to KEV: Dec 9, 2025

This CVE describes a command injection vulnerability in Array Networks ArrayOS AG VPN appliances. Attackers can execute arbitrary commands on affected...
Added to KEV: Dec 8, 2025

A critical pre-authentication remote code execution vulnerability exists in React Server Components where unsafe deserialization of HTTP payloads allo...
Added to KEV: Dec 5, 2025

This vulnerability in Android's DevicePolicyManagerService allows an attacker to add a Device Owner after device provisioning due to a logic error. Th...
Added to KEV: Dec 2, 2025

This Android vulnerability allows malicious apps to launch activities from the background without proper permissions, enabling local privilege escalat...
Added to KEV: Dec 2, 2025

This critical vulnerability in Oracle Identity Manager allows unauthenticated attackers to remotely compromise the system via HTTP requests, leading t...
Added to KEV: Nov 21, 2025

A type confusion vulnerability in Chrome's V8 JavaScript engine allows attackers to trigger heap corruption by tricking the engine into treating one d...
Added to KEV: Nov 19, 2025

This OS command injection vulnerability in Fortinet FortiWeb web application firewalls allows authenticated attackers to execute arbitrary commands on...
Added to KEV: Nov 18, 2025

A relative path traversal vulnerability in Fortinet FortiWeb web application firewalls allows attackers to execute administrative commands via crafted...
Added to KEV: Nov 14, 2025

An out-of-bounds write vulnerability in WatchGuard Fireware OS allows remote unauthenticated attackers to execute arbitrary code on affected systems. ...
Added to KEV: Nov 12, 2025

This Windows Kernel race condition vulnerability allows authenticated local attackers to escalate privileges by exploiting improper synchronization of...
Added to KEV: Nov 12, 2025

CVE-2025-48703 allows unauthenticated attackers to execute arbitrary commands on CWP (Control Web Panel) servers by injecting shell metacharacters int...
Added to KEV: Nov 4, 2025

An unauthenticated Local File Inclusion vulnerability in Gladinet CentreStack and TrioFox allows attackers to read sensitive system files without cred...
Added to KEV: Nov 4, 2025

This CVE describes a local privilege escalation vulnerability in VMware Aria Operations and VMware Tools. A malicious local user with non-administrati...
Added to KEV: Oct 30, 2025

What is the CISA KEV Catalog?
The CISA Known Exploited Vulnerabilities (KEV) catalog is a curated list maintained by the Cybersecurity and Infrastructure Security Agency (CISA). Every CVE in this catalog has been confirmed to be actively exploited by threat actors in real-world attacks.
Binding Operational Directive 22-01 requires all US federal agencies to remediate KEV vulnerabilities within specified timeframes. While non-federal organizations are not legally bound, CISA strongly recommends all organizations prioritize KEV entries for immediate patching.
Why KEV matters more than CVSS alone: A vulnerability with a "medium" CVSS score that appears in the KEV catalog is objectively more dangerous than a "critical" CVSS vulnerability that has never been exploited. KEV represents real, confirmed threat activity — not theoretical risk assessments.