CISA Known Exploited Vulnerabilities (KEV)
156 vulnerabilities confirmed by CISA to be actively exploited in the wild. These require immediate attention — they are not theoretical risks; attackers are using them right now.
CVE-2025-42999 is a deserialization vulnerability in SAP NetWeaver Visual Composer Metadata Uploader that allows privileged users to upload malicious ...
Added to KEV: May 15, 2025

A type confusion vulnerability in Microsoft Scripting Engine allows remote attackers to execute arbitrary code by sending specially crafted network re...
Added to KEV: May 13, 2025

This vulnerability is a use-after-free flaw in the Windows Common Log File System Driver that allows an authenticated attacker to execute arbitrary co...
Added to KEV: May 13, 2025

This vulnerability allows an authorized attacker with local access to exploit improper input validation in the Windows Common Log File System Driver t...
Added to KEV: May 13, 2025

A null pointer dereference vulnerability in Windows Ancillary Function Driver for WinSock allows authenticated attackers to execute arbitrary code wit...
Added to KEV: May 13, 2025

This CVE describes an out-of-bounds write vulnerability in FreeType versions 2.13.0 and below when parsing TrueType GX and variable font files. The vu...
Added to KEV: May 6, 2025

CVE-2025-3248 is an unauthenticated remote code execution vulnerability in Langflow's /api/v1/validate/code endpoint. Attackers can send crafted HTTP ...
Added to KEV: May 5, 2025

This CVE describes a security regression in Yii 2 framework where improper handling of behavior attachment via __class array keys can lead to remote c...
Added to KEV: May 2, 2025

CVE-2025-31324 is an unauthenticated remote code execution vulnerability in SAP NetWeaver Visual Composer Metadata Uploader that allows attackers to u...
Added to KEV: Apr 29, 2025

CVE-2025-42599 is a critical stack-based buffer overflow vulnerability in Active! mail 6 that allows remote unauthenticated attackers to execute arbit...
Added to KEV: Apr 28, 2025

CVE-2025-3928 is a vulnerability in Commvault Web Server that allows authenticated remote attackers to create and execute webshells, potentially leadi...
Added to KEV: Apr 28, 2025

This vulnerability allows local admin users on Brocade Fabric OS to escalate privileges to root level, enabling arbitrary code execution. It affects F...
Added to KEV: Apr 28, 2025

This vulnerability in Windows NTLM allows an attacker to manipulate file paths or names externally, enabling network spoofing attacks. It affects Wind...
Added to KEV: Apr 17, 2025

This is a critical memory corruption vulnerability in Apple's media processing that allows remote code execution via malicious audio streams. Attacker...
Added to KEV: Apr 17, 2025

This is a local privilege escalation vulnerability in the Windows Common Log File System Driver. An authenticated attacker can exploit a use-after-fre...
Added to KEV: Apr 8, 2025

This vulnerability in Gladinet CentreStack allows remote code execution through deserialization attacks. Threat actors who obtain the hardcoded machin...
Added to KEV: Apr 8, 2025

This critical authentication bypass vulnerability in CrushFTP allows unauthenticated attackers to gain administrative access by exploiting a race cond...
Added to KEV: Apr 7, 2025

A stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways allows remote unauthenticated attackers to execu...
Added to KEV: Apr 4, 2025

This vulnerability in Apache Tomcat allows path traversal attacks via internal dot handling in filenames, potentially leading to remote code execution...
Added to KEV: Apr 1, 2025

This vulnerability in Google Chrome's Mojo IPC system on Windows allows remote attackers to escape the browser sandbox via a malicious file. Users run...
Added to KEV: Mar 27, 2025

CVE-2025-30154 is a supply chain attack where the reviewdog/action-setup GitHub Action was compromised with malicious code that exfiltrates exposed se...
Added to KEV: Mar 24, 2025

CVE-2024-48248 is an absolute path traversal vulnerability in NAKIVO Backup & Replication that allows unauthenticated attackers to read arbitrary file...
Added to KEV: Mar 19, 2025

The Edimax IC-7100 network camera has an OS command injection vulnerability (CWE-78) that allows remote code execution. Attackers can send specially c...
Added to KEV: Mar 19, 2025

CVE-2025-30066 is a supply chain attack where malicious commits were injected into the tj-actions/changed-files GitHub Action, allowing attackers to e...
Added to KEV: Mar 18, 2025

This authentication bypass vulnerability in FortiOS and FortiProxy allows remote unauthenticated attackers to gain super-admin privileges on downstrea...
Added to KEV: Mar 18, 2025

A local privilege escalation vulnerability in Juniper Junos OS kernel allows attackers with shell access to inject arbitrary code and compromise devic...
Added to KEV: Mar 13, 2025

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via an out-of-bounds write issue, potentially enablin...
Added to KEV: Mar 13, 2025

This is a use-after-free vulnerability in the Windows Win32 Kernel Subsystem that allows an authenticated attacker to execute arbitrary code with elev...
Added to KEV: Mar 11, 2025

This vulnerability allows sensitive information to be written to Windows NTFS log files, which could be accessed by an attacker with physical access t...
Added to KEV: Mar 11, 2025

An integer overflow vulnerability in the Windows Fast FAT driver allows local attackers to execute arbitrary code with elevated privileges. This affec...
Added to KEV: Mar 11, 2025

A heap-based buffer overflow vulnerability in Windows NTFS allows local attackers to execute arbitrary code with elevated privileges. This affects Win...
Added to KEV: Mar 11, 2025

CVE-2025-26633 is a security feature bypass vulnerability in Microsoft Management Console (MMC) that allows a local attacker to circumvent security co...
Added to KEV: Mar 11, 2025

This vulnerability in Advantive VeraCore allows authenticated remote users to upload files to unintended folders, potentially exposing sensitive files...
Added to KEV: Mar 10, 2025

CVE-2024-13159 is an absolute path traversal vulnerability in Ivanti Endpoint Manager (EPM) that allows remote unauthenticated attackers to access sen...
Added to KEV: Mar 10, 2025

This vulnerability allows remote unauthenticated attackers to perform absolute path traversal attacks on Ivanti Endpoint Manager (EPM) systems, potent...
Added to KEV: Mar 10, 2025

This CVE describes a TOCTOU vulnerability in VMware ESXi and Workstation that allows local administrative users within a virtual machine to execute ar...
Added to KEV: Mar 4, 2025

This vulnerability allows attackers with administrative privileges on a virtual machine to read memory from the host's vmx process, potentially exposi...
Added to KEV: Mar 4, 2025

An improper access control vulnerability in Microsoft Power Pages allows unauthorized attackers to bypass user registration controls and elevate privi...
Added to KEV: Feb 21, 2025

An authenticated file read vulnerability in Palo Alto Networks PAN-OS software allows authenticated attackers with management web interface access to ...
Added to KEV: Feb 20, 2025

This is a remote code execution vulnerability in Craft CMS versions 4 and 5 that allows attackers to execute arbitrary code on affected systems. The v...
Added to KEV: Feb 20, 2025

An authentication bypass vulnerability in Palo Alto Networks PAN-OS software allows unauthenticated attackers with network access to the management we...
Added to KEV: Feb 18, 2025

This is a post-authentication command injection vulnerability in Zyxel VMG4325-B10A DSL CPE devices that allows authenticated attackers to execute arb...
Added to KEV: Feb 11, 2025

This is a post-authentication command injection vulnerability in Zyxel VMG4325-B10A DSL CPE devices. An authenticated attacker can execute arbitrary o...
Added to KEV: Feb 11, 2025

This Windows Storage Elevation of Privilege vulnerability allows authenticated attackers to gain SYSTEM-level privileges by exploiting improper handli...
Added to KEV: Feb 11, 2025

This vulnerability in Windows Ancillary Function Driver for WinSock allows attackers to gain SYSTEM-level privileges by exploiting a heap-based buffer...
Added to KEV: Feb 11, 2025

This vulnerability allows authenticated users to execute arbitrary code on Trimble Cityworks servers via deserialization attacks. It affects organizat...
Added to KEV: Feb 7, 2025

This vulnerability allows attackers to bypass Windows' Mark-of-the-Web security feature when extracting files with 7-Zip. Attackers can craft maliciou...
Added to KEV: Feb 6, 2025

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows malicious applications to elevate privileges. It af...
Added to KEV: Jan 29, 2025

A critical pre-authentication deserialization vulnerability in SonicWall SMA1000 management consoles allows remote unauthenticated attackers to execut...
Added to KEV: Jan 24, 2025

This is a critical command injection vulnerability in Aviatrix Controller that allows unauthenticated attackers to execute arbitrary operating system ...
Added to KEV: Jan 16, 2025

What is the CISA KEV Catalog?
The CISA Known Exploited Vulnerabilities (KEV) catalog is a curated list maintained by the Cybersecurity and Infrastructure Security Agency (CISA). Every CVE in this catalog has been confirmed to be actively exploited by threat actors in real-world attacks.
Binding Operational Directive 22-01 requires all US federal agencies to remediate KEV vulnerabilities within specified timeframes. While non-federal organizations are not legally bound, CISA strongly recommends all organizations prioritize KEV entries for immediate patching.
Why KEV matters more than CVSS alone: A vulnerability with a "medium" CVSS score that appears in the KEV catalog is objectively more dangerous than a "critical" CVSS vulnerability that has never been exploited. KEV represents real, confirmed threat activity — not theoretical risk assessments.