Known Exploited Vulnerabilities

The Known Exploited Vulnerabilities catalog (KEV) is an authoritative, publicly available list of security vulnerabilities that have been actively exploited in the wild. Maintained by the Cybersecurity and Infrastructure Security Agency (CISA) in partnership with organizations like NIST and MITRE, the KEV catalog is designed to help organizations prioritize remediation efforts by focusing attention on vulnerabilities that present the most immediate and significant risks .

Key characteristics of the KEV catalog:

Includes only vulnerabilities with evidence of active exploitation by malicious actors, based on analysis from security vendors, researchers, government, and open-source reporting .
Each entry has an assigned CVE ID (Common Vulnerabilities and Exposures identifier) and clear, actionable remediation guidance, such as vendor patches or mitigation steps .
The catalog is updated regularly as new exploited vulnerabilities are identified and confirmed .
Federal civilian executive branch (FCEB) agencies are required by law (Binding Operational Directive 22-01) to remediate KEV-listed vulnerabilities within set timeframes, but CISA strongly encourages all organizations—including those in the private sector and state/local governments—to use the catalog to enhance their security posture .

Benefits and usage:

Prioritization: By focusing on vulnerabilities that are already being exploited, organizations can allocate resources more efficiently and reduce the risk of compromise .
Actionable intelligence: The catalog provides detailed information, including affected products, exploitation status (such as use in ransomware campaigns), and links to vendor advisories or patches .
Community defense: By addressing KEV-listed vulnerabilities, organizations contribute to the overall resilience of the cybersecurity ecosystem.

How to access and use:

The KEV catalog is freely available in formats like CSV and JSON for easy integration with vulnerability management tools.
Organizations are encouraged to subscribe to updates and incorporate KEV entries into their vulnerability management and patching workflows .

Synonyms:

KEV

CISA adds Wing FTP Server vulnerability to the Known Exploited Vulnerabilities (KEV) catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a new critical vulnerability, CVE-2025-47812, affecting Wing FTP Server, to its Known Exploited Vulnerabilities (KEV) Catalog. This action follows confirmed reports of active exploitation in the wild, underscoring the urgent need for organizations to address this security risk immediately.
Over 100 organizations have been comprised and thousands of systems remain vulnerable to CitrixBleed2.
CitrixBleed 2 has led to successful cyberattacks on more than 100 organizations, but according to cybersecurity researchers and U.S. federal agencies, thousands of internet-facing NetScaler appliances are still unpatched and exposed to active exploitation.
Israeli developed TeleMessage SGNL messaging app, widely adopted by U.S. government agencies, financial institutions, legal firms, is being exploited by malicious actors.
A critical vulnerability affecting TeleMessage SGNL, a secure enterprise messaging and compliance platform modeled after Signal, is currently being exploited by malicious actors. The flaw—tracked as CVE-2025-48927—allows unauthenticated attackers to access sensitive memory dumps containing highly confidential user data.
Microsoft SharePoint ToolShell attacks linked to Chinese-state hackers.
A major wave of cyberattacks, referred to as “ToolShell,” has recently targeted Microsoft SharePoint servers around the world. These attacks have been attributed to Chinese state-linked hackers and have affected government agencies, critical infrastructure, universities, and multinational corporations. The campaign exploited a chain of zero-day vulnerabilities in on-premises versions of Microsoft SharePoint, allowing for unauthenticated remote code execution and full system compromise.
SparTech Software – Cybersecurity News Bytes (July 22, 2025 1:21 PM)

United States	~59% of ransomware attacks globally Thousands per year
Poland	1,000+ per week
Russia	Highest cybercrime threat level
China	Thousands per year
India	115% surge in attacks Q2 2024
Ukraine	Significant surge since 2022
Brazil	Among top countries for blocked attacks
Mexico	65% of businesses hit in 2024
Germany	High targeted rate (EU)
France	High targeted rate (EU)

AS Name	ASN
Bharat Sanchar Nigam Ltd	9829
No.31,Jin-rong Street	4134
CHINA UNICOM China169 Backbone	4837
DigitalOcean, LLC	14061
HUAWEI INTERNATIONAL PTE. LTD.	136907
Amazon.com, Inc.	14618
Alibaba (US) Technology Co., Ltd.	45102
Google LLC	396982
Amazon.com, Inc.	16509
3xK Tech GmbH	200373

IP Address	Notable Exploits/Context
104.238.159.149	SharePoint zero-day, broad exploitation
107.191.58.76	SharePoint zero-day, government targets
96.9.125.147	SharePoint, previously Ivanti exploits
139.162.47.194	Exploits on CitrixBleed 2
38.180.148.215	CitrixBleed 2 campaigns
185.224.128.17	High activity, Netherlands
89.248.163.200	High activity, Netherlands
15.235.218.150	Associated with APT, active C2
45.9.148.114	Associated with C2, malicious netflow
91.107.150.184	C2 infrastructure, recent IoC

Related