CISA KEV Catalog H1 2025 Analysis

---

The CISA Known Exploited Vulnerabilities (KEV) Catalog is a critical resource designed to enhance cybersecurity defenses by identifying vulnerabilities actively exploited in the wild. Throughout the first half of 2025, this catalog has seen a consistent influx of new entries reflecting the evolving and dynamic threat landscape faced by organizations globally. Understanding the trends and characteristics of these additions is essential for security teams aiming to prioritize remediation efforts and reduce exposure to real-world attacks.

This analysis explores the volume, pace, and nature of vulnerabilities added to the KEV Catalog during the first six months of 2025, shedding light on key affected technologies, exploitation patterns, and the operational imperatives for effective vulnerability management.

1. Volume and Frequency of New Vulnerabilities

• In the first quarter (Q1) of 2025 alone, 73 new vulnerabilities were added to the CISA KEV Catalog—reflecting the continued high volume of actively exploited vulnerabilities that organizations must address. This dynamic addition maintains the catalog’s role as a current, actionable list of real-world exploited flaws.
• Across Q1 2025, there was evidence of 159 unique CVEs exploited in the wild for the first time, indicating that while the KEV catalog tracks many of these, the full exploitation landscape is broader. The catalog prioritizes vulnerabilities with confirmed, verifiable exploitation, ensuring focus on the highest impact threats.
• The weekly average addition in early 2025 was about 11.4 new KEVs per week and approximately 53 per month, underscoring the rapid pace at which exploitable vulnerabilities emerge and require mitigation.

2. Categories of Affected Software and Devices

• The most targeted product categories in H1 2025 emphasize internet-exposed and infrastructure-critical systems:
• Content Management Systems (CMS): 35 vulnerabilities, reflecting attackers’ interest in web platforms that can serve as entry points or command centers.
• Network Edge Devices: Including routers and firewall appliances, with 29 vulnerabilities, a common attacker focus to gain network footholds.
• Operating Systems: 24 new vulnerabilities, showing continued targeting of underlying platforms essential to enterprise environments.
• Open Source and Server Software: 14 vulnerabilities each, indicating growing exploitation of open source components and core server applications, often widely deployed.
• Attackers appear to deprioritize desktop applications and browsers as primary targets this period, focusing more on systemic infrastructure components.

3. Vendor Impact and Popular Targets

• Key affected vendors/products with multiple vulnerabilities in H1 2025 include:
• Microsoft Windows: 15 vulnerabilities, showing continued focus on the ubiquitous OS.
• Broadcom VMware: 6 vulnerabilities, critical in virtualization environments.
• Cyber PowerPanel: 5 vulnerabilities.
• Litespeed Technologies and Totolink Routers: 4 vulnerabilities each, illustrating the ongoing threats against web servers and network devices.
• Additionally, high-risk vulnerabilities were found in major remote access and enterprise products such as BeyondTrust PRA/RS, Qlik Sense, DrayTek routers, SAP NetWeaver, and Google Chrome, highlighting the importance of patching widely used but complex enterprise software platforms.

4. Notable Vulnerabilities from H1 2025

• DrayTek Vigor Routers (CVE-2024-12987): OS command injection vulnerability actively exploited in campaigns targeting network infrastructure.
• Google Chromium Loader (CVE-2025-4664): Initially included for exploitation, later removed after review due to absence of sufficient exploitation evidence.
• SAP NetWeaver (CVE-2025-42999): Critical deserialization vulnerability enabling full system control, representing a severe risk to enterprise SAP environments.
• Qlik Sense Enterprise for Windows (CVE-2023-48365): HTTP tunneling vulnerability with a CVSS of 9.9, allowing privilege escalation and remote exploitation.
• Advantive VeraCore SQL Injection (CVE-2025-25181): Severe SQL injection flaw impacting commercial systems, widely exploited beginning in March 2025.

5. Exploitation Timelines and Risk Management Implications

• One of the most critical findings from Q1 data is that 28.3% of new KEVs were exploited within just one day of CVE disclosure. This rapid exploitation leaves extremely short windows for defenders to identify, prioritize, test, and deploy patches before potential exploitation.
• The CISA KEV Catalog updates as soon as exploitation evidence emerges, pushing organizations to adopt continuous, automated vulnerability intelligence ingestion and fast remediation cycles.
• While Binding Operational Directive 22-01 requires federal entities to patch within roughly two weeks of KEV listing, the real-world urgency applies broadly across sectors due to the high likelihood of exploitation.

6. Strategic and Operational Takeaways

• The first half of 2025 strongly reinforces that the speed of exploitation weaponization continues to accelerate, with attackers able to exploit vulnerabilities faster than traditional patching cycles allow.
• The KEV Catalog remains the gold standard for prioritizing remediation — its curated list helps organizations focus resources on the vulnerabilities that matter most for immediate risk reduction.
• Organizations need to integrate KEV monitoring directly into their security operations workflows, ensuring that monitoring, patching, incident response, and compensating controls work in concert and react promptly to catalog updates.
• Special attention should be given to patching product categories heavily targeted in H1 2025 — especially CMS, network edge, operating systems, and critical enterprise applications.
• Because many exploited vulnerabilities affect infrastructure and remote access platforms, zero-trust, network segmentation, and strong multifactor authentication are essential defense layers to reduce the risk of lateral or privilege escalation attacks while patches are deployed.

Summary of Best Practices Moving Forward

• Automate KEV Catalog updates to alert and drive prioritization within asset and vulnerability management systems.
• Map KEV-listed vulnerabilities against asset inventories expeditiously to identify at-risk systems.
• Implement emergency patching or rapid temporary mitigations for newly added KEVs, especially those with high-risk scores or known active exploitation.
• Increase threat hunting and logging scrutiny around recently issued KEVs to detect early signs of exploitation.
• Strengthen network controls and access management to limit attack surfaces exposed by newly exploited vulnerabilities, minimizing potential impact during patching delays.

This highlights the urgent and evolving challenges defenders face when managing vulnerabilities actively exploited in the wild during the first half of 2025. Continuous vigilance and alignment with the KEV catalog remain indispensable components of an effective vulnerability risk management program.