KEV 2025

Android Framework — Integer Overflow Local Privilege Escalation via Targeted Exploitation

Langflow AI Workflow Platform — CORS Misconfiguration + SameSite=None Cookie Enables Cross-Origin Token Theft Leading to Arbitrary Python RCE; Obsidian Security Disclosure; Active Exploitation January 2026

Windows Host Process for Tasks (taskhostw.exe) — Symbolic Link Abuse Leading to SYSTEM Privilege Escalation

D-Link DIR-823X (EoL) — Root RCE via Command Injection in set_prohibiting

Kentico Xperience — Authenticated Path Traversal in Staging Sync Server Leading to Remote Code Execution

Apple iOS/Safari — WebKit/JavaScriptCore JIT Buffer Overflow; DarkSword Exploit Chain (UNC6748, PARS Defense, UNC6353)

Apple iOS/macOS/watchOS — DarkSword Chain Shared-Memory LPE; Targeted Spyware Deployment

SolarWinds Web Help Desk — CSRF Bypass via /ajax/ URI Injection; Chains with CVE-2025-40551 for Unauthenticated RCE; 3-Day Emergency Deadline

Notepad++ WinGUp Updater — No Crypto Verification of Updates; Hosting Provider Compromise Enables Trojanized Installer Delivery

Roundcube Webmail — SVG animate Tag XSS Bypasses rcube_washtml Sanitizer; Persistent Zero-Click Session Theft

Sangoma FreePBX Endpoint Manager — Post-Auth OS Command Injection via SSH Test Function

Zimbra ZCS — /h/rest Servlet Path Traversal File Inclusion; APT Target; Session Credential Exfiltration

Gogs Git Server — Symlink Path Traversal in PutContents API; Authenticated Repo User Can Read/Write Arbitrary Files; Wiz Research

Versa Concerto SD-WAN — Traefik Header Drop Bypasses Actuator Auth; Part of 3-CVE Chain for Unauthenticated RCE

npm eslint-config-prettier — Maintainer Account Compromise via Phishing; node-gyp.dll Malware on Windows; 30M+ Weekly Downloads

Apple iOS/macOS — WebKit UAF Zero-Day; Mercenary Spyware Targeting; Apple's 9th Exploited Zero-Day of 2025

Google Chrome ANGLE — OOB Memory Access on macOS; Same-Day KEV Listing as Patch; Affects All Chromium-Based Browsers

OSGeo GeoServer — Pre-Auth XXE via WMS GetMap; Arbitrary File Read and SSRF; New Year's Day 2026 CISA Deadline

WinRAR Windows — Earlier Path Traversal (June 2025); KEV-Listed December 2025; Distinct from CVE-2025-8088; Fixed in 7.20

Windows Cloud Files Mini Filter Driver (cldflt.sys) — UAF Local Privilege Escalation; December 2025 Patch Tuesday Zero-Day

Android Framework — Background Activity Launch Restriction Bypass; Limited Targeted Exploitation; December 2025

MongoDB — Unauthenticated Heap Memory Leak via Zlib Inconsistent Length Fields; Pre-Auth Confidentiality Impact

Array Networks ArrayOS AG — Authenticated Command Injection via DesktopDirect; Webshell Deployment; JPCERT-Confirmed Active Exploitation

Google Chrome V8 — Type Confusion Heap Corruption; November 2025 Zero-Day; Affects All Chromium-Based Browsers

Samsung Mobile — libimagecodec.quram.so OOB Write; Linked to Landfall Commercial Spyware (Unit 42); April 2025 SMR

Gladinet CentreStack/Triofox — Unauthenticated Local File Inclusion; Third Gladinet CVE of 2025; Systemic Access Control Deficit

Fortinet FortiWeb — Authenticated OS Command Injection; 7-Day CISA Deadline; 22k+ Exposed Appliances

Windows Kernel — Double-Free Race Condition; Local Privilege Escalation to SYSTEM; November 2025 Patch Tuesday Zero-Day

Microsoft Windows — SMB Client Coercion Attack; Credential Relay / Privilege Escalation via Malicious Script

Samsung Mobile — libimagecodec.quram.so OOB Write; Reported by Meta/WhatsApp; Android 13–16; September 2025 SMR

Smartbedded Meteobridge — Unauthenticated Root Command Injection in Weather Station Bridge; IoT Botnet Recruitment Risk

Dassault Systèmes DELMIA Apriso — Authenticated File Upload Code Injection; Step 2 of CVE-2025-6205 → RCE Chain; ICS/MES Target

VMware Aria Operations / VMware Tools — SDMP get_versions.sh Unsafe Path; UNC5174 (China) Zero-Day for ~1 Year Before Patch

Windows Agere Modem Driver (ltmdm64.sys) — 2006 Legacy Driver IOCTL Pointer Dereference; Microsoft Removes Driver Entirely

Windows Remote Access Connection Manager — Local Privilege Escalation to SYSTEM; October 2025 Patch Tuesday Zero-Day

Oracle EBS Configurator — SSRF → XSL SSTI RCE Chain; Cl0p/FIN11 Mass Extortion Campaign; SAGE Malware Framework

Android Runtime — ART UAF Chrome Sandbox Escape; Paired with CVE-2025-38352 for Full Kernel LPE; Limited Targeted Exploitation

Cisco IOS/IOS XE — SNMP Stack Overflow; DoS with Low Priv, RCE with Admin Creds; Active Exploitation Confirmed

Linux Kernel — POSIX CPU Timer TOCTOU Race; Android September 2025 Zero-Day; Kernel Memory Corruption

TP-Link Archer C7 / WR841N — Authenticated Command Injection via Parental Control; EOL Hardware; CISA Recommends Discontinue Use

N-able N-Central RMM — Authenticated Command Injection; 7-Day Emergency CISA Deadline; MSP Supply-Chain Risk

WinRAR Windows — Path Traversal via ...// Archive Entry Names; Amaranth Dragon (APT41-linked) and RomCom Exploitation; Fixed in 7.13

Git — Pre-Auth RCE via Carriage Return in Submodule Path (Linux/macOS)

N-able N-Central RMM — Java Deserialization RCE; Paired with CVE-2025-8876 Command Injection; 7-Day Emergency Deadline

Microsoft SharePoint Server — Authenticated Code Injection; 1-Day CISA Deadline; Chains with CVE-2025-49706; Patch Bypassed by CVE-2025-53770

Google Chrome ANGLE/GPU — Sandbox Escape via GPU Process; Affects All Chromium-Based Browsers; July 2025 Zero-Day

Google Chrome V8 — Type Confusion Arbitrary Read/Write; Fourth Chrome Zero-Day of 2025; June 2025

Citrix NetScaler ADC/Gateway — Pre-Auth OOB Read Memory Disclosure; 1-Day CISA Emergency Deadline; Ransomware Exploitation

Microsoft Windows — .url File WorkingDirectory WebDAV Code Execution; June 2025 Patch Tuesday Zero-Day

Google Chrome V8 — OOB Read/Write Heap Corruption; Third Chrome Zero-Day of 2025; June 2025

Qualcomm Adreno GPU — Second Unauthorized GPU Micronode Command Execution Vulnerability; June 2025 Bulletin (Companion to CVE-2025-21480)

Qualcomm Adreno GPU — Unauthorized GPU Micronode Command Execution Enabling Memory Corruption; June 2025 Bulletin

ConnectWise ScreenConnect — ViewState Code Injection via Exposed Machine Key; RCE on Server; April 2025 Security Patch

Qualcomm Adreno GPU — UAF via Chrome Renderer; Remote Exploitation via Malicious Web Content; June 2025 Bulletin

FreeType — TrueType GX / Variable Font OOB Write; Android/Linux/macOS Affected; Meta Reports Active Exploitation

Windows Desktop Window Manager — DwmCore.dll UAF Local Privilege Escalation; May 2025 Patch Tuesday Zero-Day

Windows CLFS Driver — UAF Local Privilege Escalation; May 2025 Patch Tuesday Zero-Day (One of Three Simultaneous)

Windows CLFS Driver — Heap Overflow Local Privilege Escalation; May 2025 Patch Tuesday Zero-Day

Microsoft Windows — AFD.sys Use-After-Free; Local Privilege Escalation to Administrator; May 2025 Patch Tuesday Zero-Day

Windows Scripting Engine — Type Confusion RCE via Crafted URL; May 2025 Patch Tuesday Zero-Day

Srimax Output Messenger — Path Traversal to Startup Folder Persistence; Marbled Dust Targets Kurdish Military in Iraq

Ivanti EPMM — Remote Code Execution via Spring EL Injection in Feature Usage API, Chained with Auth Bypass for Pre-Auth RCE

Commvault Web Server — Authenticated Webshell Creation via Unspecified Flaw; Ransomware-Group Exploitation

Windows CLFS Driver — Zero-Day UAF Used by Storm-2460 to Deploy RansomEXX; April 2025 Patch Tuesday

reviewdog/action-setup — CI/CD Supply Chain Cascade: Upstream Compromise Enables Downstream tj-actions Attack

tj-actions/changed-files — CI/CD Supply Chain Attack Dumps Secrets to Workflow Logs; 23,000+ Repos Affected; Coinbase Initial Target

Google Chrome Mojo (Windows) — IPC Handle Logic Error Enables Sandbox Escape; Operation ForumTroll Russian APT; March 2025 Zero-Day

VMware ESXi — VMX Process Arbitrary Kernel Write → Host Escape; Part of VMSA-2025-0004 Guest Escape Chain; Ransomware Exploitation

Fortinet FortiOS/FortiProxy — Auth Bypass via CSF Proxy Requests → Super-Admin; Ransomware Active Exploitation

Windows Fast FAT Driver (fastfat.sys) — Integer Overflow via Malicious Disk Image; March 2025 Patch Tuesday Zero-Day

Windows NTFS Driver — Heap Overflow via Malicious .vhd File; March 2025 Patch Tuesday Zero-Day

VMware ESXi/Workstation/Fusion — HGFS OOB Read Leaks vmx Process Memory; Part of VMSA-2025-0004 Guest Escape Chain

Windows Win32k Kernel Subsystem — UAF Local Privilege Escalation; March 2025 Patch Tuesday Zero-Day

Windows MMC — MSC EvilTwin .msc File Security Bypass; EncryptHub/Larva-208 Zero-Day; RansomHub Delivery

Trimble Cityworks — Authenticated .NET Deserialization RCE Against IIS Web Server; Targets Government and Utility Infrastructure

Microsoft Power Pages — Unauthenticated Privilege Escalation via Registration Bypass; Microsoft Discloses Active Exploitation of Customer Portals

Craft CMS — Database Backup Path Code Injection; RCE When Security Key is Known to Attacker

Windows AFD (afd.sys) — Heap Overflow Local Privilege Escalation to SYSTEM; February 2025 Patch Tuesday Zero-Day

Windows Storage — Symlink Following Enables Arbitrary File Deletion; February 2025 Patch Tuesday Zero-Day

7-Zip — MotW Not Propagated to Extracted Files; Windows SmartScreen Bypass; Russian SmokeLoader Phishing Campaigns

Windows Hyper-V NT Kernel VSP — Heap Overflow Guest-to-Host LPE; January 2025 Patch Tuesday (One of Three Simultaneous Hyper-V Zero-Days)

Windows Hyper-V NT Kernel VSP — UAF Guest-to-Host LPE; January 2025 Patch Tuesday (One of Three Simultaneous Hyper-V Zero-Days)

Windows Hyper-V NT Kernel VSP — UAF Guest-to-Host LPE; January 2025 Patch Tuesday (Third of Three Simultaneous Hyper-V Zero-Days)