180 CISA Known Exploited Vulnerabilities from 2025
Sorted by CVSS base score, highest first.

| CVSS | Vendor / Product | Vulnerability |
|---|---|---|
| 10 | Quest KACE SMA | Unauthenticated SSO Authentication Bypass Enabling Full Administrative Takeover |
| 10 | Craft CMS | Craft CMS Code Injection Vulnerability |
| 10 | SmarterTools SmarterMail | SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability |
| 10 | Hewlett Packard Enterprise (HPE) OneView | Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability |
| 10 | Cisco Multiple Products | Cisco Multiple Products Improper Input Validation Vulnerability |
| 10 | Meta React Server Components | Meta React Server Components Remote Code Execution Vulnerability |
| 10 | Adobe Experience Manager (AEM) Forms | Adobe Experience Manager Forms Code Execution Vulnerability |
| 10 | Fortra GoAnywhere MFT | Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability |
| 10 | Apple iOS, iPadOS, and macOS | Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability |
| 10 | Cisco Identity Services Engine | Cisco Identity Services Engine Injection Vulnerability |
| 10 | Cisco Identity Services Engine | Cisco Identity Services Engine Injection Vulnerability |
| 10 | Wing FTP Server | Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability |
| 10 | Erlang/OTP | Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability |
| 10 | Commvault Command Center | Commvault Command Center Path Traversal Vulnerability |
| 10 | SAP NetWeaver | SAP NetWeaver Unrestricted File Upload Vulnerability |
| 10 | Apple Multiple Products | Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability |
| 10 | Apple Multiple Products | Apple Multiple Products Use-After-Free Vulnerability |
| 9.9 | n8n | n8n Improper Control of Dynamically-Managed Code Resources Vulnerability |
| 9.9 | Roundcube Webmail | RoundCube Webmail Deserialization of Untrusted Data Vulnerability |
| 9.9 | Cisco Secure Firewall ASA and FTD | Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability |
| 9.9 | Wazuh Server | Wazuh Server Deserialization of Untrusted Data Vulnerability |
| 9.8 | F5 BIG-IP APM | Remote Code Execution via Malicious Traffic to Access Policy Virtual Server |
| 9.8 | Laravel Livewire | Laravel Livewire Code Injection Vulnerability |
| 9.8 | SolarWinds Web Help Desk | SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability |
| 9.8 | React Native Community CLI | React Native Community CLI OS Command Injection Vulnerability |
| 9.8 | SolarWinds Web Help Desk | SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability |
| 9.8 | WatchGuard Firebox | WatchGuard Firebox Out of Bounds Write Vulnerability |
| 9.8 | ASUS Live Update | ASUS Live Update Embedded Malicious Code Vulnerability |
| 9.8 | Fortinet Multiple Products | Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability |
| 9.8 | Gladinet CentreStack and Triofox | Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability |
| 9.8 | Oracle Fusion Middleware | Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability |
| 9.8 | Fortinet FortiWeb | Fortinet FortiWeb Path Traversal Vulnerability |
| 9.8 | WatchGuard Firebox | WatchGuard Firebox Out-of-Bounds Write Vulnerability |
| 9.8 | XWiki Platform | XWiki Platform Eval Injection Vulnerability |
| 9.8 | Microsoft Windows | Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability |
| 9.8 | LANSCOPE Endpoint Manager | Unauthenticated Remote Code Execution via Spoofed Communication Channel, Exploited by Chinese APT Bronze Butler |
| 9.8 | Kentico Xperience CMS | Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability |
| 9.8 | Kentico Xperience CMS | Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability |
| 9.8 | Oracle E-Business Suite | Oracle E-Business Suite Unspecified Vulnerability |
| 9.8 | Google Chromium V8 | Google Chromium V8 Type Confusion Vulnerability |
| 9.8 | Sangoma FreePBX | Sangoma FreePBX Authentication Bypass Vulnerability |
| 9.8 | Citrix NetScaler | Citrix NetScaler Memory Overflow Vulnerability |
| 9.8 | Microsoft SharePoint | Microsoft SharePoint Deserialization of Untrusted Data Vulnerability |
| 9.8 | Fortinet FortiWeb | Fortinet FortiWeb SQL Injection Vulnerability |
| 9.8 | Citrix NetScaler ADC and Gateway | Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability |
| 9.8 | Samsung MagicINFO 9 Server | Samsung MagicINFO 9 Server Path Traversal Vulnerability |
| 9.8 | Fortinet Multiple Products | Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability |
| 9.8 | Langflow | Langflow Missing Authentication Vulnerability |
| 9.8 | Qualitia Active! Mail | Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability |
| 9.8 | Apple Multiple Products | Apple Multiple Products Memory Corruption Vulnerability |
| 9.8 | Apple Multiple Products | Apple Multiple Products Arbitrary Read and Write Vulnerability |
| 9.8 | CrushFTP | CrushFTP Authentication Bypass Vulnerability |
| 9.8 | Apache Tomcat | Apache Tomcat Path Equivalence Vulnerability |
| 9.8 | Edimax IC-7100 IP Camera | Edimax IC-7100 IP Camera OS Command Injection Vulnerability |
| 9.8 | SonicWall SMA1000 Appliances | SonicWall SMA1000 Appliances Deserialization Vulnerability |
| 9.4 | Trend Micro Apex One | Trend Micro Apex One OS Command Injection Vulnerability |
| 9.3 | Sudo | Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability |
| 9.3 | SysAid On-Prem | SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability |
| 9.3 | SysAid On-Prem | SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability |
| 9.3 | VMware ESXi and Workstation | VMware ESXi and Workstation TOCTOU Race Condition Vulnerability |
| 9.1 | Gladinet Triofox | Gladinet Triofox Improper Access Control Vulnerability |
| 9.1 | Dassault Systèmes DELMIA Apriso | Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability |
| 9.1 | Adobe Commerce and Magento | Adobe Commerce and Magento Improper Input Validation Vulnerability |
| 9.1 | SAP NetWeaver | SAP NetWeaver Deserialization Vulnerability |
| 9.1 | Palo Alto Networks PAN-OS | Palo Alto Networks PAN-OS Authentication Bypass Vulnerability |
| 9 | CWP Control Web Panel | CWP Control Web Panel OS Command Injection Vulnerability |
| 9 | Dassault Systèmes DELMIA Apriso | Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability |
| 9 | Sitecore Multiple Products | Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability |
| 9 | CrushFTP | CrushFTP Unprotected Alternate Channel Vulnerability |
| 9 | Gladinet CentreStack | Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability |
| 9 | Ivanti Connect Secure, Policy Secure, and ZTA Gateways | Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability |
| 9 | Ivanti Connect Secure, Policy Secure, and ZTA Gateways | Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability |
| 8.8 | Apple Multiple Products | Apple Multiple Products Buffer Overflow Vulnerability |
| 8.8 | Synacor Zimbra Collaboration Suite (ZCS) | Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability |
| 8.8 | Gogs | Gogs Path Traversal Vulnerability |
| 8.8 | Apple Multiple Products | Apple Multiple Products Use-After-Free WebKit Vulnerability |
| 8.8 | Google Chromium | Google Chromium Out of Bounds Memory Access Vulnerability |
| 8.8 | Google Chromium V8 | Google Chromium V8 Type Confusion Vulnerability |
| 8.8 | Samsung Mobile Devices | Samsung Mobile Devices Out-of-Bounds Write Vulnerability |
| 8.8 | Microsoft Windows | Microsoft Windows SMB Client Improper Access Control Vulnerability |
| 8.8 | Samsung Mobile Devices | Samsung Mobile Devices Out-of-Bounds Write Vulnerability |
| 8.8 | Smartbedded Meteobridge | Smartbedded Meteobridge Command Injection Vulnerability |
| 8.8 | Android Runtime | Android Runtime Use-After-Free Vulnerability |
| 8.8 | N-able N-Central | N-able N-Central Command Injection Vulnerability |
| 8.8 | RARLAB WinRAR | RARLAB WinRAR Path Traversal Vulnerability |
| 8.8 | Microsoft SharePoint | Microsoft SharePoint Code Injection Vulnerability |
| 8.8 | Google Chromium | Google Chromium ANGLE and GPU Improper Input Validation Vulnerability |
| 8.8 | Microsoft Windows | Microsoft Windows External Control of File Name or Path Vulnerability |
| 8.8 | Google Chromium V8 | Google Chromium V8 Out-of-Bounds Read and Write Vulnerability |
| 8.8 | Commvault Web Server | Commvault Web Server Unspecified Vulnerability |
| 8.8 | Trimble Cityworks | Trimble Cityworks Deserialization Vulnerability |
| 8.6 | Qualcomm Multiple Chipsets | Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability |
| 8.6 | Qualcomm Multiple Chipsets | Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability |
| 8.6 | reviewdog/action-setup GitHub Action | reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability |
| 8.6 | tj-actions/changed-files GitHub Action | tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability |
| 8.3 | Google Chromium Mojo | Google Chromium Mojo Sandbox Escape Vulnerability |
| 8.2 | OSGeo GeoServer | OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability |
| 8.2 | VMware ESXi | VMware ESXi Arbitrary Write Vulnerability |
| 8.2 | Microsoft Power Pages | Microsoft Power Pages Improper Access Control Vulnerability |
| 8.1 | SolarWinds Web Help Desk | SolarWinds Web Help Desk Security Control Bypass Vulnerability |
| 8.1 | Google Chromium V8 | Google Chromium V8 Type Confusion Vulnerability |
| 8.1 | ConnectWise ScreenConnect | ConnectWise ScreenConnect Improper Authentication Vulnerability |
| 8.1 | FreeType | FreeType Out-of-Bounds Write Vulnerability |
| 8.1 | Fortinet FortiOS and FortiProxy | Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability |
| 8 | Dassault Systèmes DELMIA Apriso | Dassault Systèmes DELMIA Apriso Code Injection Vulnerability |
| 8 | Git | Git Link Following Vulnerability |
| 8 | Craft CMS | Craft CMS Code Injection Vulnerability |
| 7.8 | Windows Host Process for Tasks (taskhostw.exe) | Symbolic Link Abuse Leading to SYSTEM Privilege Escalation |
| 7.8 | Apple Multiple Products | Apple Multiple Products Improper Locking Vulnerability |
| 7.8 | RARLAB WinRAR | RARLAB WinRAR Path Traversal Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows Use After Free Vulnerability |
| 7.8 | Android Framework | Android Framework Privilege Escalation Vulnerability |
| 7.8 | Broadcom VMware Aria Operations and VMware Tools | Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows Untrusted Pointer Dereference Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows Improper Access Control Vulnerability |
| 7.8 | N-able N-Central | N-able N-Central Insecure Deserialization Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows DWM Core Library Use-After-Free Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows Fast FAT File System Driver Integer Overflow Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows NTFS Heap-Based Buffer Overflow Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability |
| 7.8 | Microsoft Windows | Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability |
| 7.7 | Cisco IOS and IOS XE | Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability |
| 7.5 | Notepad++ | Notepad++ Download of Code Without Integrity Check Vulnerability |
| 7.5 | Versa Concerto | Versa Concerto Improper Authentication Vulnerability |
| 7.5 | Prettier eslint-config-prettier | Prettier eslint-config-prettier Embedded Malicious Code Vulnerability |
| 7.5 | MongoDB and MongoDB Server | MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability |
| 7.5 | Gladinet CentreStack and Triofox | Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability |
| 7.5 | Oracle E-Business Suite | Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability |
| 7.5 | Citrix NetScaler ADC and Gateway | Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability |
| 7.5 | Qualcomm Multiple Chipsets | Qualcomm Multiple Chipsets Use-After-Free Vulnerability |
| 7.5 | Microsoft Windows | Microsoft Windows Scripting Engine Type Confusion Vulnerability |
| 7.4 | Linux Kernel | Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability |
| 7.2 | D-Link DIR-823X (EoL) | Root RCE via Command Injection in set_prohibiting |
| 7.2 | Kentico Xperience | Authenticated Path Traversal in Staging Sync Server Leading to Remote Code Execution |
| 7.2 | Roundcube Webmail | RoundCube Webmail Cross-site Scripting Vulnerability |
| 7.2 | Sangoma FreePBX | Sangoma FreePBX OS Command Injection Vulnerability |
| 7.2 | Array Networks ArrayOS AG | Array Networks ArrayOS AG OS Command Injection Vulnerability |
| 7.2 | Fortinet FortiWeb | Fortinet FortiWeb OS Command Injection Vulnerability |
| 7.2 | TP-Link Multiple Routers | TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability |
| 7.2 | Srimax Output Messenger | Srimax Output Messenger Directory Traversal Vulnerability |
| 7.2 | Ivanti EPMM | Remote Code Execution via Spring EL Injection in Feature Usage API, Chained with Auth Bypass for Pre-Auth RCE |
| 7.1 | VMware ESXi, Workstation, and Fusion | VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability |
| 7.1 | Microsoft Windows | Microsoft Windows Storage Link Following Vulnerability |
| 7 | Microsoft Windows | Microsoft Windows Race Condition Vulnerability |
| 7 | Microsoft Windows | Microsoft Windows Win32k Use-After-Free Vulnerability |
| 7 | Microsoft Windows | Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability |
| 7 | 7-Zip | 7-Zip Mark of the Web Bypass Vulnerability |
| 6.7 | Broadcom Brocade Fabric OS | Broadcom Brocade Fabric OS Code Injection Vulnerability |
| 6.6 | SonicWall SMA1000 Appliance | SonicWall SMA1000 Missing Authorization Vulnerability |
| 6.5 | Cisco Secure Firewall ASA and FTD | Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability |
| 6.5 | Microsoft SharePoint | Microsoft SharePoint Improper Authentication Vulnerability |
| 6.5 | Microsoft Windows | Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability |
| 6.5 | Palo Alto Networks PAN-OS | Palo Alto Networks PAN-OS File Read Vulnerability |
| 6.1 | Zimbra ZCS | Stored XSS in Classic UI via Crafted Email HTML with @import Directives |
| 6.1 | Synacor Zimbra Collaboration Suite (ZCS) | Stored Cross-Site Scripting via CSS @import in Classic UI |
| 6.1 | Libraesva Email Security Gateway | Libraesva Email Security Gateway Command Injection Vulnerability |
| 6.1 | Apple iOS and iPadOS | Apple iOS and iPadOS Incorrect Authorization Vulnerability |
| 5.8 | Advantive VeraCore | Advantive VeraCore SQL Injection Vulnerability |
| 5.5 | Apple Multiple Products | Apple Multiple Products Classic Buffer Overflow Vulnerability |
| 5.5 | Android Framework | Android Framework Information Disclosure Vulnerability |
| 5.5 | Microsoft Windows | Microsoft Windows NTFS Out-Of-Bounds Read Vulnerability |
| 5.4 | Zimbra ZCS | Stored XSS via ICS Calendar ontoggle Event, Zero-Day Exploited Against Brazilian Military |
| 5.4 | Meta Platforms WhatsApp | Meta Platforms WhatsApp Incorrect Authorization Vulnerability |
| 5.3 | Vite Vitejs | Vite Vitejs Improper Access Control Vulnerability |
| 5.3 | TeleMessage TM SGNL | TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability |
| 5.3 | Craft CMS | Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability |
| 5.3 | Ivanti EPMM | Authentication Bypass via Missing Spring Security Intercept Rules, Enabling Unauthenticated RCE Chain |
| 4.6 | IGEL OS | IGEL OS Use of a Key Past its Expiration Date Vulnerability |
| 4.6 | Microsoft Windows | Microsoft Windows NTFS Information Disclosure Vulnerability |
| 4.4 | Juniper Junos OS | Juniper Junos OS Improper Isolation or Compartmentalization Vulnerability |
| 4.3 | Wing FTP Server | Information Disclosure via Overlong UID Cookie in loginok.html |
| 4.2 | Apple Multiple Products | Apple Multiple Products Unspecified Vulnerability |
| 4 | TeleMessage TM SGNL | TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability |
| 1.9 | TeleMessage TM SGNL | TeleMessage TM SGNL Hidden Functionality Vulnerability |
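A listing like the one above is only useful once it is checked against what you actually run. The script below is an added example, not code from this page or from CISA: it parses a document in the schema of the public KEV JSON feed, keeps the entries added in a given year, pairs them with a product inventory, and orders the result by CISA due date. The feed URL is the real one, but the script runs only on the constructed excerpt embedded in it; the four CVE IDs are real catalog entries, while their dates, ransomware flags and CWEs are illustrative placeholders to be replaced from the live feed, and the inventory and host names are made up.

```python
"""Filter a CISA KEV feed document to one year's additions and match it against
an inventory. Added example; not code from the page above or from CISA."""
import json
from datetime import date

# Real feed location; fetch it separately, this script works on the excerpt below.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the feed's schema (fields not used here are omitted).
# CVE IDs are real KEV entries; dates, ransomware flags and CWEs are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2025-32433", "vendorProject": "Erlang", "product": "Erlang/OTP",
         "vulnerabilityName": "Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability",
         "dateAdded": "2025-06-09", "dueDate": "2025-06-30",
         "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-306"]},
        {"cveID": "CVE-2025-31324", "vendorProject": "SAP", "product": "NetWeaver",
         "vulnerabilityName": "SAP NetWeaver Unrestricted File Upload Vulnerability",
         "dateAdded": "2025-04-29", "dueDate": "2025-05-20",
         "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-434"]},
        {"cveID": "CVE-2025-0411", "vendorProject": "7-Zip", "product": "7-Zip",
         "vulnerabilityName": "7-Zip Mark of the Web Bypass Vulnerability",
         "dateAdded": "2025-02-06", "dueDate": "2025-02-27",
         "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-693"]},
        {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "vulnerabilityName": "Palo Alto Networks PAN-OS Command Injection Vulnerability",
         "dateAdded": "2024-04-12", "dueDate": "2024-04-19",
         "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-77"]},
    ],
})

# Constructed inventory, shaped like a CMDB export: host, vendor, product.
INVENTORY = [
    {"host": "build-01", "vendor": "Erlang", "product": "Erlang/OTP"},
    {"host": "erp-prod", "vendor": "SAP", "product": "NetWeaver"},
    {"host": "fw-edge", "vendor": "Palo Alto Networks", "product": "PAN-OS"},
    {"host": "wk-042", "vendor": "Microsoft", "product": "Windows"},
]


def load_kev(text):
    """Parse a KEV feed document and return its vulnerability records."""
    doc = json.loads(text)
    records = doc["vulnerabilities"]
    # The feed carries its own record count; a mismatch means a truncated download.
    if "count" in doc and doc["count"] != len(records):
        raise ValueError(f"feed count {doc['count']} != {len(records)} records")
    return records


def added_in_year(records, year):
    """Records whose dateAdded (ISO yyyy-mm-dd) falls in the given calendar year."""
    return [r for r in records if date.fromisoformat(r["dateAdded"]).year == year]


def _norm(s):
    return " ".join(s.lower().split())


def match_inventory(records, inventory):
    """Pair inventory items with KEV records for the same vendor and product.

    KEV carries no affected-version data, so a hit means "check the vendor
    advisory for this CVE", not "this host is vulnerable". A KEV product of
    "Multiple Products" is treated as matching any product of that vendor.
    """
    hits = []
    for item in inventory:
        vendor, product = _norm(item["vendor"]), _norm(item["product"])
        for r in records:
            if _norm(r["vendorProject"]) != vendor:
                continue
            kev_product = _norm(r["product"])
            if kev_product == "multiple products" or product in kev_product or kev_product in product:
                hits.append((item, r))
    return hits


def remediation_plan(hits, today):
    """Order hits by KEV due date and flag overdue items and known ransomware use."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    plan = []
    for item, r in sorted(hits, key=lambda h: h[1]["dueDate"]):
        plan.append({
            "host": item["host"],
            "cve": r["cveID"],
            "name": r["vulnerabilityName"],
            "due": r["dueDate"],
            "overdue": today > date.fromisoformat(r["dueDate"]),
            "ransomware": r["knownRansomwareCampaignUse"] == "Known",
        })
    return plan


if __name__ == "__main__":
    this_year = added_in_year(load_kev(SAMPLE_KEV_JSON), 2025)
    for row in remediation_plan(match_inventory(this_year, INVENTORY), date.today()):
        print(row)
```

Matching on vendor and product is deliberately loose (substring either way, plus the "Multiple Products" wildcard) because KEV's product strings do not line up with inventory naming; the cost is false positives, which is the right side to err on for a list of exploited bugs. Version applicability still has to come from the vendor advisory, since the catalog does not record affected ranges.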