180 CISA Known Exploited Vulnerabilities from 2025
Craft CMS — Craft CMS Code Injection Vulnerability (CVSS 10.0)
n8n — n8n Improper Control of Dynamically-Managed Code Resources Vulnerability (CVSS 9.9)
F5 BIG-IP APM — Remote Code Execution via Malicious Traffic to Access Policy Virtual Server (CVSS 9.8)
Laravel Livewire — Laravel Livewire Code Injection Vulnerability (CVSS 9.8)
SolarWinds Web Help Desk — SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability (CVSS 9.8)
Roundcube Webmail — RoundCube Webmail Deserialization of Untrusted Data Vulnerability (CVSS 9.9)
React Native Community CLI — React Native Community CLI OS Command Injection Vulnerability (CVSS 9.8)
SolarWinds Web Help Desk — SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability (CVSS 9.8)
SmarterTools SmarterMail — SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability (CVSS 10.0)
Hewlett Packard Enterprise (HPE) OneView — Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability (CVSS 10.0)
Cisco Multiple Products — Cisco Multiple Products Improper Input Validation Vulnerability (CVSS 10.0)
Meta React Server Components — Meta React Server Components Remote Code Execution Vulnerability (CVSS 10.0)
WatchGuard Firebox — WatchGuard Firebox Out-of-Bounds Write Vulnerability (CVSS 9.8)
ASUS Live Update — ASUS Live Update Embedded Malicious Code Vulnerability (CVSS 9.8)
Fortinet Multiple Products — Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability (CVSS 9.8)
Gladinet CentreStack and Triofox — Gladinet CentreStack and Triofox Hard-Coded Cryptographic Vulnerability (CVSS 9.8)
Oracle Fusion Middleware — Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability (CVSS 9.8)
Fortinet FortiWeb — Fortinet FortiWeb Path Traversal Vulnerability (CVSS 9.8)
WatchGuard Firebox — WatchGuard Firebox Out-of-Bounds Write Vulnerability (CVSS 9.8)
Gladinet Triofox — Gladinet Triofox Improper Access Control Vulnerability (CVSS 9.1)
CWP Control Web Panel — CWP Control Web Panel OS Command Injection Vulnerability (CVSS 9.0)
Adobe Experience Manager (AEM) Forms — Adobe Experience Manager Forms Code Execution Vulnerability (CVSS 10.0)
XWiki Platform — XWiki Platform Eval Injection Vulnerability (CVSS 9.8)
Microsoft Windows — Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability (CVSS 9.8)
LANSCOPE Endpoint Manager — Unauthenticated Remote Code Execution via Spoofed Communication Channel, Exploited by Chinese APT Bronze Butler (CVSS 9.8)
Kentico Xperience CMS — Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability (CVSS 9.8)
Kentico Xperience CMS — Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability (CVSS 9.8)
Oracle E-Business Suite — Oracle E-Business Suite Unspecified Vulnerability (CVSS 9.8)
Dassault Systèmes DELMIA Apriso — Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability (CVSS 9.1)
Adobe Commerce and Magento — Adobe Commerce and Magento Improper Input Validation Vulnerability (CVSS 9.1)
Fortra GoAnywhere MFT — Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability (CVSS 10.0)
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense — Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability (CVSS 9.9)
Google Chromium V8 — Google Chromium V8 Type Confusion Vulnerability (CVSS 9.8)
Sudo — Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability (CVSS 9.3)
Dassault Systèmes DELMIA Apriso — Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability (CVSS 9.0)
Sitecore Multiple Products — Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability (CVSS 9.0)
Apple iOS, iPadOS, and macOS — Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability (CVSS 10.0)
Sangoma FreePBX — Sangoma FreePBX Authentication Bypass Vulnerability (CVSS 9.8)
Citrix NetScaler — Citrix NetScaler Memory Overflow Vulnerability (CVSS 9.8)
Trend Micro Apex One — Trend Micro Apex One OS Command Injection Vulnerability (CVSS 9.4)
Cisco Identity Services Engine — Cisco Identity Services Engine Injection Vulnerability (CVSS 10.0)
Cisco Identity Services Engine — Cisco Identity Services Engine Injection Vulnerability (CVSS 10.0)
Wing FTP Server — Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability (CVSS 10.0)
Microsoft SharePoint — Microsoft SharePoint Deserialization of Untrusted Data Vulnerability (CVSS 9.8)
Fortinet FortiWeb — Fortinet FortiWeb SQL Injection Vulnerability (CVSS 9.8)
SysAid On-Prem — SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability (CVSS 9.3)
SysAid On-Prem — SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability (CVSS 9.3)
CrushFTP — CrushFTP Unprotected Alternate Channel Vulnerability (CVSS 9.0)
Erlang/OTP — Pre-Authentication Remote Code Execution via SSH Channel Request (CVSS 10.0)
Wazuh Server — Wazuh Server Deserialization of Untrusted Data Vulnerability (CVSS 9.9)
Citrix NetScaler ADC and Gateway — Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability (CVSS 9.8)
Commvault Command Center — Commvault Command Center Path Traversal Vulnerability (CVSS 10.0)
Samsung MagicINFO 9 Server — Samsung MagicINFO 9 Server Path Traversal Vulnerability (CVSS 9.8)
Fortinet Multiple Products — Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability (CVSS 9.8)
Langflow — Langflow Missing Authentication Vulnerability (CVSS 9.8)
SAP NetWeaver — SAP NetWeaver Deserialization Vulnerability (CVSS 9.1)
SAP NetWeaver — SAP NetWeaver Unrestricted File Upload Vulnerability (CVSS 10.0)
Qualitia Active! Mail — Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability (CVSS 9.8)
Apple Multiple Products — Apple Multiple Products Memory Corruption Vulnerability (CVSS 9.8)
Apple Multiple Products — Apple Multiple Products Arbitrary Read and Write Vulnerability (CVSS 9.8)
CrushFTP — CrushFTP Authentication Bypass Vulnerability (CVSS 9.8)
Apache Tomcat — Apache Tomcat Path Equivalence Vulnerability (CVSS 9.8)
Gladinet CentreStack — Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability (CVSS 9.0)
Ivanti Connect Secure, Policy Secure, and ZTA Gateways — Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability (CVSS 9.0)
Apple Multiple Products — Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability (CVSS 10.0)
Edimax IC-7100 IP Camera — Edimax IC-7100 IP Camera OS Command Injection Vulnerability (CVSS 9.8)
VMware ESXi and Workstation — VMware ESXi and Workstation TOCTOU Race Condition Vulnerability (CVSS 9.3)
Apple Multiple Products — Apple Multiple Products Use-After-Free Vulnerability (CVSS 10.0)
SonicWall SMA1000 Appliances — SonicWall SMA1000 Appliances Deserialization Vulnerability (CVSS 9.8)
Ivanti Connect Secure, Policy Secure, and ZTA Gateways — Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability (CVSS 9.0)
Windows Host Process for Tasks (taskhostw.exe) — Symbolic Link Abuse Leading to SYSTEM Privilege Escalation (CVSS 7.8)
D-Link DIR-823X (EoL) — Root RCE via Command Injection in set_prohibiting (CVSS 7.2)
Kentico Xperience — Authenticated Path Traversal in Staging Sync Server Leading to Remote Code Execution (CVSS 7.2)
Apple Multiple Products — Apple Multiple Products Buffer Overflow Vulnerability (CVSS 8.8)
Apple Multiple Products — Apple Multiple Products Improper Locking Vulnerability (CVSS 7.8)
SolarWinds Web Help Desk — SolarWinds Web Help Desk Security Control Bypass Vulnerability (CVSS 8.1)
Notepad++ — Notepad++ Download of Code Without Integrity Check Vulnerability (CVSS 7.5)
Roundcube Webmail — RoundCube Webmail Cross-site Scripting Vulnerability (CVSS 7.2)
Sangoma FreePBX Endpoint Manager — Post-Auth OS Command Injection via SSH Test Function (CVSS 7.2)
Synacor Zimbra Collaboration Suite (ZCS) — Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability (CVSS 8.8)
Gogs — Gogs Path Traversal Vulnerability (CVSS 8.8)
Versa Concerto — Versa Concerto Improper Authentication Vulnerability (CVSS 7.5)
Prettier eslint-config-prettier — Prettier eslint-config-prettier Embedded Malicious Code Vulnerability (CVSS 7.5)
Apple Multiple Products — Apple Multiple Products WebKit Use-After-Free Vulnerability (CVSS 8.8)
Google Chromium — Google Chromium Out-of-Bounds Memory Access Vulnerability (CVSS 8.8)
OSGeo GeoServer — OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability (CVSS 8.2)
RARLAB WinRAR — RARLAB WinRAR Path Traversal Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Use-After-Free Vulnerability (CVSS 7.8)
Android Framework — Android Framework Privilege Escalation Vulnerability (CVSS 7.8)
MongoDB and MongoDB Server — MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability (CVSS 7.5)
Array Networks ArrayOS AG — Array Networks ArrayOS AG OS Command Injection Vulnerability (CVSS 7.2)
Google Chromium V8 — Google Chromium V8 Type Confusion Vulnerability (CVSS 8.8)
Samsung Mobile Devices — Samsung Mobile Devices Out-of-Bounds Write Vulnerability (CVSS 8.8)
Gladinet CentreStack and Triofox — Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability (CVSS 7.5)
Fortinet FortiWeb — Fortinet FortiWeb OS Command Injection Vulnerability (CVSS 7.2)
Microsoft Windows — Microsoft Windows Race Condition Vulnerability (CVSS 7.0)
Microsoft Windows — Microsoft Windows SMB Client Improper Access Control Vulnerability (CVSS 8.8)
Samsung Mobile Devices — Samsung Mobile Devices Out-of-Bounds Write Vulnerability (CVSS 8.8)
Smartbedded Meteobridge — Smartbedded Meteobridge Command Injection Vulnerability (CVSS 8.8)
Dassault Systèmes DELMIA Apriso — Dassault Systèmes DELMIA Apriso Code Injection Vulnerability (CVSS 8.0)
Broadcom VMware Aria Operations and VMware Tools — Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Untrusted Pointer Dereference Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Improper Access Control Vulnerability (CVSS 7.8)
Oracle E-Business Suite — Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability (CVSS 7.5)
Android Runtime — Android Runtime Use-After-Free Vulnerability (CVSS 8.8)
Cisco IOS and IOS XE — Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability (CVSS 7.7)
Linux Kernel — Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability (CVSS 7.4)
TP-Link Multiple Routers — TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability (CVSS 7.2)
N-able N-Central — N-able N-Central Command Injection Vulnerability (CVSS 8.8)
RARLAB WinRAR — RARLAB WinRAR Path Traversal Vulnerability (CVSS 8.8)
Git — Pre-Auth RCE via Carriage Return in Submodule Path (Linux/macOS) (CVSS 8.0)
N-able N-Central — N-able N-Central Insecure Deserialization Vulnerability (CVSS 7.8)
Microsoft SharePoint — Microsoft SharePoint Code Injection Vulnerability (CVSS 8.8)
Google Chromium — Google Chromium ANGLE and GPU Improper Input Validation Vulnerability (CVSS 8.8)
Google Chromium V8 — Google Chromium V8 Type Confusion Vulnerability (CVSS 8.1)
Citrix NetScaler ADC and Gateway — Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability (CVSS 7.5)
Microsoft Windows — Microsoft Windows External Control of File Name or Path Vulnerability (CVSS 8.8)
Google Chromium V8 — Google Chromium V8 Out-of-Bounds Read and Write Vulnerability (CVSS 8.8)
Qualcomm Multiple Chipsets — Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability (CVSS 8.6)
Qualcomm Multiple Chipsets — Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability (CVSS 8.6)
ConnectWise ScreenConnect — ConnectWise ScreenConnect Improper Authentication Vulnerability (CVSS 8.1)
Qualcomm Multiple Chipsets — Qualcomm Multiple Chipsets Use-After-Free Vulnerability (CVSS 7.5)
FreeType — FreeType Out-of-Bounds Write Vulnerability (CVSS 8.1)
Microsoft Windows — Microsoft Windows DWM Core Library Use-After-Free Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Scripting Engine Type Confusion Vulnerability (CVSS 7.5)
Srimax Output Messenger — Srimax Output Messenger Directory Traversal Vulnerability (CVSS 7.2)
Ivanti EPMM — Remote Code Execution via Spring EL Injection in Feature Usage API, Chained with Auth Bypass for Pre-Auth RCE (CVSS 7.2)
Commvault Web Server — Commvault Web Server Unspecified Vulnerability (CVSS 8.8)
Microsoft Windows — Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability (CVSS 7.8)
reviewdog action-setup GitHub Action — reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability (CVSS 8.6)
tj-actions changed-files GitHub Action — tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability (CVSS 8.6)
Google Chromium Mojo — Google Chromium Mojo Sandbox Escape Vulnerability (CVSS 8.3)
VMware ESXi — VMware ESXi Arbitrary Write Vulnerability (CVSS 8.2)
Fortinet FortiOS and FortiProxy — Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability (CVSS 8.1)
Microsoft Windows — Microsoft Windows Fast FAT File System Driver Integer Overflow Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows NTFS Heap-Based Buffer Overflow Vulnerability (CVSS 7.8)
VMware ESXi, Workstation, and Fusion — VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability (CVSS 7.1)
Microsoft Windows — Microsoft Windows Win32k Use-After-Free Vulnerability (CVSS 7.0)
Microsoft Windows — Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability (CVSS 7.0)
Trimble Cityworks — Trimble Cityworks Deserialization Vulnerability (CVSS 8.8)
Microsoft Power Pages — Microsoft Power Pages Improper Access Control Vulnerability (CVSS 8.2)
Craft CMS — Craft CMS Code Injection Vulnerability (CVSS 8.0)
Microsoft Windows — Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Storage Link Following Vulnerability (CVSS 7.1)
7-Zip — 7-Zip Mark of the Web Bypass Vulnerability (CVSS 7.0)
Microsoft Windows — Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-Based Buffer Overflow Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability (CVSS 7.8)
Synacor Zimbra Collaboration Suite (ZCS) — Stored Cross-Site Scripting via CSS @import in Classic UI (CVSS 6.1)
Apple Multiple Products — Apple Multiple Products Classic Buffer Overflow Vulnerability (CVSS 5.5)
Wing FTP Server — Information Disclosure via Overlong UID Cookie in loginok.html (CVSS 4.3)
SonicWall SMA1000 Appliance — SonicWall SMA1000 Missing Authorization Vulnerability (CVSS 6.6)
Android Framework — Android Framework Information Disclosure Vulnerability (CVSS 5.5)
Zimbra ZCS — Stored XSS via ICS Calendar ontoggle Event, Zero-Day Exploited Against Brazilian Military (CVSS 5.4)
IGEL OS — IGEL OS Use of a Key Past its Expiration Date Vulnerability (CVSS 4.6)
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense — Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability (CVSS 6.5)
Libraesva Email Security Gateway — Libraesva Email Security Gateway Command Injection Vulnerability (CVSS 6.1)
Meta Platforms WhatsApp — Meta Platforms WhatsApp Incorrect Authorization Vulnerability (CVSS 5.4)
Microsoft SharePoint — Microsoft SharePoint Improper Authentication Vulnerability (CVSS 6.5)
TeleMessage TM SGNL — TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability (CVSS 5.3)
TeleMessage TM SGNL — TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability (CVSS 4.0)
Craft CMS — Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability (CVSS 5.3)
Apple Multiple Products — Apple Multiple Products Unspecified Vulnerability (CVSS 4.2)
Broadcom Brocade Fabric OS — Broadcom Brocade Fabric OS Code Injection Vulnerability (CVSS 6.7)
Microsoft Windows — Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability (CVSS 6.5)
Advantive VeraCore — Advantive VeraCore SQL Injection Vulnerability (CVSS 5.8)
Microsoft Windows — Microsoft Windows NTFS Out-of-Bounds Read Vulnerability (CVSS 5.5)
Microsoft Windows — Microsoft Windows NTFS Information Disclosure Vulnerability (CVSS 4.6)
Juniper Junos OS — Juniper Junos OS Improper Isolation or Compartmentalization Vulnerability (CVSS 4.4)
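A list like the one above is a cut of CISA's Known Exploited Vulnerabilities catalog, which is published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and is what a vulnerability-management pipeline should actually consume. The following is an added example, not code from the original page or from CISA: it validates the feed's records, filters them to one year as this page does, matches them against a product inventory and flags entries past their BOD 22-01 due date. The record field names (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse) are those of the published catalog; the sample records, their dates and ransomware flags are constructed for the example, and the CVE IDs in them are placeholders with year 0000, not real assignments. The functions and the substring inventory-matching rule are assumptions of the example. One caveat worth knowing before building on this: the KEV feed carries no CVSS score, so scores like the ones on this page have to be joined in from NVD or the vendor advisory.

```python
"""Added example: reproduce a cut like this page from CISA's KEV feed and
match it against a product inventory. Field names follow the published
catalog JSON; the records below are constructed sample data with
placeholder CVE IDs (year 0000), not real assignments. The feed carries
no CVSS score; scores must be joined from NVD or the vendor separately."""
import json
import re
from datetime import date
from typing import Iterable

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
REQUIRED = ("cveID", "vendorProject", "product", "vulnerabilityName",
            "dateAdded", "dueDate", "knownRansomwareCampaignUse")

# Constructed sample catalog: vendor/product/name strings mirror entries on
# this page; IDs, dates and ransomware flags are made up for the example.
SAMPLE_CATALOG = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Craft CMS", "product": "Craft CMS",
     "vulnerabilityName": "Craft CMS Code Injection Vulnerability",
     "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "SharePoint",
     "vulnerabilityName": "Microsoft SharePoint Deserialization of Untrusted Data Vulnerability",
     "dateAdded": "2025-07-20", "dueDate": "2025-07-21",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Sudo", "product": "Sudo",
     "vulnerabilityName": "Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability",
     "dateAdded": "2025-09-29", "dueDate": "2025-10-20",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0004", "vendorProject": "Fortinet", "product": "FortiOS and FortiProxy",
     "vulnerabilityName": "Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability",
     "dateAdded": "2024-10-09", "dueDate": "2024-10-30",
     "knownRansomwareCampaignUse": "Known"},
]})


def load_catalog(text: str) -> list[dict]:
    """Parse the KEV JSON and reject records that lack a required field or
    carry a malformed CVE ID; a feed that fails here should not be trusted
    silently, since downstream automation keys on these fields."""
    data = json.loads(text)
    vulns = data.get("vulnerabilities")
    if not isinstance(vulns, list):
        raise ValueError("catalog has no 'vulnerabilities' list")
    for v in vulns:
        missing = [k for k in REQUIRED if k not in v]
        if missing:
            raise ValueError(f"{v.get('cveID', '?')}: missing {missing}")
        if not CVE_RE.match(v["cveID"]):
            raise ValueError(f"malformed CVE ID {v['cveID']!r}")
    return vulns


def added_in_year(vulns: Iterable[dict], year: int) -> list[dict]:
    """Entries whose dateAdded falls in the given year (this page's cut)."""
    return [v for v in vulns if date.fromisoformat(v["dateAdded"]).year == year]


def match_inventory(vulns: Iterable[dict], inventory: Iterable[str]) -> list[dict]:
    """Case-insensitive match of inventory names against vendorProject and
    product. Substring matching is deliberately loose so that 'Windows'
    hits 'Microsoft Windows' and 'Cisco' hits 'Cisco Multiple Products';
    the price is a few false positives to triage by hand."""
    needles = [n.lower() for n in inventory]
    hits = []
    for v in vulns:
        hay = f"{v['vendorProject']} {v['product']}".lower()
        if any(n in hay for n in needles):
            hits.append(v)
    return hits


def overdue(vulns: Iterable[dict], today: date) -> list[dict]:
    """Entries past their BOD 22-01 remediation due date, most overdue first."""
    late = [v for v in vulns if date.fromisoformat(v["dueDate"]) < today]
    return sorted(late, key=lambda v: v["dueDate"])


def report(vulns: Iterable[dict]) -> list[str]:
    """One line per entry in the 'vendor product - name' shape of this page."""
    lines = []
    for v in vulns:
        flag = " [ransomware]" if v["knownRansomwareCampaignUse"] == "Known" else ""
        lines.append(f"{v['cveID']}  {v['vendorProject']} {v['product']} - "
                     f"{v['vulnerabilityName']} (added {v['dateAdded']}, "
                     f"due {v['dueDate']}){flag}")
    return lines


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_CATALOG)
    mine = match_inventory(added_in_year(catalog, 2025), ["Microsoft SharePoint", "sudo"])
    for line in report(overdue(mine, date(2025, 12, 31))):
        print(line)
```

To run it against the live catalog, replace SAMPLE_CATALOG with the body of the feed URL above and the inventory list with your own product names; the loose substring match will over-report for a vendor with many products, which is the intended failure direction for a due-date check.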