Executive Summary
In 2025, the Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog by 245 entries, marking a 20% increase and bringing the total to 1,484 vulnerabilities. Notably, 24 of these newly added vulnerabilities were actively exploited in ransomware attacks, targeting products from vendors such as Microsoft, Apple, and Oracle. This surge underscores the escalating threat landscape where attackers rapidly exploit both new and legacy vulnerabilities.
The inclusion of older vulnerabilities, some dating back to 2007, highlights the persistent risk posed by unpatched systems. The rapid weaponization of these vulnerabilities by threat actors emphasizes the critical need for organizations to prioritize timely patching and robust vulnerability management practices to mitigate potential breaches and operational disruptions.
Why This Matters Now
The significant increase in exploited vulnerabilities, particularly those leveraged in ransomware attacks, underscores the urgent need for organizations to enhance their cybersecurity posture. The rapid exploitation of both new and legacy vulnerabilities highlights the importance of timely patching and proactive vulnerability management to prevent potential breaches and operational disruptions.
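The triage step this summary calls for (find which KEV entries matter to your estate and which to patch first), as an added example that is not part of the original report: a Python script that reads a catalog in the shape of CISA's public KEV JSON feed, lists the entries flagged for known ransomware use, finds entries past their due date, shows the age profile of the catalog, and matches entries to a constructed asset inventory by vendor and product. The field names follow the public feed schema; the sample records, due dates, ransomware flags, hosts and versions are all constructed for illustration, and the CVE-2007-0000 id is a placeholder, not a real entry. Note that the KEV feed does not carry affected-version ranges, so a vendor/product hit is a prompt to check the vendor advisory against the asset's version, not a confirmation that the asset is vulnerable.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# public feed schema; the dates, due dates, ransomware flags and descriptions are
# placeholders for illustration, and CVE-2007-0000 is a placeholder id.
KEV_SAMPLE_JSON = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-5777", "vendorProject": "Citrix",
         "product": "NetScaler ADC and Gateway", "dateAdded": "2025-07-10",
         "dueDate": "2025-07-11", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-61882", "vendorProject": "Oracle",
         "product": "E-Business Suite", "dateAdded": "2025-10-06",
         "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-61884", "vendorProject": "Oracle",
         "product": "E-Business Suite", "dateAdded": "2025-10-13",
         "dueDate": "2025-11-03", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2007-0000", "vendorProject": "ExampleVendor",   # placeholder
         "product": "ExampleProduct", "dateAdded": "2025-02-08",
         "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory; versions are illustrative.
INVENTORY = [
    {"host": "edge-gw-01", "vendorProject": "Citrix", "product": "NetScaler", "version": "13.0-84.0"},
    {"host": "erp-app-01", "vendorProject": "Oracle", "product": "E-Business Suite", "version": "12.2.10"},
    {"host": "web-02", "vendorProject": "Apache", "product": "HTTP Server", "version": "2.4.62"},
]


def load_kev(feed_json: str) -> list[dict]:
    """Return the list of vulnerability records from a KEV-shaped JSON document."""
    return json.loads(feed_json)["vulnerabilities"]


def cve_year(cve_id: str) -> int:
    """CVE ids are CVE-<year>-<number>; the year is the middle field."""
    return int(cve_id.split("-")[1])


def ransomware_cves(entries: list[dict]) -> list[str]:
    """CVE ids CISA marks as used in known ransomware campaigns."""
    return sorted(e["cveID"] for e in entries if e.get("knownRansomwareCampaignUse") == "Known")


def overdue(entries: list[dict], today: date) -> list[str]:
    """CVE ids whose remediation due date has already passed."""
    return sorted(e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < today)


def year_histogram(entries: list[dict]) -> dict[int, int]:
    """Count catalog entries by the year in the CVE id, exposing legacy entries."""
    counts: dict[int, int] = {}
    for e in entries:
        y = cve_year(e["cveID"])
        counts[y] = counts.get(y, 0) + 1
    return counts


def prioritize(entries: list[dict], inventory: list[dict]) -> list[tuple]:
    """Match assets to KEV entries on vendor and product, then order the hits:
    ransomware-flagged first, then by earliest due date, then by CVE id.
    Version confirmation is left to the vendor advisory (KEV has no version data)."""
    hits = []
    for asset in inventory:
        for e in entries:
            same_vendor = asset["vendorProject"].lower() == e["vendorProject"].lower()
            same_product = asset["product"].lower() in e["product"].lower()
            if same_vendor and same_product:
                hits.append((e["cveID"], asset["host"], e["knownRansomwareCampaignUse"], e["dueDate"]))
    hits.sort(key=lambda h: (h[2] != "Known", h[3], h[0]))
    return hits


if __name__ == "__main__":
    entries = load_kev(KEV_SAMPLE_JSON)
    print("ransomware-flagged:", ransomware_cves(entries))
    print("overdue as of 2025-10-01:", overdue(entries, date(2025, 10, 1)))
    print("entries by CVE year:", year_histogram(entries))
    for cve, host, rw, due in prioritize(entries, INVENTORY):
        print(f"{cve:16} {host:12} ransomware={rw:8} due={due}")
```

Against a real feed, replace KEV_SAMPLE_JSON with the downloaded catalog and INVENTORY with your CMDB export; the sort key is the point of the script, since it puts ransomware-flagged entries ahead of everything else regardless of CVSS.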
Attack Path Analysis
The attackers exploited a vulnerability in a network edge device to gain initial access. They then escalated privileges by exploiting misconfigured IAM roles. Utilizing valid credentials, they moved laterally across the cloud environment. The attackers established command and control through encrypted channels. They exfiltrated sensitive data to external servers. Finally, they deployed ransomware to encrypt critical data, demanding a ransom for decryption.
Kill Chain Progression
Initial Compromise
Description
The attackers exploited a vulnerability in a network edge device to gain initial access.
Related CVEs
CVE-2025-5777
CVSS 7.5
An information disclosure vulnerability in Citrix NetScaler allows remote attackers to access sensitive data without authentication.
Affected Products: Citrix NetScaler – < 13.0-85.19
Exploit Status: exploited in the wild

CVE-2025-61882
CVSS 9.8
A server-side request forgery (SSRF) vulnerability in Oracle E-Business Suite allows remote attackers to send crafted requests to internal services.
Affected Products: Oracle E-Business Suite – 12.2.9, 12.2.10
Exploit Status: exploited in the wild

CVE-2025-61884
CVSS 7.5
An authentication bypass vulnerability in Oracle E-Business Suite allows remote attackers to gain unauthorized access to the application.
Affected Products: Oracle E-Business Suite – 12.2.9, 12.2.10
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Command and Scripting Interpreter (T1059)
Exploitation of Remote Services (T1210)
Data Encrypted for Impact (T1486)
Impair Defenses (T1562)
Obfuscated Files or Information (T1027)
Inhibit System Recovery (T1490)
Application Layer Protocol (T1071)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical ransomware exposure through network edge devices and encrypted traffic vulnerabilities, requiring immediate zero trust segmentation and egress security implementation.
Financial Services
High-value target for ransomware operators exploiting perimeter devices, necessitating enhanced threat detection, east-west traffic security, and strict compliance controls.
Health Care / Life Sciences
Severe patient data exfiltration risks from KEV catalog vulnerabilities, demanding comprehensive multicloud visibility and encrypted traffic protection for HIPAA compliance.
Government Administration
National security implications from CISA-identified ransomware CVEs targeting government perimeter infrastructure, requiring immediate cloud firewall and anomaly detection deployment.
Sources
- CISA Makes Unpublicized Ransomware Updates to KEV Catalog – https://www.darkreading.com/threat-intelligence/cisa-hidden-ransomware-updates-kev-catalog
- CISA KEV Catalog Expanded 20% in 2025, Topping 1,480 Entries – https://www.securityweek.com/cisa-kev-catalog-expanded-20-in-2025-topping-1480-entries/
- CISA Adds Four Critical Vulnerabilities to KEV Catalog Following Active Exploitation – https://cyberpress.org/cisa-adds-four-critical-vulnerabilities-to-kev-catalog-following-active-exploitation/
- CISA Adds 3 Flaws to KEV Catalog, Impacting AMI MegaRAC, D-Link, Fortinet – https://thehackernews.com/2025/06/cisa-adds-3-flaws-to-kev-catalog.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely reduce the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in network edge devices could likely be constrained, reducing the risk of initial access through such vectors.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges through misconfigured IAM roles could likely be constrained, reducing the risk of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally using valid credentials could likely be constrained, reducing the risk of widespread access within the cloud environment.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control through encrypted channels could likely be constrained, reducing the risk of persistent external communication.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data to external servers could likely be constrained, reducing the risk of data loss.
Mitigation: The attacker's ability to deploy ransomware and encrypt critical data could likely be constrained, reducing the risk of significant data loss and operational disruption.
Impact at a Glance
Affected Business Functions
- Network Security
- Enterprise Resource Planning (ERP)
- Data Management
Estimated downtime: 14 days
Estimated loss: $5,000,000
Sensitive corporate data, including financial records and customer information, potentially exposed due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the cloud environment.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into cloud traffic and detect anomalies.
- Apply East-West Traffic Security to secure internal communications and prevent unauthorized access between workloads.