CISA Known Exploited Vulnerabilities (KEV)
CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilities actively used in real-world attacks. CVEFeed.io tracks the latest additions so you can prioritize remediation as new entries are published.
7.8
CVE-2025-62221 - Microsoft Windows Use After Free Vulnerability
Action Due Dec 30, 2025 Target Vendor : Microsoft
Description : Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-62221 ; https://nvd.nist.gov/vuln/detail/CVE-2025-62221
9.8
CVE-2025-66644 - Array Networks ArrayOS AG OS Command Injection Vulnerability
Action Due Dec 29, 2025 Target Vendor : Array Networks
Description : Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/ag.html ; https://www.jpcert.or.jp/at/2025/at250024.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-66644
9.8
CVE-2022-37055 - D-Link Routers Buffer Overflow Vulnerability
Action Due Dec 29, 2025 Target Vendor : D-Link
Description : D-Link Routers contain a buffer overflow vulnerability that has a high impact on confidentiality, integrity, and availability. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10308 ; https://nvd.nist.gov/vuln/detail/CVE-2022-37055
10.0
CVE-2025-55182 - Meta React Server Components Remote Code Execution Vulnerability
Action Due Dec 12, 2025 Target Vendor : Meta
Description : Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025-55182.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Known Detected Feb 26, 2026
Notes : Check for signs of potential compromise on all internet accessible REACT instances after applying mitigations. For more information, please see: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components ; https://github.com/vercel-labs/fix-react2shell-next?tab=readme-ov-file ; https://nvd.nist.gov/vuln/detail/CVE-2025-55182
8.8
CVE-2021-26828 - OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability
Action Due Dec 24, 2025 Target Vendor : OpenPLC
Description : OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://github.com/SCADA-LTS/Scada-LTS/pull/2174 ; https://nvd.nist.gov/vuln/detail/CVE-2021-26828
7.8
CVE-2025-48633 - Android Framework Information Disclosure Vulnerability
Action Due Dec 23, 2025 Target Vendor : Android
Description : Android Framework contains an unspecified vulnerability that allows for information disclosure.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://source.android.com/docs/security/bulletin/2025-12-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48633
7.8
CVE-2025-48572 - Android Framework Privilege Escalation Vulnerability
Action Due Dec 23, 2025 Target Vendor : Android
Description : Android Framework contains an unspecified vulnerability that allows for privilege escalation.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://source.android.com/docs/security/bulletin/2025-12-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48572
5.4
CVE-2021-26829 - OpenPLC ScadaBR Cross-site Scripting Vulnerability
Action Due Dec 19, 2025 Target Vendor : OpenPLC
Description : OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://github.com/SCADA-LTS/Scada-LTS/pull/3211 ; https://nvd.nist.gov/vuln/detail/CVE-2021-26829
9.8
CVE-2025-61757 - Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability
Action Due Dec 12, 2025 Target Vendor : Oracle
Description : Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://www.oracle.com/security-alerts/cpuoct2025.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-61757
8.8
CVE-2025-13223 - Google Chromium V8 Type Confusion Vulnerability
Action Due Dec 10, 2025 Target Vendor : Google
Description : Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-13223
7.2
CVE-2025-58034 - Fortinet FortiWeb OS Command Injection Vulnerability
Action Due Nov 25, 2025 Target Vendor : Fortinet
Description : Fortinet FortiWeb contains an OS command injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://fortiguard.fortinet.com/psirt/FG-IR-25-513 ; https://nvd.nist.gov/vuln/detail/CVE-2025-58034
9.8
CVE-2025-64446 - Fortinet FortiWeb Path Traversal Vulnerability
Action Due Nov 21, 2025 Target Vendor : Fortinet
Description : Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://www.fortiguard.com/psirt/FG-IR-25-910 ; https://nvd.nist.gov/vuln/detail/CVE-2025-64446
9.8
CVE-2025-9242 - WatchGuard Firebox Out-of-Bounds Write Vulnerability
Action Due Dec 03, 2025 Target Vendor : WatchGuard
Description : WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015 ; https://nvd.nist.gov/vuln/detail/CVE-2025-9242
7.0
CVE-2025-62215 - Microsoft Windows Race Condition Vulnerability
Action Due Dec 03, 2025 Target Vendor : Microsoft
Description : Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-62215 ; https://nvd.nist.gov/vuln/detail/CVE-2025-62215
9.1
CVE-2025-12480 - Gladinet Triofox Improper Access Control Vulnerability
Action Due Dec 03, 2025 Target Vendor : Gladinet
Description : Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://access.triofox.com/releases_history ; https://nvd.nist.gov/vuln/detail/CVE-2025-12480
9.8
CVE-2025-21042 - Samsung Mobile Devices Out-of-Bounds Write Vulnerability
Action Due Dec 01, 2025 Target Vendor : Samsung
Description : Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04 ; https://nvd.nist.gov/vuln/detail/CVE-2025-21042
7.5
CVE-2025-11371 - Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
Action Due Nov 25, 2025 Target Vendor : Gladinet
Description : Gladinet CentreStack and Triofox contain a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://www.centrestack.com/p/gce_latest_release.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-11371
9.0
CVE-2025-48703 - CWP Control Web Panel OS Command Injection Vulnerability
Action Due Nov 25, 2025 Target Vendor : CWP
Description : CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://control-webpanel.com/changelog ; https://nvd.nist.gov/vuln/detail/CVE-2025-48703
9.8
CVE-2025-24893 - XWiki Platform Eval Injection Vulnerability
Action Due Nov 20, 2025 Target Vendor : XWiki
Description : XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j ; https://nvd.nist.gov/vuln/detail/CVE-2025-24893
7.8
CVE-2025-41244 - Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability
Action Due Nov 20, 2025 Target Vendor : Broadcom
Description : Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.
Action : Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known To Be Used in Ransomware Campaigns? : Unknown
Notes : https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149 ; https://nvd.nist.gov/vuln/detail/CVE-2025-41244