CISA’s Most Exploited Vulnerabilities in 2025: What Business Owners Need to Understand

The Federal Government Tracks What Attackers Are Using Right Now. Most Business Owners Have Never Seen It.

The Cybersecurity and Infrastructure Security Agency (CISA), the federal body responsible for tracking and responding to cyber threats against U.S. infrastructure, maintains a running list of software weaknesses that attackers are actively using to break into organizations. It is called the Known Exploited Vulnerabilities (KEV) catalog, and it is the most operationally useful threat intelligence document most business owners have never read.

Not theoretical weaknesses. Not academic research. The actual techniques being deployed against real businesses, hospitals, law firms, and government agencies — this quarter, right now.

The catalog runs to hundreds of entries and was written for technical practitioners, so most business owners will never open it. But the intelligence inside it is directly relevant to anyone whose business runs on computers — which is to say, everyone.

This piece translates the most consequential findings from CISA’s 2025 catalog into language a CEO or COO can act on: what is being exploited, why it keeps working, who is most exposed, and the questions you should be demanding answers to from whoever manages your technology.


What Is the CISA Known Exploited Vulnerabilities Catalog?

CISA launched the Known Exploited Vulnerabilities catalog in November 2021, alongside Binding Operational Directive 22-01, to solve a problem the security industry had failed to address for decades: vulnerability disclosures were outpacing organizations’ ability to act on them, and no authoritative signal existed for what demanded urgent attention versus what could wait.

The catalog solves that problem. An entry only makes the list when CISA has confirmed evidence of active exploitation in the wild, meaning an attacker has already used the vulnerability against a real target. BOD 22-01 requires federal civilian agencies to remediate each entry by a due date CISA sets when the entry is added: typically about three weeks, and as little as one week for the most urgent cases. Private organizations are not legally bound by the directive, but treating the catalog as a must-patch list is a widely recommended baseline practice. The catalog is also published as a machine-readable JSON and CSV feed, so it can be consumed by scanners and ticketing systems rather than read by hand.

As of mid-2025, the CISA Known Exploited Vulnerabilities catalog contains over 1,200 entries, and additions have continued at a steady pace through 2024 and into 2025. The catalog now spans vulnerabilities in products from Microsoft, Cisco, Ivanti, Fortinet, Palo Alto Networks, Adobe, Apple, and dozens of other vendors whose software runs inside virtually every business in America.
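The catalog is easiest to act on when it is treated as data. The script below is an added example written for this article, not tooling from CISA or from the page; the feed URL and field names are CISA’s real ones, but the four entries embedded in it are a constructed sample in the feed’s shape with illustrative dates, so it runs offline. It keeps only the vendors an environment actually runs and ranks them by ransomware use and by how far past the federal due date each one is.

```python
import json
from datetime import date, datetime

KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed sample in the shape of the live feed. Field names match the
# real schema; the dateAdded/dueDate values are illustrative placeholders.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-0282", "vendorProject": "Ivanti",
         "product": "Connect Secure, Policy Secure, and ZTA Gateways",
         "dateAdded": "2025-01-08", "dueDate": "2025-01-15",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-55591", "vendorProject": "Fortinet",
         "product": "FortiOS and FortiProxy",
         "dateAdded": "2025-01-14", "dueDate": "2025-01-21",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-21418", "vendorProject": "Microsoft",
         "product": "Windows",
         "dateAdded": "2025-02-11", "dueDate": "2025-03-04",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft",
         "product": "SMBv1",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "knownRansomwareCampaignUse": "Known"},
    ],
})


def load_kev(raw: str) -> list:
    """Parse feed JSON (live or sample) into its list of entries."""
    return json.loads(raw)["vulnerabilities"]


def fetch_live() -> list:
    """Download the live catalog; needs network access, so not called here."""
    from urllib.request import urlopen
    with urlopen(KEV_FEED_URL, timeout=30) as resp:
        return load_kev(resp.read().decode("utf-8"))


def _day(s: str) -> date:
    return datetime.strptime(s, "%Y-%m-%d").date()


def triage(entries: list, vendors_in_use: list, as_of: date) -> list:
    """Keep only entries for vendors the environment actually runs and rank
    them: ransomware-linked first, then by how far past CISA's federal
    due date they are. days_past_due < 0 means the window is still open."""
    wanted = {v.lower() for v in vendors_in_use}
    rows = []
    for e in entries:
        if e["vendorProject"].lower() not in wanted:
            continue
        rows.append({
            "cve": e["cveID"],
            "vendor": e["vendorProject"],
            "product": e["product"],
            "days_in_catalog": (as_of - _day(e["dateAdded"])).days,
            "days_past_due": (as_of - _day(e["dueDate"])).days,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
        })
    rows.sort(key=lambda r: (not r["ransomware"], -r["days_past_due"]))
    return rows


def sample_report(as_of_iso: str = "2025-03-01") -> list:
    """Run the triage over the embedded sample as of the given date."""
    return triage(load_kev(SAMPLE_KEV), ["Fortinet", "Microsoft"], _day(as_of_iso))


if __name__ == "__main__":
    # Swap load_kev(SAMPLE_KEV) for fetch_live() to run against the real catalog.
    for r in sample_report():
        tag = "[RANSOMWARE] " if r["ransomware"] else ""
        print(f"{tag}{r['cve']} {r['vendor']} {r['product']}: "
              f"{r['days_in_catalog']}d in catalog, {r['days_past_due']:+d}d vs due date")
```

The vendor filter is deliberately crude; in practice the match should be against an asset inventory of products and versions, not vendor names, which is the visibility problem discussed later in the article.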


CISA Most Exploited Vulnerabilities 2025: What’s Being Targeted


Network Edge Devices Are Ground Zero

The single dominant pattern in 2025 catalog additions: attackers have shifted focus from endpoint devices — laptops, desktops — to the network perimeter. The firewalls, remote access gateways, and VPN appliances that sit at the edge of your environment and control who connects to what.

Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways, widely deployed remote access platforms across mid-market and enterprise environments, accumulated a striking number of catalog entries in late 2024 continuing into 2025. CVE-2025-0282, a critical stack-based buffer overflow in Ivanti Connect Secure that allows unauthenticated remote code execution, was added to the catalog in January 2025 after CISA confirmed active exploitation. It was exploited as a zero-day: attackers were using it in December 2024, before any patch existed. Ivanti disclosed a second, lower-severity flaw in the same advisory, CVE-2025-0283, a local privilege escalation fixed in the same release, but only CVE-2025-0282 carried evidence of exploitation at the time and only it was added to the catalog.

Fortinet’s FortiGate firewall platform, one of the most widely deployed perimeter appliances among small and mid-sized businesses, saw CVE-2024-55591, an authentication bypass in FortiOS and FortiProxy that Fortinet rated 9.6 out of 10, added to the catalog in January 2025. Threat intelligence firms reported a mass-exploitation campaign that began in mid-November 2024, roughly two months before the vulnerability was publicly disclosed, so it too was exploited as a zero-day. The flaw was reached through the administrative web interface, which is why the devices that got hit were the ones whose management interface was reachable from the internet.

Palo Alto Networks’ PAN-OS firewall operating system was hit by CVE-2025-0108, another authentication bypass, this one in the management web interface, added to the catalog in February 2025. Within days of the patch release, multiple threat intelligence firms reported widespread exploitation attempts against exposed devices. As with the Fortinet flaw, exploitation requires reaching the management interface, so a firewall whose management plane is restricted to an internal administrative network is far harder to attack, and one whose management plane faces the internet is a direct target.

The pattern is not coincidental. Network edge devices are high-value targets for two reasons. They are internet-facing by design, which means they are reachable without any user interaction. And once compromised, they give an attacker a privileged position inside your network before your security tools can detect anything: these appliances rarely run endpoint detection agents, so the usual telemetry is missing, and a compromised remote access gateway lets an attacker move through your environment with sessions and credentials that look entirely legitimate.

Microsoft Windows: The Baseline Continues to Fail

The 2025 catalog additions include a steady stream of Microsoft Windows vulnerabilities — many in components that organizations have been slow to patch because the systems running them are considered too critical to take offline.

CVE-2025-21418, a privilege escalation vulnerability in the Windows Ancillary Function Driver for WinSock, was added in February 2025 after Microsoft confirmed active exploitation. Privilege escalation flaws are typically used as the second step in an attack chain: an attacker who gained initial access through a phishing email or stolen credential uses it to elevate their permissions to administrator level, at which point they control the machine entirely.

CVE-2025-21391, a Windows Storage vulnerability enabling the same type of escalation, was confirmed in the same February 2025 update cycle. Two actively exploited Windows flaws, both confirmed in real attacks, in a single monthly update window.

Older Vulnerabilities Still Being Exploited in 2025

The most troubling signal in the catalog is not the new entries — it is the age of some entries still seeing active exploitation years after patches were released.

CVE-2017-0144, the vulnerability behind the WannaCry ransomware campaign, first cataloged during the 2021 launch, continues to be exploited against environments that have never applied the patch Microsoft released in March 2017. More than eight years after a patch existed. In 2025.

This is not an anomaly. CISA and partner joint advisories on major ransomware groups repeatedly list exploitation of known, already-patched vulnerabilities in internet-facing systems as a leading initial-access method. The FBI Internet Crime Complaint Center’s 2024 report, released in spring 2025, recorded over $16.6 billion in cybercrime losses reported by U.S. victims, a figure the FBI acknowledges understates reality due to underreporting. That report does not break losses down by intrusion method, but the ransomware incidents behind many of the most damaging cases routinely begin with exploitation of a vulnerability for which a patch had long been available.


Who Is Most Exposed

The honest answer: any organization without a disciplined, systematic approach to vulnerability management. Industry vertical matters less than operational maturity.

That said, certain characteristics create meaningfully higher exposure:

  • Remote workforce reliance. If your employees connect to company resources from home or while traveling, you almost certainly have a remote access gateway sitting at your perimeter — exactly the category of device accumulating the most critical catalog entries in 2025. The question is not whether you have one. The question is whether it was patched within days of a catalog addition, or whether it has been sitting exposed for weeks or months.
  • Deferred patching cycles. Many organizations patch monthly or quarterly because patching disrupts operations. Attackers move the same day catalog entries are published — sometimes before, in the case of zero-days. An organization patching monthly is running with a permanent window of exposure that attackers know about and actively target.
  • Fragmented technology environments. Organizations that have accumulated technology over the years without systematic oversight — a firewall from one vendor, remote access from another, collaboration tools from a third, none of them actively monitored — are especially exposed because no one owns the complete picture of what is running and what needs attention.
  • No external-facing visibility. Many organizations have no mechanism to identify which of their internet-facing systems are running vulnerable software versions. Without that visibility, you cannot prioritize or respond to catalog additions — you don’t know if you’re affected. The NIST National Vulnerability Database provides detailed technical records for every vulnerability referenced in the catalog and is a useful cross-reference for understanding severity scores and affected software versions.
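The last bullet is the one that can be checked mechanically. The script below is an added example written for this article, not a tool from the page, from CISA, or from any vendor. It takes a constructed inventory of internet-facing appliances (hostnames and running versions are made up) and compares each firmware version with the fixed version for the CVEs discussed above. The fixed-version thresholds are stated from the vendor advisories as I understand them and are an assumption to confirm against those advisories before relying on them. The point the code makes is that appliance version strings are not semantic versions, so a naive comparison gets the answer wrong, and that a branch the fix table does not cover must be reported as unknown rather than silently treated as safe.

```python
import re

# Fixed versions per release branch for the CVEs this article discusses.
# ASSUMPTION to verify against the vendor advisories before use. Branches not
# listed here are deliberately reported as unknown rather than assumed safe.
FIXED_IN = {
    "CVE-2024-55591": {"FortiOS": {"7.0": "7.0.17"}},
    "CVE-2025-0282": {"Ivanti Connect Secure": {"22.7": "22.7R2.5"}},
    "CVE-2025-0108": {"PAN-OS": {"11.1": "11.1.6-h1"}},
}


def version_key(v: str) -> tuple:
    """Vendor versions are not semver. Every run of digits becomes one
    integer component: '7.0.16' -> (7,0,16), '22.7R2.4' -> (22,7,2,4),
    '11.1.6-h1' -> (11,1,6,1). Integer tuples compare correctly where a
    plain string comparison would call '7.0.9' newer than '7.0.17', and a
    base release sorts below its own hotfix because its tuple is shorter."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def branch(v: str) -> str:
    """Release branch the fix tables are keyed on: the first two numbers."""
    k = version_key(v)
    return f"{k[0]}.{k[1]}"


def assess(asset: dict) -> list:
    """Return (cve, status) pairs for every CVE naming this asset's product.
    status is 'vulnerable', 'fixed', or 'unknown-branch' when the fix table
    has no entry for the running branch (so nobody reads silence as safe)."""
    findings = []
    running = asset["version"]
    for cve, products in FIXED_IN.items():
        fixes = products.get(asset["product"])
        if fixes is None:
            continue
        fixed = fixes.get(branch(running))
        if fixed is None:
            findings.append((cve, "unknown-branch"))
        elif version_key(running) < version_key(fixed):
            findings.append((cve, "vulnerable"))
        else:
            findings.append((cve, "fixed"))
    return findings


# Constructed inventory; hostnames and versions are made up for the example.
INVENTORY = [
    {"host": "vpn.example.com", "product": "Ivanti Connect Secure", "version": "22.7R2.4"},
    {"host": "fw-edge",   "product": "FortiOS", "version": "7.0.17"},
    {"host": "fw-branch", "product": "FortiOS", "version": "7.0.9"},
    {"host": "pa-dc",     "product": "PAN-OS",  "version": "11.1.6"},
    {"host": "pa-old",    "product": "PAN-OS",  "version": "10.1.14"},
]


def action_list(inventory: list) -> list:
    """Hosts that need a patch or a manual check, as (host, cve, status)."""
    out = []
    for asset in inventory:
        for cve, status in assess(asset):
            if status != "fixed":
                out.append((asset["host"], cve, status))
    return out


if __name__ == "__main__":
    for host, cve, status in action_list(INVENTORY):
        print(f"{host:16} {cve:16} {status}")
```

The inventory this runs over has to come from the devices themselves (their reported version, confirmed from the outside by a scan), not from a spreadsheet of what someone believes is deployed; the gap between those two is exactly the blind spot the bullet above describes.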

Why Patching Alone Is Not Sufficient

Patching is necessary. It is not sufficient. That distinction matters when you are setting expectations with whoever manages your technology.

Three realities complicate a patch-everything strategy:

Zero-days exist. Multiple 2025 catalog additions — including the Ivanti and Fortinet vulnerabilities above — were exploited before patches existed. No patching speed protects you from a zero-day. What protects you is detection: the ability to identify anomalous behavior in your environment even when you don’t yet know what the attacker used to get in.

Patch deployment takes time. Even in well-run organizations, testing a patch for compatibility, staging it, and deploying it across all affected systems takes days to weeks. The window between a catalog addition and a completed deployment is a period of real exposure. Network segmentation, access controls, and behavioral monitoring fill that gap.

Not everything can be patched immediately. Legacy applications, custom-built software, and certain operational environments can’t always accept patches without breaking critical business functions. In those cases, compensating controls — network isolation, enhanced monitoring, additional authentication layers — are the only available defense until a patching path exists.

This is why the industry has moved from talking about “patch management” to “vulnerability management” — a broader discipline that treats asset inventory, continuous scanning, risk-based prioritization, detection capability, and incident response planning as interconnected parts of a single program, not separate tasks.
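The detection side of that argument can be made concrete. The rules below are an added example written for this article, not the page’s or any vendor’s tooling. They run over a constructed sample of appliance administration logs: the key=value line format and the addresses are invented, and the admin-network allowlist is an assumed policy. The three behaviours flagged are the kind an authentication bypass or a stolen administrator credential leaves behind regardless of which CVE was used: an administrative login from outside the allowed admin network, a success that follows a burst of failures from the same source, and the creation of a new administrator account.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed policy: administrative logins are only legitimate from this range.
ADMIN_NETS = [ip_network("10.0.0.0/8")]
# A success preceded by this many consecutive failures from one source is
# treated as a guessed or sprayed credential.
FAIL_BURST = 5

# Constructed sample log. The key=value layout is invented for the example,
# not a vendor format; 203.0.113.0/24 is a documentation address range.
SAMPLE_LOG = """\
2025-01-16T02:14:07Z host=fw-edge event=admin_login user=admin src=10.0.5.20 result=success
2025-01-16T02:15:11Z host=fw-edge event=admin_login user=admin src=203.0.113.9 result=failure
2025-01-16T02:15:12Z host=fw-edge event=admin_login user=admin src=203.0.113.9 result=failure
2025-01-16T02:15:13Z host=fw-edge event=admin_login user=admin src=203.0.113.9 result=failure
2025-01-16T02:15:14Z host=fw-edge event=admin_login user=admin src=203.0.113.9 result=failure
2025-01-16T02:15:15Z host=fw-edge event=admin_login user=admin src=203.0.113.9 result=failure
2025-01-16T02:15:16Z host=fw-edge event=admin_login user=admin src=203.0.113.9 result=success
2025-01-16T02:16:02Z host=fw-edge event=admin_create user=svc_backup2 src=203.0.113.9 result=success
2025-01-16T03:00:00Z host=fw-edge event=admin_login user=admin src=10.0.5.20 result=success
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Split 'timestamp k=v k=v ...' into a dict with the timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    rec.update(KV.findall(rest))
    return rec


def from_admin_net(src: str) -> bool:
    """True when the source address falls inside the assumed admin allowlist."""
    return any(ip_address(src) in net for net in ADMIN_NETS)


def detect(log_text: str) -> list:
    """Run the three rules over the log and return (rule, ts, detail) alerts."""
    alerts = []
    fails = defaultdict(int)  # consecutive failures keyed by (host, src)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        key = (r["host"], r["src"])
        if r["event"] == "admin_login":
            if r["result"] != "success":
                fails[key] += 1
                continue
            if fails[key] >= FAIL_BURST:
                alerts.append(("failures_then_success", r["ts"],
                               f"{r['user']} from {r['src']} after {fails[key]} failures"))
            fails[key] = 0
            if not from_admin_net(r["src"]):
                alerts.append(("admin_login_outside_allowlist", r["ts"],
                               f"{r['user']} from {r['src']}"))
        elif r["event"] == "admin_create":
            # New admin accounts are rare, high-impact events; always surface them.
            alerts.append(("admin_account_created", r["ts"],
                           f"{r['user']} created by session from {r['src']}"))
    return alerts


if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_LOG):
        print(f"{ts} {rule}: {detail}")
```

Rules like these are only trustworthy if the appliance forwards its logs to a collector the attacker cannot reach: someone with root on the device can edit or suppress local logs, so remote syslog to a separate system is the compensating control that makes the detection mean anything.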


What This Means in Practice for Business Technology

The CISA Known Exploited Vulnerabilities catalog is not an abstract government document. It is a live feed of the attack techniques that will be used against businesses this week, next week, and next month. Organizations that treat it as a prioritized action list are operating with materially better security posture than those that don’t.

At Xact IT Solutions, we have maintained a zero client breach record across more than two decades of managing technology environments for businesses. That record is not accidental. It is the result of treating vulnerability management as a continuous operational discipline — not a periodic checkbox. Our environments are built to minimize exposure at the perimeter and to surface anomalous activity at the earliest possible stage, because the question is not whether attackers will attempt to exploit your environment. They will. The question is whether they succeed.

The businesses that come to us after a difficult experience elsewhere share a common history: their previous IT firm treated patching as a background task, had no visibility into the external attack surface, and had no detection capability that would have surfaced an intrusion before it became a breach or a ransomware event.


Five Questions to Ask Your IT Firm Today

If you manage a business that runs on technology — which is all of them — these are the questions you should be able to get straight answers to from whoever oversees your environment:

  1. Do you track CISA’s Known Exploited Vulnerabilities catalog, and what is your patching timeline for critical entries? A credible answer names a specific timeframe — typically 24 to 72 hours for critical entries affecting internet-facing systems. “We patch monthly” is not a credible answer for this category of vulnerability.
  2. Do you have continuous visibility into our external attack surface? Your IT firm should be able to tell you, at any given moment, what systems you are exposing to the internet and what software versions they are running. If they can’t answer immediately, you have a blind spot.
  3. What would you know if an attacker used a zero-day against us? This question gets at detection capability — the ability to identify an intrusion even when the method wasn’t yet known. The answer should involve behavioral monitoring and anomaly detection. “Our antivirus would catch it” is not an answer.
  4. When did you last audit our remote access infrastructure? Given the concentration of catalog entries targeting remote access gateways and perimeter appliances in 2025, this specific category deserves explicit, recurring attention — not a one-time review.
  5. How would we know if we had already been compromised? Many intrusions persist undetected for weeks or months before an attacker activates ransomware or moves data. A credible IT firm has a specific answer to this question. “Our antivirus would catch it” is, again, not that answer.

CISA Most Exploited Vulnerabilities 2025: What It Comes Down To

The CISA Known Exploited Vulnerabilities catalog is among the most useful threat intelligence available to any organization — and it is public, free, and updated continuously. The businesses that avoid serious security incidents over the next 12 to 24 months will be the ones whose technology environments treat it as a live operational input, not an occasional reference.

The 2025 additions tell a clear story: attackers are targeting perimeter devices with increasing sophistication, exploiting zero-days before patches exist, and continuing to successfully exploit vulnerabilities that have had patches available for years. The defense posture that works against this combines patching speed, continuous external visibility, behavioral detection capability, and a team that treats federal threat intelligence as a minimum floor — not a ceiling.

If you are not certain your environment is being managed to that standard, the most productive next step is an honest, structured look at where you actually stand.

Reserve Your Business Technology Growth & Risk Assessment to get a clear picture of your current exposure — and what it would take to close the gaps.

Xact IT Solutions
  • info@xitx.com
  • +1 856-282-4100
  • 1 Executive Drive Suite 100 Marlton NJ 08053

Copyright © 2026. Website Design by Xact IT Solutions