Ransomware Attacks Have Surged 30% Since Q4 2025

Paul Shread, Blog – Cyble

4 February 2026, 09:39


Ransomware groups claimed more than 2,000 attacks in the last three months of 2025 – and they’re starting 2026 at the same elevated pace. 

Cyble recorded 2,018 claimed attacks by ransomware groups in the fourth quarter of 2025, an average of just under 673 a month. The threat groups maintained that pace in January 2026, claiming 679 ransomware victims. 

By comparison, in the first nine months of 2025, ransomware groups averaged 512 claimed victims a month, so the trend in the last four months has been more than 30% above the previous nine-month period. The chart below shows ransomware attacks by month since 2021. 

[Figure: ransomware attacks by year, 2021-2026]

Qilin Leads All Ransomware Groups as CL0P Returns 

Qilin once again led all ransomware groups, with 115 claimed attacks in January. A resurgent CL0P has claimed scores of victims in the last two weeks, yet as of this writing had provided no technical details on the group’s latest campaign. Akira once again remained among the leaders with 76 claimed victims, while newcomers Sinobi and The Gentlemen rounded out the top five (chart below). 

[Figure: ransomware groups distribution, January 2026]

The U.S. once again was the most attacked country by a significant margin, accounting for just under half of all ransomware attacks in January (chart below). The UK and Australia experienced higher-than-usual attack volumes; CL0P’s recent campaign was a factor in both of those increases. 

[Figure: ransomware attacks by country, January 2026]

Construction, professional services, and manufacturing continue to lead the sectors hit by ransomware attacks, likely due to opportunistic threat actors targeting vulnerable environments (chart below). The IT industry also remains a frequent target of ransomware groups, likely due to the rich target the sector represents and the potential to pivot into downstream customer environments.

[Figure: ransomware attacks by industry, January 2026]

Recent Ransomware Attacks 

Here are some of the most significant ransomware attacks that occurred in January, several of which had supply chain implications. Additional details will be provided in Cyble’s forthcoming January 2026 Threat Landscape Report, which will be published in the Research Reports section. 

As CL0P tends to claim victims in clusters, such as its exploitation of Oracle E-Business Suite flaws that helped drive supply chain attacks to records in October, new campaigns by the group are noteworthy. Among the claimed victims in the latest campaign have been 11 Australia-based companies spanning a broad range of sectors such as IT and IT services, banking and financial services (BFSI), construction, hospitality, professional services, and healthcare.  

Other claimed victims have included a U.S.-based IT services and staffing company, a global hotel company, a major media firm, a UK payment processing company, and a Canada-based mining company engaged in platinum group metals production. 

The Everest ransomware group claimed responsibility for breaching a major U.S. manufacturer of telecommunications networking equipment and claimed to have exfiltrated 11 GB of data. Everest claims the data includes PDF documents containing sensitive engineering materials, such as electrical schematics, block diagrams, and service subsystem documentation.  

Additional directories reportedly contain .brd files, which are printed circuit board (PCB) layout files detailing information critical to hardware manufacturing and replication. The group also shared multiple samples showing internal directories, engineering blueprints, and 3D design-related materials. 

The Qilin ransomware group claimed responsibility for breaching a U.S.-based airport authority responsible for managing commercial aviation operations and related services. The group shared 16 data samples as proof-of-compromise. The materials suggest access to financial documents, telehealth-related reports, internal email correspondence, scanned identification documents, non-disclosure agreements (NDAs), and other confidential agreements, suggesting exposure of sensitive administrative and operational information. 

The Sinobi ransomware group claimed a breach of an India-based IT services company providing digital transformation, cloud, ERP, and managed services. The threat group alleges the theft of more than 150 GB of data, including contracts, financial records, and customer data. Samples shared by the attackers indicate access to internal infrastructure, including Microsoft Hyper-V servers, multiple virtual machines, backups, and storage volumes. 

The Rhysida ransomware group claimed responsibility for breaching a U.S. company providing life sciences and biotechnology instrumentation and solutions. According to the threat group, the allegedly stolen data has already been sold, though no information was provided regarding the buyer or the price at which the dataset was advertised.  

The victim was listed as directly sold rather than placed under a traditional negotiation or countdown model. Despite this, samples remain accessible and indicate exposure of email correspondence, engineering blueprints, project documentation, and non-disclosure agreements (NDAs), suggesting compromise of both technical and corporate information. 

The RansomHouse extortion group claimed responsibility for breaching a China-based electronics manufacturing company providing precision components and assembly services for global technology and automotive manufacturers. As evidence, RansomHouse published documentation indicating access to extensive proprietary engineering and production-related data. The shared materials reference confidential 3D CAD models (STEP/PRT), 2D CAD drawings (DWG/DXF), engineering documentation, printed circuit board (PCB) design data, Gerber files, electrical and layout architecture data, and manufacturing drawings. Notably, the group claims the compromised archives contain data associated with multiple major technology and automotive companies. 

INC Ransom claimed responsibility for breaching a Hong Kong–based manufacturer supplying precision components to the global electronics and automotive industries. According to the group, approximately 200 GB of data was allegedly exfiltrated. The claimed dataset reportedly includes client-related information associated with more than a dozen major global brands, plus confidential contracts and project documentation for at least three major IT companies. 

The Qilin ransomware group claimed responsibility for breaching a Taiwan-based company operating in the semiconductor and electronics manufacturing sector. According to the group, approximately 275 GB of data was allegedly exfiltrated. Based on the file tree information shared by Qilin, the dataset reportedly consists of 19,822 directories and 177,551 files, suggesting broad access to internal systems. 

The Nitrogen ransomware group leaked more than 71 GB of data allegedly stolen from a U.S. company providing engineered components and systems for the automotive industry. According to the threat group, the exposed data includes sensitive corporate and technical information such as CAD drawings, accounts payable and receivable records, invoices, and balance sheet documentation. To substantiate its claims, Nitrogen published selected project blueprints and shared a file tree indicating the alleged theft of approximately 116,180 files, suggesting broad access to internal engineering and financial systems. 

The Anubis ransomware group claimed responsibility for breaching an Italian government authority responsible for the management, regulation, and development of regional maritime port operations. According to the group, the compromised data includes incident and safety reports, logistics and operational data, port infrastructure layouts, audit results, internal reports, and business correspondence. 

New Ransomware Groups 

Among new ransomware groups that have emerged recently, Green Blood has launched an onion-based data leak site. While the group has not yet publicly named specific victims, it claims that affected organizations are located in India, Senegal, and Colombia. The group provides TOX ID and email-based communication channels for victim contact. Notably, malware samples associated with Green Blood have been observed in the wild. The ransomware encrypts files using the “.tgbg” extension and drops a ransom note titled “!!!READ_ME_TO_RECOVER_FILES!!!.txt”.
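The two Green Blood indicators above (the “.tgbg” extension and the ransom note filename) are the kind of thing a detection rule can key on. The following is an added example, not code from Cyble’s post: it scans a constructed file-creation event feed and flags a host when the note is dropped or when several “.tgbg” files appear within a short window, which catches mass encryption before the note lands. The event format, host names, paths and thresholds are all assumptions made for the example.

```python
"""Detection logic for the Green Blood indicators (added example, not Cyble's
code): scan file-creation events for the ".tgbg" extension and the
"!!!READ_ME_TO_RECOVER_FILES!!!.txt" ransom note, flagging a host either when
the note appears or when ".tgbg" creations burst within a sliding window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

GREEN_BLOOD_EXT = ".tgbg"
GREEN_BLOOD_NOTE = "!!!READ_ME_TO_RECOVER_FILES!!!.txt"

# Constructed sample telemetry, "timestamp|host|action|path" (not real events).
SAMPLE_EVENTS = """\
2026-01-14T09:00:01|WS-017|CREATE|C:\\Users\\ana\\Documents\\budget.xlsx
2026-01-14T09:00:05|WS-017|CREATE|C:\\Users\\ana\\Documents\\notes.txt
2026-01-14T09:12:00|WS-042|CREATE|C:\\Users\\joao\\Desktop\\report.docx.tgbg
2026-01-14T09:12:01|WS-042|CREATE|C:\\Users\\joao\\Desktop\\photo.jpg.tgbg
2026-01-14T09:12:01|WS-042|CREATE|C:\\Users\\joao\\Desktop\\q4.pptx.tgbg
2026-01-14T09:12:02|WS-042|CREATE|C:\\Users\\joao\\Desktop\\!!!READ_ME_TO_RECOVER_FILES!!!.txt
2026-01-14T10:30:00|WS-099|CREATE|C:\\Temp\\archive.tgbg
"""


def parse_event(line):
    """Split one 'timestamp|host|action|path' record (assumed format)."""
    ts, host, action, path = line.split("|", 3)
    return datetime.fromisoformat(ts), host, action, path


def basename(path):
    """Last path component; handles Windows and POSIX separators regardless of host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def detect_green_blood(lines, burst_threshold=3, window=timedelta(seconds=60)):
    """Return {host: [reasons]} for hosts showing Green Blood indicators.

    A single ".tgbg" file is not enough on its own (a stray artifact could
    exist); `burst_threshold` creations within `window` on one host is.
    The ransom note filename is treated as a hit by itself.
    """
    findings = defaultdict(list)
    recent = defaultdict(deque)  # host -> timestamps of recent ".tgbg" creations
    for line in lines:
        if not line.strip():
            continue
        ts, host, action, path = parse_event(line)
        if action != "CREATE":
            continue
        name = basename(path)
        if name == GREEN_BLOOD_NOTE:
            findings[host].append(f"ransom note dropped: {path}")
        if name.lower().endswith(GREEN_BLOOD_EXT):
            q = recent[host]
            q.append(ts)
            while q and ts - q[0] > window:   # drop events outside the window
                q.popleft()
            if len(q) == burst_threshold:     # fire once when the burst is reached
                findings[host].append(
                    f"{burst_threshold} '{GREEN_BLOOD_EXT}' files created within {window.seconds}s")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in detect_green_blood(SAMPLE_EVENTS.splitlines()).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

On the constructed sample only WS-042 is flagged: the burst fires on its third “.tgbg” file and the note is reported separately, while the single “.tgbg” file on WS-099 stays below the threshold.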

A new ransomware-as-a-service (RaaS) operation named DataKeeper has surfaced, promoting an updated affiliate model referred to as CrystalPartnership RaaS. The group claims this approach improves trust by splitting ransom payments directly between the operator’s and affiliate’s Bitcoin addresses at the time of payment, removing reliance on centralized payout handling. DataKeeper is advertised as a Windows-focused ransomware toolkit. The operation claims to use a hybrid encryption scheme combining symmetric file encryption with RSA-4096 key protection, unique per-build identifiers, and TOR-based payment links. Encryption and decryption workflows are tied to a victim-specific ID, with decryption requiring delivery of a key file following payment.  

The group emphasizes operational features such as in-memory execution, multithreaded encryption, optional shadow copy removal, network share targeting, and evading security controls. 

The threat actor (TA) MonoLock announced a new RaaS operation on the RAMP cybercrime forum (the forum has since been seized by the FBI). MonoLock’s core design is based on Beacon Object Files (BoF), enabling full in-memory execution, reduced payload exposure, and centralized control from a single post-exploitation command-and-control (C2) instance without dropping files.  

While BoF usage is common in Windows environments, MonoLock introduced a custom Linux ELF-based BoF loader, derived from the TrustedSec ELFLoader, adding chained execution, command packing, encryption, and in-memory deployment. The group promotes a “Zero Panel” extortion model, explicitly rejecting leak sites and Tor-based negotiation panels.  

MonoLock claims that avoiding public extortion infrastructure reduces law enforcement exposure and leverages silence as negotiation pressure, minimizing reputational damage for victims. Affiliates are recruited under a 20% revenue share with a USD 500 registration fee, alongside a limited referral program running from January 11 to March 31. 

Conclusion 

The persistently high level of ransomware attacks – and the emergence of new ransomware groups eager to compete on features and price – highlight the urgent need for security teams to adopt a defense-in-depth cyber strategy. Cybersecurity best practices that can help build resilience against attacks include: 

  • Protecting web-facing assets. 

  • Segmenting networks and critical assets. 

  • Hardening endpoints and infrastructure. 

  • Strong access controls, allowing no more access than is required, with frequent verification. 

  • A strong source of user identity and authentication, including multi-factor authentication and biometrics, as well as machine authentication with device compliance and health checks. 

  • Encryption of data at rest and in transit. 

  • Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible. 

  • Honeypots that lure attackers to fake assets for early breach detection. 

  • Proper configuration of APIs and cloud service connections. 

  • Monitoring for unusual and anomalous activity with SIEM, Active Directory monitoring, endpoint security, and data loss prevention (DLP) tools. 

  • Routinely assessing and confirming controls through audits, vulnerability scanning, and penetration tests. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. 

Additionally, Cyble’s third-party risk intelligence can help organizations carefully vet partners and suppliers, providing an early warning of potential risks. 

The post Ransomware Attacks Have Surged 30% Since Q4 2025 appeared first on Cyble.

Critical Infrastructure Attacks Became Routine for Hacktivists in 2025

Paul Shread, Blog – Cyble

20 January 2026, 08:53


Hacktivists moved well beyond their traditional DDoS attacks and website defacements in 2025, increasingly targeting industrial control systems (ICS), ransomware, breaches, and data leaks, as their sophistication and alignment with nation-state interests grew. 

That was one of the conclusions in Cyble’s exhaustive new 2025 Threat Landscape report, from which this blog was adapted. 

Looking ahead to 2026 and beyond, Cyble expects critical infrastructure attacks by hacktivists to continue to grow, increasing use of custom tools by hacktivists, and deepening alignment between nation-state interests and hacktivists. 

ICS Attacks by Hacktivists Surge 

Between December 2024 and December 2025, several hacktivist groups increased their focus on ICS and operational technology (OT) attacks. Z-Pentest was the most active actor, conducting repeated intrusions against a wide range of industrial technologies. Dark Engine (Infrastructure Destruction Squad) and Sector 16 persistently targeted ICS, primarily exposing Human Machine Interfaces (HMI). 

A secondary tier of groups, including Golden Falcon Team, NoName057(16), TwoNet, RipperSec, and Inteid, also claimed to have conducted recurrent ICS-disrupting attacks, albeit on a smaller scale. 

HMI and web-based Supervisory Control and Data Acquisition (SCADA) interfaces were the most frequently targeted systems, followed by a limited number of Virtual Network Computing (VNC) compromises, which posed the greatest operational risks to several industries. 

Building Management System (BMS) platforms and Internet of Things (IoT) or edge-layer controllers were also targeted in increasing numbers, reflecting the broader exploitation of weakly secured IoT interfaces. 

Europe remained the primary region affected by pro-Russian hacktivist groups, with sustained targeting of Spain, Italy, the Czech Republic, France, Poland, and Ukraine contributing to the highest concentration of ICS-related intrusions. 

The Intersection of State Interests and Hacktivism 

State-aligned hacktivist activity remained persistent throughout 2025. Operation Eastwood (14–17 July) disrupted NoName057(16)’s DDoS infrastructure, prompting swift retaliatory attacks from the hacktivist group. The group rapidly rebuilt capacity and resumed operations against Ukraine, the EU, and NATO, underscoring the resilience of state-directed ecosystems. 

U.S. indictments and sanctions further exposed alleged structured cooperation between Russian intelligence services and pro-Kremlin hacktivist fronts. The Justice Department detailed GRU-backed financing and tasking of the Cyber Army of Russia Reborn (CARR), as well as the state-sanctioned development of NoName057(16)’s DDoSia platform. 

Z-Pentest, identified as part of the same CARR ecosystem and attributed to GRU, continued targeting EU and NATO critical infrastructure, reinforcing the convergence of activist personas, state mandates, and operational doctrine. 

Pro-Ukrainian hacktivist groups, though not formally state-directed, conducted sustained, destructive operations against networks linked to the Russian military. The BO Team and the Ukrainian Cyber Alliance conducted several data destruction and wiper attacks, encrypting key Russian businesses and state machinery. Ukrainian actors repeatedly stated that exfiltrated datasets were passed to national intelligence services. 

Hacktivist groups Cyber Partisans BY (Belarus) and Silent Crow claimed a year-long Tier-0 compromise of Aeroflot’s IT environment, allegedly exfiltrating more than 20TB of data, sabotaging thousands of servers, and disrupting core airline systems, a breach that Russia’s General Prosecutor confirmed caused significant operational outages and flight cancellations. 

Research into BQT.Lock (BaqiyatLock) suggests a plausible ideological alignment with Hezbollah, as evidenced by narrative framing and targeting posture. However, no verifiable technical evidence has confirmed a direct organizational link. 

Cyb3r Av3ngers, associated with the Islamic Revolutionary Guard Corps (IRGC), struck critical infrastructure assets, including electrical networks and water utilities in Israel, the United States, and Ireland. After being banned on Telegram, the group resurfaced under the alias Mr. Soul Team. 

Tooling and capability development by hacktivist groups also grew significantly in 2025. Observed activities have included: 

  • Notable growth in custom tool creation (e.g., BQT Locker and associated utilities), including the adoption of ransomware as a hacktivist mechanism. 

  • Actors are increasingly using AI-generated text and imagery for propaganda and spreading misinformation and disinformation. 

  • Tool promotion and marketing is becoming an emerging driver fueling hacktivism. 


Hacktivist Sightings Surged 51% in 2025 

In 2025, hacktivism evolved into a globally coordinated threat, closely tracking geopolitical flashpoints. Armed conflicts, elections, trade disputes, and diplomatic crises fueled intensified campaigns against state institutions and critical infrastructure, with hacktivist groups weaponizing cyber-insurgency to advance their propaganda agendas. 

Pro-Ukrainian, pro-Palestinian, pro-Iranian, and other nationalist groups launched ideologically driven campaigns tied to the Russia-Ukraine War, the Israel-Hamas conflict, Iran-Israel tensions, South Asian tensions, and the Thailand-Cambodia border crisis. Domestic political unrest in the Philippines and Nepal triggered sustained attacks on government institutions. 

Cyble recorded a 51% increase in hacktivist sightings in 2025, from 700,000 in 2024 to 1.06 million in 2025, with the bulk of activity focused on Asia and Europe (chart below). 

[Figure: hacktivist sightings by region, 2024 and 2025]

Pro-Russian state-aligned hacktivists and pro-Palestinian, anti-Israel collectives continued to be the primary drivers of hacktivist activity throughout 2025, shaping the operational tempo and geopolitical focus of the threat landscape. 

Alongside these dominant ecosystems, Cyble observed a marked increase in operations by Kurdish hacktivist groups and emerging Cambodian clusters, both of which conducted campaigns closely aligned with regional strategic interests. 

Below are some of the major hacktivist groups of 2025: 

[Figure: major hacktivist groups of 2025]

India, Ukraine, and Israel were the countries most impacted by hacktivist activity in 2025 (country breakdown below). 

[Figure: countries most impacted by hacktivist activity in 2025]

Among global regions targeted, Europe and NATO faced a sustained pro-Russian campaign marked by coordinated DDoS attacks, data leaks, and escalating ICS intrusions against NATO and EU member states. Government & LEA, Energy & Utilities, Manufacturing, and Transportation were consistent targets. 

In the Middle East, Israel remains the principal target amid the Gaza conflict-related escalation, Iran-Israel confrontation, and Yemen-Saudi hostilities. Saudi Arabia, UAE, Egypt, Jordan, Iraq, Syria, and Yemen faced sustained DDoS attacks, defacements, data leaks, and illicit access to exposed ICS assets from ideologically aligned coalitions operating across the region. 

In South Asia, India-Pakistan and India-Bangladesh tensions fueled high-volume, ideologically framed offensives, peaking around political flashpoints and militant incidents. Activity concentrated on Government & LEA, BFSI, Telecommunication, and Education. 

In Southeast Asia, border tensions and domestic unrest shaped a fragmented but active theatre: Thailand-Cambodia conflicts triggered reciprocal DDoS and defacements; Indonesia & Malaysia incidents stemmed from political and social disputes; the Philippines saw attacks linked to internal instability; and Taiwan emerged as a recurring target for pro-Russian actors.  

Below are some of the major hacktivist campaigns of 2025: 

[Figure: major hacktivist campaigns of 2025]

Most Impacted Industries and Sectors 

2025 witnessed a marked expansion of hacktivist focus across multiple industries. Government & LEA, Energy & Utilities, Education, IT & ITES, Transportation & Logistics, and Manufacturing experienced the most pronounced growth in targeting, driving the year’s overall increase in operational activity. 

The dataset also reveals a broadened attack surface, with several new or significantly expanded categories, including Agriculture & Livestock, Food & Beverages, Hospitality, Construction, Automotive, and Real Estate. 

Government & LEA was the most impacted sector by a wide margin, followed by Energy & Utilities (chart below). 

[Figure: most impacted sectors of 2025]

The Evolution of Hacktivism 

Hacktivism has evolved into a geopolitically charged, ICS-focused threat, continuing to exploit exposed OT environments and increasingly weaponizing ransomware as a protest mechanism. 

In 2026, hacktivists and cybercriminals will increasingly target exposed HMI/SCADA systems and VNC takeovers, aided by public PoCs and automated scanning templates, creating ripple effects across the energy, water, transportation, and healthcare sectors. 

Hacktivists and state actors will increasingly employ financially motivated tactics and appearances. State actors in Iran, Russia, and North Korea will increasingly adopt RaaS platforms to fund operations and maintain plausible deniability. Critical infrastructure attacks in Taiwan, the Baltic states, and South Korea will appear financially motivated while serving geopolitical objectives, complicating attribution and response. 

Critical assets should be isolated from the Internet wherever possible, and operational technology (OT) and IT networks should be segmented and protected with Zero Trust access controls. Vulnerability management, along with network and endpoint monitoring and hardening, is another critical cybersecurity best practice. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today. 


Ransomware and Supply Chain Attacks Soared in 2025

Paul Shread, Blog – Cyble

16 January 2026, 05:22


Overview 

Ransomware and supply chain attacks soared in 2025, and persistently elevated attack levels suggest that the global threat landscape will remain perilous heading into 2026. 

Cyble recorded 6,604 ransomware attacks in 2025, up 52% from the 4,346 attacks claimed by ransomware groups in 2024. The year ended with a near-record 731 ransomware attacks in December, second only to February 2025’s record totals (chart below). 

Supply chain attacks nearly doubled in 2025, as Cyble dark web researchers recorded 297 supply chain attacks claimed by threat groups in 2025, up 93% from 154 such events in 2024 (chart below). As ransomware groups are consistently behind more than half of supply chain attacks, the two attack types have become increasingly linked. 

While supply chain attacks have declined in the two months since October’s record, they remain above even the elevated trend that began in April 2025.

We’ll take a deeper look at ransomware and supply chain attack data, including targeted sectors and regions, attack trends, and leading threat actors. Some of the data and insights come from Cyble’s new Annual Threat Landscape Report covering cybercrime, ransomware, vulnerabilities, and other 2025-2026 cyber threat trends. 

Qilin Dominated After RansomHub Declined 

Qilin emerged as the leading ransomware group in April after RansomHub went offline amid possible sabotage by rival Dragonforce. Qilin has remained on top in every month but one since, and was once again the top ransomware group in December with 190 claimed victims (December chart below). 

December was also noteworthy for the long-awaited resurgence of Lockbit and the continued emergence of Sinobi.

For full-year 2025, Qilin dominated, claiming 17% of all ransomware victims (full-year chart below). Of the top five ransomware groups in 2025, only Akira and Play also made the top five in 2024, as RansomHub, Lockbit and Hunters all fell from the top five. Lockbit was hampered by repeated law enforcement actions, while Hunters announced it was shutting down in mid-2025. 

Cyble documented 57 new ransomware groups and 27 new extortion groups in 2025, including emerging leaders like Sinobi and The Gentlemen. Over 350 new ransomware strains were discovered in 2025, largely based on the MedusaLocker, Chaos, and Makop ransomware families. 

Among newly emerged ransomware groups, Cyble observed heightened attacks on critical infrastructure industries (CII), especially in Government & LEA and Energy & Utilities, by groups such as Devman, Sinobi, Warlock, and Gunra. Several newly emerged groups targeted the software supply chain, among them RALord/Nova, Warlock, Sinobi, The Gentlemen, and BlackNevas, with a particular focus on the IT & ITES, Technology, and Transportation & Logistics sectors. 

Cl0p’s Oracle E-Business Suite vulnerability exploitation campaign led to a supply-chain impact on more than 118 entities globally, including those in the IT & ITES sector. Among these, six entities from the critical infrastructure industries (CII) were observed to have fallen victim to this exploitation campaign. The Fog ransomware group also leaked multiple GitLab source codes from several IT companies. 

The U.S. remains by far the most frequent target of ransomware groups, accounting for 55% of ransomware attacks in 2025 (chart below). Canada, Germany, the UK, Italy, and France were also consistent targets for ransomware groups.


Construction, professional services, and manufacturing were consistently the sectors most targeted by ransomware groups, with healthcare and IT rounding out the top five (chart below). 

Supply Chain Attacks Hit Every Industry and Sector in 2025 

Every sector tracked by Cyble was hit by a software supply chain attack in 2025 (chart below), but because of the rich target they represent and their significant downstream customer base, the IT and Technology sectors were by far the most frequently targeted, accounting for more than a third of supply chain attacks. 

Supply chain intrusions in 2025 expanded far beyond traditional package poisoning, targeting cloud integrations, SaaS trust relationships, and vendor distribution pipelines. 

Adversaries are increasingly abusing upstream services—such as identity providers, package registries, and software delivery channels—to compromise downstream environments on a large scale. 

A few examples highlighting the evolving third-party risk landscape include: 

Attacks targeting Salesforce data via third-party integrations did not modify code; instead, they weaponized trust between SaaS platforms, illustrating how OAuth-based integrations can become high-impact supply chain vulnerabilities when third-party tokens have been compromised. 

The nation-state group Silk Typhoon intensified operations against IT and cloud service providers, exploiting VPN zero-days, password-spraying attacks, and misconfigured privileged access systems. After breaching upstream vendors such as MSPs, remote-management platforms, or PAM service providers, the group pivoted into customer environments via inherited admin credentials, compromised service principals, and high-privilege cloud API permissions. 

A China-aligned APT group, PlushDaemon, compromised the distribution channel of a South Korean VPN vendor, replacing legitimate installers with a trojanized version bundling the SlowStepper backdoor. The malicious installer, delivered directly from the vendor’s website, installed both the VPN client and a modular surveillance framework supporting credential theft, keylogging, remote execution, and multimedia capture. By infiltrating trusted security software, the attackers gained persistent access to organizations relying on the VPN for secure remote connectivity, turning a defensive tool into an espionage vector. 

Conclusion 

The significant supply chain and ransomware threats facing security teams as we enter 2026 require a renewed focus on cybersecurity best practices that can help protect against a wide range of cyber threats. These practices include: 

  • Protecting web-facing assets. 

  • Segmenting networks and critical assets. 

  • Hardening endpoints and infrastructure. 

  • Strong access controls, allowing no more access than is required, with frequent verification. 

  • A strong source of user identity and authentication, including multi-factor authentication and biometrics, as well as machine authentication with device compliance and health checks. 

  • Encryption of data at rest and in transit. 

  • Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible. 

  • Honeypots that lure attackers to fake assets for early breach detection. 

  • Proper configuration of APIs and cloud service connections. 

  • Monitoring for unusual and anomalous activity with SIEM, Active Directory monitoring, endpoint security, and data loss prevention (DLP) tools. 

  • Routinely assessing and confirming controls through audits, vulnerability scanning, and penetration tests. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Additionally, Cyble’s third-party risk intelligence can help organizations carefully vet partners and suppliers, providing an early warning of potential risks. 

The post Ransomware and Supply Chain Attacks Soared in 2025 appeared first on Cyble.

CISA Known Exploited Vulnerabilities Surged 20% in 2025 

Paul Shread, Blog – Cyble

2 January 2026, 07:21

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 245 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in 2025, as the database grew to 1,484 software and hardware flaws at high risk of cyberattacks. 

The agency removed at least one vulnerability from the catalog in 2025 – CVE-2025-6264, a Velociraptor Incorrect Default Permissions vulnerability that CISA determined had insufficient evidence of exploitation – but the database has generally grown steadily since its launch in November 2021. 

After the initial surge of additions that followed the catalog's launch, growth stabilized in 2023 and 2024, with 187 vulnerabilities added in 2023 and 185 in 2024. 

Growth accelerated in 2025, however, as CISA added 245 vulnerabilities to the KEV catalog, an increase of more than 30% above the trend seen in 2023 and 2024. With new vulnerabilities surging in recent weeks, the elevated exploitation trend may well continue into 2026. 

Overall, CISA KEV vulnerabilities grew from 1,239 vulnerabilities at the end of 2024 to 1,484 at the end of 2025, an increase of just under 20%. 

We’ll look at some of the trends and vulnerabilities from 2025 – including 24 vulnerabilities known to be exploited by ransomware groups – along with the vendors and projects that had the most CVEs added to the list this year. 

Older Vulnerabilities Added to CISA KEV Also Grew 

The addition of older vulnerabilities to the CISA KEV catalog also grew in 2025. In 2023 and 2024, 60 to 70 older vulnerabilities were added to the KEV catalog each year. In 2025, the number of vulnerabilities from 2024 and earlier added to the catalog grew to 94, a 34% increase from a year earlier. 

The oldest vulnerability added to the KEV catalog in 2025 was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability. 

The oldest vulnerability in the catalog remains one from 2002 – CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used in ransomware attacks.  

Vulnerabilities Used in Ransomware Attacks 

CISA marked 24 of the vulnerabilities added in 2025 as known to be exploited by ransomware groups. They include some well-known flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities exploited by the CL0P ransomware group. 

The full list of vulnerabilities newly flagged as exploited by ransomware groups in 2025 is included below; security teams should prioritize any that are not yet patched. 

Vulnerabilities Exploited by Ransomware Groups (added to CISA KEV in 2025) 

CVE ID            Vulnerability 
CVE-2025-5777     Citrix NetScaler ADC and Gateway Out-of-Bounds Read 
CVE-2025-31161    CrushFTP Authentication Bypass 
CVE-2019-6693     Fortinet FortiOS Use of Hard-Coded Credentials 
CVE-2025-24472    Fortinet FortiOS and FortiProxy Authentication Bypass 
CVE-2024-55591    Fortinet FortiOS and FortiProxy Authentication Bypass 
CVE-2025-10035    Fortra GoAnywhere MFT Deserialization of Untrusted Data 
CVE-2025-22457    Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow 
CVE-2025-0282     Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow 
CVE-2025-55182    Meta React Server Components Remote Code Execution 
CVE-2025-49704    Microsoft SharePoint Code Injection 
CVE-2025-49706    Microsoft SharePoint Improper Authentication 
CVE-2025-53770    Microsoft SharePoint Deserialization of Untrusted Data 
CVE-2025-29824    Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free 
CVE-2025-26633    Microsoft Windows Management Console (MMC) Improper Neutralization 
CVE-2018-8639     Microsoft Windows Win32k Improper Resource Shutdown or Release 
CVE-2024-55550    Mitel MiCollab Path Traversal 
CVE-2024-41713    Mitel MiCollab Path Traversal 
CVE-2025-61884    Oracle E-Business Suite Server-Side Request Forgery (SSRF) 
CVE-2025-61882    Oracle E-Business Suite Unspecified 
CVE-2023-48365    Qlik Sense HTTP Tunneling 
CVE-2025-31324    SAP NetWeaver Unrestricted File Upload 
CVE-2024-57727    SimpleHelp Path Traversal 
CVE-2024-53704    SonicWall SonicOS SSLVPN Improper Authentication 
CVE-2025-23006    SonicWall SMA1000 Appliances Deserialization 
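Every figure in this post (additions per year, older CVEs added, the ransomware flag behind the table above, and the vendor and CWE tallies in the sections that follow) can be derived from fields in CISA's public KEV JSON feed. The script below is an added example, not Cyble's tooling: it parses a constructed sample document in the feed's schema (the field names are the catalog's own; the CVE IDs and values are placeholders) so that it runs offline, and the same functions work on the live feed at the URL in KEV_FEED_URL. The overdue check uses the feed's dueDate field, the BOD 22-01 remediation deadline for U.S. federal agencies.

```python
"""Derive the KEV tallies reported in this post from the catalog's JSON feed.

Added example, not Cyble's tooling. The real feed is KEV_FEED_URL; to keep the
example offline it parses SAMPLE_FEED, a constructed document in the same
schema (field names are the catalog's; the records are placeholders).
"""
import json
from collections import Counter
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample. CVE IDs and values are illustrative, not real catalog rows.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2025-12-31T00:00:00.0000Z",
    "count": 7,
    "vulnerabilities": [
        {"cveID": "CVE-2025-0001", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Windows Use-After-Free Vulnerability", "dateAdded": "2025-04-08",
         "dueDate": "2025-04-29", "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-416"]},
        {"cveID": "CVE-2025-0002", "vendorProject": "Microsoft", "product": "SharePoint",
         "vulnerabilityName": "SharePoint Deserialization Vulnerability", "dateAdded": "2025-07-20",
         "dueDate": "2025-07-21", "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-502"]},
        {"cveID": "CVE-2025-0003", "vendorProject": "Fortinet", "product": "FortiOS",
         "vulnerabilityName": "FortiOS OS Command Injection Vulnerability", "dateAdded": "2025-02-11",
         "dueDate": "2025-03-04", "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-78"]},
        {"cveID": "CVE-2007-0004", "vendorProject": "Microsoft", "product": "Office",
         "vulnerabilityName": "Office Remote Code Execution Vulnerability", "dateAdded": "2025-02-18",
         "dueDate": "2025-03-11", "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-787"]},
        {"cveID": "CVE-2024-0005", "vendorProject": "Oracle", "product": "E-Business Suite",
         "vulnerabilityName": "E-Business Suite SSRF Vulnerability", "dateAdded": "2025-10-20",
         "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-918"]},
        {"cveID": "CVE-2024-0006", "vendorProject": "Ivanti", "product": "Connect Secure",
         "vulnerabilityName": "Connect Secure Path Traversal Vulnerability", "dateAdded": "2024-11-05",
         "dueDate": "2024-11-26", "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-22"]},
        {"cveID": "CVE-2023-0007", "vendorProject": "Fortinet", "product": "FortiProxy",
         "vulnerabilityName": "FortiProxy OS Command Injection Vulnerability", "dateAdded": "2024-01-09",
         "dueDate": "2024-01-30", "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-78"]},
    ],
})


def load_kev(feed_text: str) -> list:
    """Return the catalog's vulnerabilities array from the feed document."""
    return json.loads(feed_text)["vulnerabilities"]


def cve_year(cve_id: str) -> int:
    """Year component of a CVE ID (CVE-YYYY-NNNN)."""
    return int(cve_id.split("-")[1])


def added_in(entries, year: int) -> list:
    """Entries whose dateAdded falls in `year`."""
    return [e for e in entries if e["dateAdded"].startswith(f"{year}-")]


def older_additions(entries, year: int) -> list:
    """Entries added in `year` whose CVE ID was assigned in an earlier year."""
    return [e for e in added_in(entries, year) if cve_year(e["cveID"]) < year]


def ransomware_known(entries) -> list:
    """Entries CISA has flagged as used in ransomware campaigns."""
    return [e for e in entries if e.get("knownRansomwareCampaignUse") == "Known"]


def overdue(entries, today: date) -> list:
    """Entries whose BOD 22-01 remediation due date has already passed."""
    return [e for e in entries if date.fromisoformat(e["dueDate"]) < today]


def summarize(feed_text: str, year: int) -> dict:
    """The post's headline numbers for `year`, computed from the feed."""
    entries = load_kev(feed_text)
    this_year, prev_year = added_in(entries, year), added_in(entries, year - 1)
    growth = (len(this_year) - len(prev_year)) * 100 / len(prev_year) if prev_year else None
    return {
        "total": len(entries),
        "added": len(this_year),
        "added_prev_year": len(prev_year),
        "growth_pct": growth,
        "older_cves": len(older_additions(entries, year)),
        "oldest_added": min(this_year, key=lambda e: cve_year(e["cveID"]))["cveID"] if this_year else None,
        "ransomware": sorted(e["cveID"] for e in ransomware_known(this_year)),
        "by_vendor": Counter(e["vendorProject"] for e in this_year).most_common(),
        "by_cwe": Counter(c for e in this_year for c in e.get("cwes", [])).most_common(),
    }


if __name__ == "__main__":
    # Replace SAMPLE_FEED with the body fetched from KEV_FEED_URL to run on the live catalog.
    for key, value in summarize(SAMPLE_FEED, 2025).items():
        print(f"{key}: {value}")
```

Note that `older_additions` keys on the CVE ID's year, the same convention the post uses for "older vulnerabilities", and that `cwes` is a list, so one entry can count toward several weakness categories in the CWE tally.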

Projects and Vendors with the Highest Number of Exploited Vulnerabilities 

Microsoft once again led all vendors and projects in CISA KEV additions, with 39 vulnerabilities added to the database in 2025, up from 36 in 2024. 

Several vendors and projects had fewer vulnerabilities added in 2025 than in 2024, which may reflect improved security controls, although KEV additions also track where attackers chose to focus. Among the vendors and projects that saw a decline in KEV additions in 2025 were Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware. 

Eleven vendors and projects had five or more KEV vulnerabilities added this year; they are listed below. 

Vendor/project  CISA KEV additions in 2025 
Microsoft  39 
Apple 
Cisco 
Fortinet 
Google Chromium 
Ivanti 
Linux Kernel 
Citrix 
D-Link 
Oracle 
SonicWall 

Most Common Software Weaknesses Exploited in 2025 

Eight software and hardware weaknesses (common weakness enumerations, or CWEs) were particularly prominent among the 2025 KEV additions. The list is similar to last year, although CWE-787, CWE-79, and CWE-94 are new to the list this year. 

  • CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – was again the most common weakness among vulnerabilities added to the KEV database, accounting for 18 of the 245 vulnerabilities added in 2025. 

  • CWE-502 – Deserialization of Untrusted Data – again came in second, occurring in 14 of the vulnerabilities. 

  • CWE-22 – Improper Limitation of a Pathname to a Restricted Directory, or ‘Path Traversal’ – moved up to third place with 13 appearances. 

  • CWE-416 – Use After Free – slipped a spot to fourth and was behind 11 of the vulnerabilities. 

  • CWE-787 – Out-of-bounds Write – was a factor in 10 of the vulnerabilities. 

  • CWE-79 – Cross-site Scripting – appeared 7 times. 

  • CWE-94 (Code Injection) and CWE-287 (Improper Authentication) occurred 6 times each. 
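For the development teams the conclusion asks to track these weaknesses, the two most common categories above, CWE-78 and CWE-22, are easiest to understand as a defect beside its fix. The block below is an added example and not code from the post: `echo` stands in for whatever external command an application shells out to, the hostname allowlist pattern is an assumption, and the files and directory it reads are constructed in a temporary directory so that the traversal is real but harmless.

```python
"""Vulnerable and hardened forms of CWE-78 (OS command injection) and CWE-22
(path traversal). Added example, not code from the post. `echo` stands in for
whatever command an application runs; the allowlist regex is an assumption."""
import re
import subprocess
import tempfile
from pathlib import Path

HOST_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}")  # assumed allowlist for a hostname


# --- CWE-78: OS command injection --------------------------------------------
def echo_vulnerable(user_input: str) -> str:
    """String concatenation + shell=True: /bin/sh interprets metacharacters in
    user_input, so 'x; <cmd>' runs a second command. Kept only to show the defect."""
    return subprocess.run("echo " + user_input, shell=True,
                          capture_output=True, text=True).stdout


def echo_argv(user_input: str) -> str:
    """Argument vector, no shell: the input is a single argv element and is
    printed literally, whatever characters it contains."""
    return subprocess.run(["echo", user_input], capture_output=True, text=True).stdout


def validate_host(user_input: str) -> str:
    """Second layer: reject anything outside the allowlist at the trust boundary."""
    if not HOST_RE.fullmatch(user_input):
        raise ValueError(f"rejected input: {user_input!r}")
    return user_input


# --- CWE-22: path traversal --------------------------------------------------
def read_vulnerable(base: Path, name: str) -> str:
    """Joins an attacker-controlled name onto the base directory with no check,
    so '../secret.txt' walks out of it."""
    return (base / name).read_text()


def read_hardened(base: Path, name: str) -> str:
    """Resolve both paths (this also follows symlinks) and require the target
    to remain inside the base directory."""
    root = base.resolve()
    target = (root / name).resolve()
    if not target.is_relative_to(root):
        raise PermissionError(f"{name!r} escapes {root}")
    return target.read_text()


def demo() -> dict:
    """Exercise each form against constructed inputs and report what happened."""
    results = {}
    injected = "hello; echo INJECTED"
    results["cwe78_vulnerable"] = echo_vulnerable(injected)   # second command ran
    results["cwe78_argv"] = echo_argv(injected)               # printed literally
    try:
        validate_host(injected)
        results["cwe78_allowlist"] = "accepted"
    except ValueError:
        results["cwe78_allowlist"] = "rejected"

    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        base = tmp / "uploads"
        base.mkdir()
        (base / "report.txt").write_text("quarterly report")
        (tmp / "secret.txt").write_text("db password")       # lives outside base
        results["cwe22_vulnerable"] = read_vulnerable(base, "../secret.txt")
        try:
            read_hardened(base, "../secret.txt")
            results["cwe22_hardened"] = "leaked"
        except PermissionError:
            results["cwe22_hardened"] = "blocked"
        results["cwe22_hardened_clean"] = read_hardened(base, "report.txt")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The argv form alone stops the injection; the allowlist is a second, independent layer that also catches values that are merely malformed. For the traversal check, resolving both sides before the containment test matters: a bare string comparison on the joined path misses `..` segments and symlinks, both of which `Path.resolve()` collapses.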

Conclusion 

CISA’s Known Exploited Vulnerabilities catalog remains a valuable tool for helping IT security teams prioritize patching and vulnerability management efforts. 

The CISA KEV catalog can also alert organizations to third-party risks – although by the time a vulnerability gets added to the database, it’s become an urgent problem requiring immediate attention. Third-party risk management (TPRM) solutions could provide earlier warnings about partner risk through audits and other tools. 

Finally, software and application development teams should monitor CISA KEV additions to gain awareness of common software weaknesses that threat actors routinely target. 

Take control of your vulnerability risk today — book a personalized demo to see how CISA KEV impacts your organization. 

The post CISA Known Exploited Vulnerabilities Surged 20% in 2025 appeared first on Cyble.
