65% of manufacturing companies have at least one vulnerability listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog.

CVEs added to CISA KEV jumped 80% in H1 2025.

26.9% of KEVs first seen in 1H-2025 were still awaiting analysis by NIST.

The top five categories for KEVs in 1H-2025 are: Content Management Systems (CMS): 86 KEVs, with a significant volume attributed to WordPress Plug-ins; Network Edge Devices: 77 KEVs; Server Software: 61 KEVs; Open Source Software: 55 KEVs; and Operating Systems: 38 KEVs.

Vendors with Highest Number of KEVs in 1H-2025: Microsoft: 32 KEVs, with 26 of these being for Windows; Cisco: 10 KEVs; Apple OS: 6 KEVs; Totolink Networking Devices: 6 KEVs; and VMware: 6 KEVs.

In 2H-2024, 44 KEVs were attributed to the North Korean cyber group Silent Chollima.

Reports of KEVs associated with China and North Korea decreased in 1H-2025, while reports associated with Russia and Iran increased.

In 2H-2024, 66 KEVs were attributed to the Chinese threat actor Flax Typhoon (AKA Ethereal Panda).

In 1H-2025, 29 KEVs were attributed to Iranian threat actors.

4.4% of KEVs are in a deferred status by NIST, meaning they are no longer maintained or updated

32.1% of vulnerabilities (Known Exploited Vulnerabilities - KEVs) had exploitation evidence on or before the day of their CVE disclosure, often indicating zero-day exploitation. This marks an 8.5% increase in the percentage of KEVs exploited on or before disclosure compared to 23.6% in 2024.

90 third-party vendors are flagged with high-risk threat categories. Among these, 35 vendors are marked with Known Exploited Vulnerabilities (KEV) tags.

75% of organisations have BMS affected by known exploited vulnerabilities (KEVs).

Within organisations affected by KEVS that are also linked to ransomware and are insecurely connected to the internet, 2% of devices contain the same high level of risk, meaning they are essential to business operations and are operating at the highest level of risk exposure

Of the organisations affected by KEVs, 51% are affected by KEVs that are also linked to ransomware and are insecurely connected to the internet.

9% of IoMT devices contain confirmed KEVs in their systems, impacting 99% of organisations.

89% of healthcare organisations have the top 1% of riskiest IoMT devices on their networks, which contain known exploitable vulnerabilities (KEVs) linked to active ransomware campaigns and an insecure connection to the internet.

1% of IoMT devices carry KEVs linked to active ransomware campaigns and insecure internet connectivity, impacting 89% of organisations.

8% of imaging systems (X-rays, CT scans, MRI, ultrasound, and more) have KEVs linked to ransomware and insecure internet connectivity, making this the riskiest medical device category and impacting 85% of organisations.

20% of HIS (hospital information systems), which manage clinical patient data, as well as administrative and financial information, have KEVs linked to ransomware and insecure internet connectivity, impacting 58% of organisations