Known Exploited Vulnerabilities (KEV)

CISA Catalog

Known Exploited Vulnerabilities

· Live CISA DataCISA KEV catalog — vulnerabilities with active exploitation requiring federal remediation

Data sourced from the official CISA Known Exploited Vulnerabilities Catalog. Federal agencies are required to remediate these vulnerabilities by the due date per BOD 22-01.

KEV Entries

1,619

Ransomware Use

327

Overdue

1,615

Vendors

266

Products

655

4 results · Page 1/1

CVE-2026-22719Overdue

Due: 2026-03-24
Added: 2026-03-03

Broadcom VMware Aria Operations Command Injection Vulnerability

Broadcom · VMware Aria Operations

Broadcom VMware Aria Operations formerly known as vRealize Operations (vROps) contains a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands, potentially leading to remote code execution during support‑assisted product migration.

Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2024-37079Overdue

Due: 2026-02-13
Added: 2026-01-23

Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability

Broadcom · VMware vCenter Server

Broadcom VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. This could allow a malicious actor with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution.

CVE-2025-41244Overdue

Due: 2025-11-20
Added: 2025-10-30

Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability

Broadcom · VMware Aria Operations and VMware Tools

Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2025-1976Overdue

Due: 2025-05-19
Added: 2025-04-28

Broadcom Brocade Fabric OS Code Injection Vulnerability

Broadcom · Brocade Fabric OS

Broadcom Brocade Fabric OS contains a code injection vulnerability that allows a local user with administrative privileges to execute arbitrary code with full root privileges.

Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.