Known Exploited Vulnerabilities Catalog

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.

How to use the KEV Catalog

The KEV catalog is also available in these formats:

CSV
JSON
JSON Schema (updated 06-25-2024)
Print View
License

VMware | ESXi and Workstation

CVE-2025-22224

VMware ESXi and Workstation TOCTOU Race Condition Vulnerability: VMware ESXi and Workstation contain a time-of-check time-of-use (TOCTOU) race condition vulnerability that leads to an out-of-bounds write. Successful exploitation enables an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.

Related CWE: CWE-367

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Date Added: 2025-03-04
Due Date: 2025-03-25

Additional Notes

VMware | ESXi

CVE-2025-22225

VMware ESXi Arbitrary Write Vulnerability: VMware ESXi contains an arbitrary write vulnerability. Successful exploitation allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox.

Related CWE: CWE-123

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Date Added: 2025-03-04
Due Date: 2025-03-25

Additional Notes

VMware | ESXi, Workstation, and Fusion

CVE-2025-22226

VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability: VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. Successful exploitation allows an attacker with administrative privileges to a virtual machine to leak memory from the vmx process.

Related CWE: CWE-125

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Date Added: 2025-03-04
Due Date: 2025-03-25

Additional Notes

VMware | vCenter Server

CVE-2024-38812

VMware vCenter Server Heap-Based Buffer Overflow Vulnerability: VMware vCenter Server contains a heap-based buffer overflow vulnerability in the implementation of the DCERPC protocol. This vulnerability could allow an attacker with network access to the vCenter Server to execute remote code by sending a specially crafted packet.

Related CWE: CWE-122

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-11-20
Due Date: 2024-12-11

Additional Notes

VMware | vCenter Server

CVE-2024-38813

VMware vCenter Server Privilege Escalation Vulnerability: VMware vCenter contains an improper check for dropped privileges vulnerability. This vulnerability could allow an attacker with network access to the vCenter Server to escalate privileges to root by sending a specially crafted packet.

Related CWEs: CWE-250| CWE-273

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-11-20
Due Date: 2024-12-11

Additional Notes

VMware | ESXi

CVE-2024-37085

VMware ESXi Authentication Bypass Vulnerability: VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.

Related CWE: CWE-305

Known To Be Used in Ransomware Campaigns? Known

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-07-30
Due Date: 2024-08-20

Additional Notes

VMware | vCenter Server

CVE-2022-22948

VMware vCenter Server Incorrect Default File Permissions Vulnerability : VMware vCenter Server contains an incorrect default file permissions vulnerability that allows a remote, privileged attacker to gain access to sensitive information.

Related CWE: CWE-276

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-07-17
Due Date: 2024-08-07

Additional Notes

VMware | vCenter Server

CVE-2023-34048

VMware vCenter Server Out-of-Bounds Write Vulnerability: VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol that allows an attacker to conduct remote code execution.

Related CWE: CWE-787

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-01-22
Due Date: 2024-02-12

Additional Notes

Samsung | Mobile Devices

CVE-2022-22265

Samsung Mobile Devices Use-After-Free Vulnerability: Samsung devices with selected Exynos chipsets contain a use-after-free vulnerability that allows malicious memory write and code execution.

Related CWE: CWE-703

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2023-09-18
Due Date: 2023-10-09

Additional Notes

Samsung | Mobile Devices

CVE-2021-25487

Samsung Mobile Devices Out-of-Bounds Read Vulnerability: Samsung mobile devices contain an out-of-bounds read vulnerability within the modem interface driver due to a lack of boundary checking of a buffer in set_skb_priv(), leading to remote code execution by dereference of an invalid function pointer.

Related CWE: CWE-125

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable

Date Added: 2023-06-29
Due Date: 2023-07-20

Additional Notes

Samsung | Mobile Devices

CVE-2021-25489

Samsung Mobile Devices Improper Input Validation Vulnerability: Samsung mobile devices contain an improper input validation vulnerability within the modem interface driver that results in a format string bug leading to kernel panic.

Related CWE: CWE-20

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable

Date Added: 2023-06-29
Due Date: 2023-07-20

Additional Notes

Samsung | Mobile Devices

CVE-2021-25394

Samsung Mobile Devices Race Condition Vulnerability: Samsung mobile devices contain a race condition vulnerability within the MFC charger driver that leads to a use-after-free allowing for a write given a radio privilege is compromised.

Related CWE: CWE-416

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable

Date Added: 2023-06-29
Due Date: 2023-07-20

Additional Notes

Samsung | Mobile Devices

CVE-2021-25395

Related CWE: CWE-362

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable

Date Added: 2023-06-29
Due Date: 2023-07-20

Additional Notes

Samsung | Mobile Devices

CVE-2021-25371

Samsung Mobile Devices Unspecified Vulnerability: Samsung mobile devices contain an unspecified vulnerability within DSP driver that allows attackers to load ELF libraries inside DSP.

Related CWE: CWE-912

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable

Date Added: 2023-06-29
Due Date: 2023-07-20

Additional Notes

Samsung | Mobile Devices

CVE-2021-25372

Samsung Mobile Devices Improper Boundary Check Vulnerability: Samsung mobile devices contain an improper boundary check vulnerability within DSP driver that allows for out-of-bounds memory access.

Related CWE: CWE-787

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable

Date Added: 2023-06-29
Due Date: 2023-07-20

Additional Notes

VMware | Tools

CVE-2023-20867

VMware Tools Authentication Bypass Vulnerability: VMware Tools contains an authentication bypass vulnerability in the vgauth module. A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. An attacker must have root access over ESXi to exploit this vulnerability.

Related CWE: CWE-287

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2023-06-23
Due Date: 2023-07-14

Additional Notes

VMware | Aria Operations for Networks

CVE-2023-20887

Vmware Aria Operations for Networks Command Injection Vulnerability: VMware Aria Operations for Networks (formerly vRealize Network Insight) contains a command injection vulnerability that allows a malicious actor with network access to perform an attack resulting in remote code execution.

Related CWE: CWE-77

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2023-06-22
Due Date: 2023-07-13

Additional Notes

Samsung | Mobile Devices

CVE-2023-21492

Samsung Mobile Devices Insertion of Sensitive Information Into Log File Vulnerability: Samsung mobile devices running Android 11, 12, and 13 contain an insertion of sensitive information into log file vulnerability that allows a privileged, local attacker to conduct an address space layout randomization (ASLR) bypass.

Related CWE: CWE-532

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2023-05-19
Due Date: 2023-06-09

Additional Notes

Samsung | Mobile Devices

CVE-2021-25337

Samsung Mobile Devices Improper Access Control Vulnerability: Samsung mobile devices contain an improper access control vulnerability in clipboard service which allows untrusted applications to read or write arbitrary files. This vulnerability was chained with CVE-2021-25369 and CVE-2021-25370.

Related CWE: CWE-269

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-11-08
Due Date: 2022-11-29

Additional Notes

Samsung | Mobile Devices

CVE-2021-25369

Samsung Mobile Devices Improper Access Control Vulnerability: Samsung mobile devices using Mali GPU contains an improper access control vulnerability in sec_log file. Exploitation of the vulnerability exposes sensitive kernel information to the userspace. This vulnerability was chained with CVE-2021-25337 and CVE-2021-25370.

Related CWE: CWE-200

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-11-08
Due Date: 2022-11-29

Additional Notes

Known Exploited Vulnerabilities Catalog

Subscribe to the KEV Catalog Updates