Introduction

Analysis of the US-based Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue.

Some sources treat the KEV as a source of absolute truth regarding software security. There are significant issues with the KEV, however, which are well described in this Medium post.

Therefore, no conclusions can be drawn from the KEV data alone, and any results shown here should be taken with a large grain of salt.

The Data

Although the data is presented as well structured, several columns contain a lot of free text, which needs to be parsed to get the required information.

cveID vendorProject product vulnerabilityName dateAdded shortDescription requiredAction dueDate knownRansomwareCampaignUse notes cwes
CVE-2025-20362 Cisco Secure Firewall Adapti… Cisco Secure Firewall … 2025-09-25 Cisco Secure Firewall … The KEV due date refer… 2025-09-26 Unknown CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions ; https://www.cisa.gov/eviction-strategies-tool/create-from-template ; https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks ; https://sec.cloudapps.cisco.com/security/center/private/resources/asa_ftd_continued_attacks#Details ; https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW ; https://nvd.nist.gov/vuln/detail/CVE-2025-20362 CWE-862
CVE-2025-20333 Cisco Secure Firewall Adapti… Cisco Secure Firewall … 2025-09-25 Cisco Secure Firewall … The KEV due date refer… 2025-09-26 Unknown CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions ; https://www.cisa.gov/eviction-strategies-tool/create-from-template ; https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks ; https://sec.cloudapps.cisco.com/security/center/private/resources/asa_ftd_continued_attacks#Details ; https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB ; https://nvd.nist.gov/vuln/detail/CVE-2025-20333 CWE-120
CVE-2025-10585 Google Chromium V8 Google Chromium V8 Typ… 2025-09-23 Google Chromium contai… Apply mitigations per … 2025-10-14 Unknown https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-10585 CWE-843
CVE-2025-5086 Dassault Systèmes DELMIA Apriso Dassault Systèmes DELM… 2025-09-11 Dassault Systèmes DELM… Apply mitigations per … 2025-10-02 Unknown https://www.3ds.com/trust-center/security/security-advisories/cve-2025-5086 ; https://nvd.nist.gov/vuln/detail/CVE-2025-5086 CWE-502
CVE-2025-38352 Linux Kernel Linux Kernel Time-of-C… 2025-09-04 Linux kernel contains … Apply mitigations per … 2025-09-25 Unknown This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff ; https://source.android.com/docs/security/bulletin/2025-09-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-38352 CWE-367
CVE-2025-48543 Android Runtime Android Runtime Use-Af… 2025-09-04 Android Runtime contai… Apply mitigations per … 2025-09-25 Unknown https://source.android.com/docs/security/bulletin/2025-09-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48543
CVE-2025-53690 Sitecore Multiple Products Sitecore Multiple Prod… 2025-09-04 Sitecore Experience Ma… Apply mitigations per … 2025-09-25 Unknown https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53690 CWE-502
CVE-2023-50224 TP-Link TL-WR841N TP-Link TL-WR841N Auth… 2025-09-03 TP-Link TL-WR841N cont… Apply mitigations per … 2025-09-24 Unknown https://www.tp-link.com/us/support/faq/4308/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-50224 CWE-290
CVE-2025-9377 TP-Link Multiple Routers TP-Link Archer C7(EU) … 2025-09-03 TP-Link Archer C7(EU) … Apply mitigations per … 2025-09-24 Unknown https://www.tp-link.com/us/support/faq/4308/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-9377 CWE-78
CVE-2020-24363 TP-Link TL-WA855RE TP-link TL-WA855RE Mis… 2025-09-02 TP-link TL-WA855RE con… Apply mitigations per … 2025-09-23 Unknown https://www.tp-link.com/us/home-networking/range-extender/tl-wa855re/#overview ; https://www.tp-link.com/us/support/download/tl-wa855re/#FAQs ; https://nvd.nist.gov/vuln/detail/CVE-2020-24363 CWE-306

The aim here is to focus primarily on iOS and Android, which also raises some issues. Due to its open-source nature, Android is not owned by a single organisation, although Google is the primary supporter of the core system. Thus, the ‘shortDescription’ column needs to be searched for Android relevance.

For iOS, Apple resolves most vulnerabilities across all of its platforms at the same time where relevant, so again the ‘shortDescription’ column needs to be searched. The problem is that ‘iOS’ can also match the ‘FortiOS’, Cisco’s ‘IOS’ and ‘BIOS’ strings.
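The matching problem described above, as an added example that is not part of the original analysis: a case-sensitive, whole-word pattern keeps ‘iOS’ and rejects ‘FortiOS’, ‘IOS’ and ‘BIOS’, and is compared against a naive case-insensitive search. The rows in `kev_sample`, the function name `tag_platform` and the column names `naive_ios`, `ios`, `android` and `platform` are assumptions made for illustration.

```r
library(dplyr)
library(stringr)

# Constructed sample rows (illustrative, not copied from the KEV feed)
kev_sample <- tibble::tribble(
  ~vendorProject, ~shortDescription,
  "Apple",    "Apple iOS and iPadOS contain a memory corruption vulnerability.",
  "Apple",    "Apple macOS contains an out-of-bounds write vulnerability.",
  "Fortinet", "Fortinet FortiOS contains a heap-based buffer overflow vulnerability.",
  "Cisco",    "Cisco IOS and IOS XE contain a denial-of-service vulnerability.",
  "Dell",     "Dell BIOS driver contains an insufficient access control vulnerability.",
  "Google",   "Google Chromium V8 on Android contains a type confusion vulnerability.",
  "Android",  "Android Runtime contains a use-after-free vulnerability."
)

# Case-sensitive, whole-word match: "iOS" but not "FortiOS", "IOS" or "BIOS"
ios_pattern <- "\\biOS\\b"

# Hypothetical helper: tag each row with the mobile platform it refers to
tag_platform <- function(df) {
  df %>%
    mutate(
      # what a loose, case-insensitive substring search would flag
      naive_ios = str_detect(shortDescription, regex("ios", ignore_case = TRUE)),
      ios       = str_detect(shortDescription, ios_pattern),
      # Android is not tied to one vendor, so check vendor and description
      android   = vendorProject == "Android" |
                  str_detect(shortDescription, "\\bAndroid\\b"),
      platform  = case_when(ios ~ "iOS", android ~ "Android", TRUE ~ "other")
    )
}

tagged <- tag_platform(kev_sample)

# Vendors the naive search would have miscounted as iOS
false_hits <- tagged %>% filter(naive_ios & !ios) %>% pull(vendorProject)
print(false_hits)

# Per-platform counts using the stricter patterns
print(count(tagged, platform))
```

A plain case-sensitive search for "iOS" still matches inside "FortiOS", so the word boundaries matter whenever the search is not first restricted to a single vendor.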

Threat Profile

A big distinction regarding the severity of vulnerabilities is whether they are exploitable remotely or otherwise. The KEV download doesn’t mark this up, however; a keyword search for ‘remote’ seems to be sufficient.

library(tidyverse)  # dplyr, stringr, forcats and ggplot2 are all used below

# add column to identify which vulnerabilities are remotely exploitable or not
# (case-sensitive substring match, so 'remotely' also counts)
dat = dat %>% mutate(remote = str_detect(shortDescription, "remote"))

# reorder factor to make colours more sensible
dat$remote <- factor(dat$remote, levels = c(TRUE, FALSE))

# summarise counts by vendor, keeping vendor/remote groups with more than 5 entries
summ.df = dat %>% group_by(vendorProject, remote) %>% 
         summarise(n = n(), .groups = "drop") %>%
         filter(n > 5)

# order vendors by their total count so the stacked bars are sorted by height
ggplot(summ.df, aes(x = fct_reorder(vendorProject, n, .fun = sum), y = n, fill = remote)) +
  geom_col() +
  scale_fill_brewer(palette = 'Paired') +
  labs(
    title = 'Total Exploited Vulnerabilities Since 2021',
    subtitle = 'Split by whether remotely exploitable or not',
    x = '',
    y = 'Count',
    fill = 'Remotely exploitable',
    caption = 'Source: CISA (groups with n <= 5 omitted)'
  ) +
  coord_flip() + 
  theme_classic()

Plots

Apple

# For all Apple entries find any which mention 'iOS'.
apple.df = dat %>% filter(vendorProject == 'Apple') %>%
   filter(str_detect(shortDescription, "iOS")) %>%
   group_by(format(dueDate, "%Y")) %>%
   summarise(n = n())

colnames(apple.df) <- c('Year', 'Count')

knitr::kable(apple.df, format = "html", table.attr = "style='width:30%;'") %>%
  kableExtra::kable_styling(position = "left")

Apple iOS Vulnerabilities per Year

Year  Count
2021  14
2022  26
2023  21
2024  7
2025  7

Android

# Find all entries whose vendor is Android or whose description mentions 'Android'.
android.df = dat %>% filter(vendorProject == 'Android' | str_detect(shortDescription, "Android")) %>%
   group_by(format(dueDate, "%Y")) %>%
   summarise(n = n())

colnames(android.df) <- c('Year', 'Count')

knitr::kable(android.df, 
             col.names = c('Year', 'Count'), 
             format = "html", 
             table.attr = "style='width:30%;'") %>%
  kableExtra::kable_styling(position = "left")

Android Vulnerabilities per Year

Year  Count
2021  1
2022  7
2023  5
2024  6
2025  1

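library(plotly)  # provides ggplotly() for the interactive plot below

# label each per-year summary with its OS before combining them
apple.df = data.frame(OS = 'iOS', apple.df)
android.df = data.frame(OS = 'Android', android.df)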

all.df = rbind(apple.df, android.df)

pl = ggplot(all.df, aes(x = Year, y = Count, group = OS, colour = OS)) +
  geom_line(linewidth = 1.3) +
  geom_point(colour = 'black', size = 1.8) +
  geom_point(colour = 'white', size = 1.4) +
  labs(title = "iOS vs Android Vulnerabilities") +
  theme_classic()

ggplotly(pl)