Synced 17 Jun 2026 22:27 UTC Account
← Home
Live exposure leaderboard · CISA KEV

Most actively-exploited software, right now

Ranked from the U.S. CISA Known Exploited Vulnerabilities catalog — the authoritative list of software being exploited in the wild. A measure of where attacker attention concentrates, not a verdict on vendor quality.

1,622 exploited vulnerabilities · 267 vendors · 384 in software we track at version level

At a glance

Microsoft accounts for 377 of CISA's 1,622 actively-exploited vulnerabilities (23%), led by Windows with 172. Apple (93), Cisco (92), Adobe (79) follow. 327 (20%) are tied to known ransomware campaigns. IsItPatched analyses 629 of these products at the individual-version level, covering 384 of the exploited CVEs in depth.

How this leaderboard is calculated

  • Source: the U.S. CISA KEV catalog — vulnerabilities confirmed exploited in the wild — re-read on every data sync.
  • Products rank by their number of KEV entries; vendors by the total across all their products.
  • Ransomware counts use CISA's knownRansomwareCampaignUse flag.
  • Tracked → rows link to our version-level analysis (safe version, open CVEs, EOL); others are shown for completeness.
  • It counts historical exploitation, so widely-deployed platforms rank highest — a signal of attacker focus, not vendor quality.
Full methodology →

Most-exploited products

By number of entries in CISA's KEV catalog. Linked rows are tracked at version level.

#ProductKEVRansomLast added
1 WindowsMicrosoft look up → 172 46 20 May 26 2 Multiple ProductsApple look up → 53 20 Mar 26 3 Chromium V8Google tracked → 39 09 Jun 26 4 Internet ExplorerMicrosoft tracked → 36 4 20 May 26 5 Flash PlayerAdobe tracked → 33 4 17 Sept 24 6 OfficeMicrosoft tracked → 29 2 14 Apr 26 7 KernelLinux tracked → 26 2 02 Jun 26 8 Win32kMicrosoft look up → 25 7 22 Jun 23 9 Exchange ServerMicrosoft tracked → 17 13 13 Apr 26 10 Zimbra Collaboration Suite (ZCS)Synacor tracked → 16 4 20 Apr 26 11 ColdFusionAdobe tracked → 15 3 24 Feb 25 12 IOS and IOS XE SoftwareCisco tracked → 14 19 Apr 23 13 Acrobat and ReaderAdobe tracked → 13 1 20 May 26 14 Mobile DevicesSamsung look up → 13 10 Nov 25 15 WebLogic ServerOracle tracked → 12 2 01 Jun 26 16 PAN-OSPalo Alto Networks tracked → 12 5 29 May 26 17 Multiple ChipsetsQualcomm look up → 11 03 Mar 26 18 iOS, iPadOS, and macOSApple look up → 11 21 Aug 25 19 NetWeaverSAP tracked → 10 1 15 May 25 20 vCenter ServerVMware tracked → 9 3 20 Nov 24 21 FortiOSFortinet tracked → 8 5 25 Jun 25 22 iOSApple tracked → 8 14 Dec 22 23 Reader and AcrobatAdobe tracked → 8 1 08 Jun 22 24 Endpoint Manager Mobile (EPMM)Ivanti tracked → 7 1 07 May 26

Most-exploited vendors

By total KEV entries across all their products.

1
Microsoft103 ransomware-linked
377exploited
2
Apple 
93exploited
3
Cisco6 ransomware-linked
92exploited
4
Adobe10 ransomware-linked
79exploited
5
Google 
72exploited
6
Oracle13 ransomware-linked
44exploited
7
Apache7 ransomware-linked
39exploited
8
Ivanti12 ransomware-linked
35exploited
9
Linux2 ransomware-linked
26exploited
10
D-Link2 ransomware-linked
26exploited
11
Fortinet13 ransomware-linked
26exploited
12
VMware9 ransomware-linked
26exploited

Tracked in depth — worst first

Of the 629 products we analyse at the individual-version level, ranked by active exploitation + open critical CVEs. Every row links to a full breakdown.

#ProductExploitedCriticalScore
1 Windows Server 2022Microsoft Good 85 54 85 2 Windows Server 2019Microsoft Good 77 45 85 3 Windows Server 2016Microsoft Good 73 41 85 4 UbuntuCanonical Good 25 103 85 5 SUSE Linux Enterprise ServerSUSE Critical · exploited 18 27 20 6 Fortinet FortiOSFortinet Critical · exploited 18 20 0 7 Zimbra Collaboration Suite (ZCS)Synacor Critical · exploited 17 12 0 8 Microsoft SharePoint ServerMicrosoft Critical · exploited 15 10 5 9 Palo Alto PAN-OSPalo Alto Networks Critical · exploited 14 20 0 10 Windows 10Microsoft Good 11 62 85 11 VMware ESXiVMware / Broadcom Good 8 10 85 12 Catalyst SD-WAN ManagerCisco Critical · exploited 8 12 0 13 JBossRed Hat Critical · exploited 6 31 0 14 Kentico XperienceKentico Critical · exploited 4 5 0 15 Cloud Services Appliance (CSA)Ivanti Critical · exploited 4 2 20
See all 629 tracked products →

Read this fairly: the ranking simply counts entries in the U.S. government's CISA Known Exploited Vulnerabilities catalog (public, factual) — a cumulative, historical tally that skews toward the most widely-deployed, most-researched platforms. A higher position reflects how much attacker and researcher attention a product has drawn over time; it is not a statement about a product's current security, a vendor's competence, or which software is "safer". Many entries are long-since patched. Use it to prioritise patching — start with what's actively exploited — not to choose or rank vendors. Source: CISA KEV · how we score.

Frequently asked

Where does this ranking come from?

It is built from the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog — the authoritative government list of vulnerabilities confirmed to be exploited in the wild. It currently holds 1622 vulnerabilities across 267 vendors. Products are ranked by how many KEV entries they have. It rebuilds with every data sync.

Does a high ranking mean the software is bad?

No. It reflects how often a product has been exploited historically (per CISA), which correlates with how widely deployed and heavily targeted it is — not vendor quality. Mature, ubiquitous platforms naturally accumulate more entries. Use it to understand where attacker attention concentrates, and to prioritise patching.

Why are some products linked and others not?

IsItPatched analyses 629 products at the individual-version level — those rows link to a full breakdown (safe version, open CVEs, EOL). Other entries in CISA's catalog are shown for completeness but we don't yet track them version-by-version; 384 of CISA's 1622 exploited CVEs fall in software we track in depth.