Live exposure leaderboard · CISA KEV

Most actively-exploited software, right now

Ranked from the U.S. CISA Known Exploited Vulnerabilities catalog — the authoritative list of software being exploited in the wild. A measure of where attacker attention concentrates, not a verdict on vendor quality.

1,621 exploited vulnerabilities · 266 vendors · 1046 in software we track at version level

At a glance

Microsoft accounts for 377 of CISA's 1,621 actively-exploited vulnerabilities (23%), led by Windows with 172. Apple (93), Cisco (92), Adobe (79) follow. 327 (20%) are tied to known ransomware campaigns. IsItPatched analyses 613 of these products at the individual-version level, covering 1046 of the exploited CVEs in depth.

How this leaderboard is calculated

Source: the U.S. CISA KEV catalog — vulnerabilities confirmed exploited in the wild — re-read on every data sync.
Products rank by their number of KEV entries; vendors by the total across all their products.
Ransomware counts use CISA's knownRansomwareCampaignUse flag.
Tracked → rows link to our version-level analysis (safe version, open CVEs, EOL); others are shown for completeness.
It counts historical exploitation, so widely-deployed platforms rank highest — a signal of attacker focus, not vendor quality.

Full methodology →

Most-exploited products

By number of entries in CISA's KEV catalog. Linked rows are tracked at version level.

#ProductKEVRansomLast added

1 WindowsMicrosoft look up → 172 46 20 May 26 2 Multiple ProductsApple look up → 53 — 20 Mar 26 3 Chromium V8Google tracked → 39 — 09 Jun 26 4 Internet ExplorerMicrosoft tracked → 36 4 20 May 26 5 Flash PlayerAdobe tracked → 33 4 17 Sept 24 6 OfficeMicrosoft tracked → 29 2 14 Apr 26 7 KernelLinux tracked → 26 2 02 Jun 26 8 Win32kMicrosoft look up → 25 7 22 Jun 23 9 Exchange ServerMicrosoft tracked → 17 13 13 Apr 26 10 Zimbra Collaboration Suite (ZCS)Synacor tracked → 16 4 20 Apr 26 11 ColdFusionAdobe tracked → 15 3 24 Feb 25 12 IOS and IOS XE SoftwareCisco tracked → 14 — 19 Apr 23 13 Acrobat and ReaderAdobe tracked → 13 1 20 May 26 14 Mobile DevicesSamsung look up → 13 — 10 Nov 25 15 WebLogic ServerOracle tracked → 12 2 01 Jun 26 16 PAN-OSPalo Alto Networks tracked → 12 5 29 May 26 17 Multiple ChipsetsQualcomm look up → 11 — 03 Mar 26 18 iOS, iPadOS, and macOSApple look up → 11 — 21 Aug 25 19 NetWeaverSAP tracked → 10 1 15 May 25 20 vCenter ServerVMware tracked → 9 3 20 Nov 24 21 FortiOSFortinet tracked → 8 5 25 Jun 25 22 iOSApple tracked → 8 — 14 Dec 22 23 Reader and AcrobatAdobe tracked → 8 1 08 Jun 22 24 Endpoint Manager Mobile (EPMM)Ivanti tracked → 7 1 07 May 26

Most-exploited vendors

By total KEV entries across all their products.

Microsoft103 ransomware-linked

377exploited

Apple

93exploited

Cisco6 ransomware-linked

92exploited

Adobe10 ransomware-linked

79exploited

Google

72exploited

Oracle13 ransomware-linked

44exploited

Apache7 ransomware-linked

39exploited

Ivanti12 ransomware-linked

35exploited

Linux2 ransomware-linked

26exploited

D-Link2 ransomware-linked

26exploited

Fortinet13 ransomware-linked

26exploited

VMware9 ransomware-linked

26exploited

Tracked in depth — worst first

Of the 613 products we analyse at the individual-version level, ranked by active exploitation + open critical CVEs. Every row links to a full breakdown.

#ProductExploitedCriticalScore

1 Windows Server 2022Microsoft Good 85 54 85 2 Windows Server 2019Microsoft Good 77 45 85 3 Windows Server 2016Microsoft Good 73 41 85 4 macOSApple Good 43 203 85 5 Internet ExplorerMicrosoft Critical · exploited 43 5 0 6 Cisco IOSCisco Critical · exploited 38 6 20 7 Windows Server 2025Microsoft Critical · exploited 37 20 0 8 Flash PlayerAdobe Critical · exploited 36 50 0 9 Microsoft OfficeMicrosoft Critical · exploited 36 11 0 10 OS XApple Critical · exploited 30 20 0 11 Linux KernelLinux Good 28 14 85 12 Cisco IOS XECisco Critical · exploited 28 14 20 13 Apple SafariApple Critical · exploited 27 23 5 14 UbuntuCanonical Good 25 103 85 15 Acrobat and ReaderAdobe Critical · exploited 21 24 0

See all 613 tracked products →

Read this fairly: the ranking simply counts entries in the U.S. government's CISA Known Exploited Vulnerabilities catalog (public, factual) — a cumulative, historical tally that skews toward the most widely-deployed, most-researched platforms. A higher position reflects how much attacker and researcher attention a product has drawn over time; it is not a statement about a product's current security, a vendor's competence, or which software is "safer". Many entries are long-since patched. Use it to prioritise patching — start with what's actively exploited — not to choose or rank vendors. Source: CISA KEV · how we score.

Frequently asked

Where does this ranking come from?

It is built from the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog — the authoritative government list of vulnerabilities confirmed to be exploited in the wild. It currently holds 1621 vulnerabilities across 266 vendors. Products are ranked by how many KEV entries they have. It rebuilds with every data sync.

Does a high ranking mean the software is bad?

No. It reflects how often a product has been exploited historically (per CISA), which correlates with how widely deployed and heavily targeted it is — not vendor quality. Mature, ubiquitous platforms naturally accumulate more entries. Use it to understand where attacker attention concentrates, and to prioritise patching.

Why are some products linked and others not?

IsItPatched analyses 613 products at the individual-version level — those rows link to a full breakdown (safe version, open CVEs, EOL). Other entries in CISA's catalog are shown for completeness but we don't yet track them version-by-version; 1046 of CISA's 1621 exploited CVEs fall in software we track in depth.