The second most impacted category was network-edge devices, with 77 KEVs. This category includes network security appliances, routers, firewalls, and VPN gateways, which have been a growing target over the past couple of years, especially for nation-state cyberespionage groups.
Server software (61 KEVs), open-source software (55), and operating systems (38) complete the top five most targeted categories, with hardware devices — including camera systems, DVRs, NVRs, IP phones, and other embedded devices — coming in sixth. VulnCheck notes that many of the flaws in the hardware device category came from attack data collected by Shadowserver, highlighting that exposing such devices directly to the internet is never a good idea.
In terms of vendors, Microsoft was the most targeted, with 32 KEVs, 26 of which were for Windows, followed by Cisco (10), and Apple, Totolink, and VMware, each with six KEVs. It’s worth noting, though, that not all new KEVs are new vulnerabilities. While 1 in 3 were zero-days or 1-days, many are older vulnerabilities that only started to be exploited in 2025, putting them on the new KEV list.