# Known Exploited Vulnerabilities (KEV) Catalog
CISA-curated catalog of vulnerabilities with confirmed active exploitation, providing high-signal prioritization for remediation efforts.
The Known Exploited Vulnerabilities (KEV) Catalog is a curated list maintained by the Cybersecurity and Infrastructure Security Agency (CISA) that identifies vulnerabilities confirmed to be actively exploited in the wild. Unlike vulnerability databases that list all known CVEs regardless of exploitation status, the KEV catalog focuses exclusively on vulnerabilities with documented real-world exploitation, making it a high-signal source for remediation prioritization.
The catalog exists because vulnerability databases had become noise generators rather than decision-making tools. The National Vulnerability Database contains well over 200,000 CVE entries. CVSS scores measure severity and potential impact but say nothing about whether anyone is exploiting the flaw. EPSS estimates the probability that a vulnerability will be exploited in the next 30 days, but an estimate is not a confirmation. Security teams drowning in vulnerability reports needed authoritative intelligence about which vulnerabilities attackers were actually weaponizing against real targets.
CISA created the KEV catalog in November 2021 as part of Binding Operational Directive (BOD) 22-01, which requires federal agencies to remediate KEV-listed vulnerabilities within specified timeframes. The catalog serves as both an intelligence product and a compliance framework, providing private sector organizations with the same exploitation intelligence that drives federal cybersecurity priorities. It represents the operationalization of threat intelligence: moving from theoretical vulnerability scoring to documented adversary behavior.
The KEV catalog fits into the vulnerability management ecosystem as the highest-confidence signal of immediate risk. While CVE databases document what could be exploited and CVSS scores indicate what might cause damage, the KEV catalog identifies what is being exploited. This distinction transforms vulnerability prioritization from a risk calculation exercise into a threat response operation.
CISA adds vulnerabilities to the KEV catalog based on three mandatory criteria. First, the vulnerability must have an assigned CVE identifier from MITRE's CVE Program, ensuring standardized identification and cross-reference capability. Second, there must be reliable evidence of active exploitation in the wild, meaning documented attacks against real systems rather than proof-of-concept demonstrations or theoretical scenarios. Third, a clear remediation action must exist, typically a vendor-supplied patch or a documented mitigation technique that eliminates the exploitation vector.
The evidence standard for "active exploitation" includes multiple sources. CISA considers attack reports from federal agencies, intelligence community assessments, cybersecurity vendor telemetry showing exploitation attempts, incident response findings from major breaches, and coordinated vulnerability disclosures that include exploitation evidence. The agency does not add vulnerabilities based solely on public proof-of-concept code, security research demonstrations, or speculation about possible exploitation.
Each catalog entry carries a fixed set of fields: the CVE identifier (cveID), the vendor or project and product, a vulnerability name and short description, the date added, the required action (typically "Apply updates per vendor instructions" or, in newer entries, "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable"), the federal due date, and, since October 2023, a knownRansomwareCampaignUse flag and free-text notes. BOD 22-01 sets the remediation baseline for federal civilian executive branch agencies: six months for vulnerabilities whose CVE ID was assigned before 2021 and two weeks for all others, with the dueDate field on each entry as the authoritative deadline (in practice CISA has commonly set it about three weeks after the addition date). These deadlines bind only federal civilian executive branch agencies, but many private organizations adopt them as baseline remediation targets.
The catalog operates as both a static reference and a dynamic feed. CISA publishes the complete catalog in JSON (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and CSV formats, updated whenever new vulnerabilities meet the inclusion criteria. The JSON document wraps the entries in a top-level object with a catalogVersion, a dateReleased timestamp, a count, and a vulnerabilities array, so a consumer can detect a new release and sanity-check a download before ingesting it into vulnerability management platforms, security orchestration tools, and compliance dashboards. Organizations integrate KEV data into existing workflows rather than treating it as a separate process.
CISA's addition process follows a structured evaluation methodology. The agency maintains relationships with vulnerability coordinators, threat intelligence providers, and federal agency security operations centers to identify exploitation activity. When potential KEV candidates emerge, CISA verifies exploitation evidence through multiple sources before addition. Once the three criteria are met, CISA adds the entry promptly, since every day of delay reduces the catalog's protective value; it does not, however, relax the evidence standard to get ahead of a story.
Additions from 2023 and early 2024 illustrate the process. CVE-2023-38831, a WinRAR archive-handling flaw, was added in August 2023 after researchers documented it being exploited since April 2023 in campaigns that lured targets into opening crafted archives. CVE-2023-4966, the Citrix NetScaler ADC and Gateway session-token disclosure later nicknamed "Citrix Bleed", was added in October 2023 once exploitation against exposed appliances was reported; ransomware affiliates were subsequently tied to it and the entry carries the ransomware-use flag. CVE-2023-34048, an out-of-bounds write in VMware vCenter Server, was added in January 2024 after Mandiant reported that an espionage actor had been exploiting it as a zero-day since late 2021. Each addition followed the same evidence-based evaluation.
The catalog includes vulnerabilities across all technology categories: operating systems, network infrastructure, web applications, enterprise software, and embedded systems. Age distribution varies significantly. Some KEV entries represent vulnerabilities published years ago that remain unpatched in production environments. Others appear within days of initial CVE publication, indicating rapid weaponization by threat actors.
Removal from the catalog is rare. CISA keeps entries indefinitely on the principle that a vulnerability exploited once remains a high-value target, and has withdrawn an entry only in exceptional cases where the remediation guidance or the underlying evidence changed. Organizations that fail to remediate KEV vulnerabilities when they are first added often remain vulnerable months or years later, so historical KEV entries are just as relevant to a current assessment as last week's additions.
The KEV catalog addresses the fundamental challenge in vulnerability management: prioritization under resource constraints. Security teams cannot remediate every vulnerability. Traditional prioritization methods rely on theoretical risk calculations that often misalign with actual attacker behavior. CVSS severity scores measure potential impact but ignore exploitation likelihood. Asset criticality assessments focus on business value but overlook attack probability. The KEV catalog provides ground truth about which vulnerabilities attackers are exploiting right now.
This intelligence directly impacts business risk. Unpatched KEV vulnerabilities represent confirmed attack vectors that threat actors have already weaponized successfully. Organizations running systems with KEV-listed vulnerabilities face documented threats rather than theoretical risks. The catalog enables security teams to focus remediation efforts on vulnerabilities that adversaries are actively targeting, maximizing the defensive value of limited patching resources.
Failure to prioritize KEV remediation carries measurable consequences. Post-breach analyses routinely identify KEV-listed vulnerabilities as initial access vectors. The 2023 MOVEit Transfer SQL injection (CVE-2023-34362) was added to the catalog on June 2, 2023, within days of the first exploitation reports, and the Cl0p campaign behind it went on to steal data from well over a thousand organizations worldwide. The March 2021 Exchange Server chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which compromised tens of thousands of servers before most organizations could patch, predates the catalog: CISA handled it at the time through Emergency Directive 21-02, and the four CVEs were included in the catalog's initial release in November 2021.
The catalog also serves as a compliance and governance tool. Boards of directors and executive leadership need metrics that connect cybersecurity investments to business risk reduction. KEV remediation rates provide a direct measure of how effectively an organization responds to confirmed threats. Unlike abstract security scores or maturity assessments, KEV metrics represent tangible risk reduction: each remediated KEV vulnerability eliminates a documented attack vector.
Common misconceptions about the KEV catalog limit its effectiveness. Some organizations treat KEV as merely another vulnerability feed rather than a threat intelligence product. Others assume that non-KEV vulnerabilities can be ignored, missing the distinction between confirmed exploitation and exploitation potential. The catalog identifies minimum remediation priorities, not comprehensive vulnerability management requirements.
The business impact extends beyond immediate security improvements. Organizations that consistently remediate KEV vulnerabilities demonstrate measurable risk management capabilities to cyber insurance providers, regulatory bodies, and business partners. The catalog provides an objective standard for evaluating cybersecurity performance across organizations and industries.
CDA mandates KEV catalog integration across all Vulnerability Surface Deduction (VSD) domain operations and Real-time Governance Automation (RGA) domain compliance frameworks. The Presidential Decision Memorandum establishing CDA explicitly identifies KEV remediation as a core component of Continuous Surface Reduction methodology, treating documented exploitation as the highest-priority signal for attack surface elimination.
CDA's approach to KEV differs fundamentally from conventional vulnerability management thinking. Traditional models treat KEV as one input among many in a multi-factor risk calculation. CDA methodology treats KEV presence as an overriding risk signal that supersedes other vulnerability metrics. A KEV-listed vulnerability with a CVSS score of 6.1 receives higher remediation priority than a non-KEV vulnerability scored at 9.8. This inversion reflects CDA's operational reality principle: documented threats take precedence over theoretical risks.
The Continuous Surface Reduction framework operationalizes this approach through automated KEV detection and response workflows. CDA theater missions integrate KEV feeds directly into vulnerability scanning platforms, automatically flagging KEV-listed CVEs as critical findings regardless of scanner-assigned severity levels. Surface reduction teams receive KEV alerts within four hours of catalog additions, enabling rapid response to newly documented threats.
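The feed ingestion described earlier and the KEV-over-CVSS flagging and due-date tracking described in the last two paragraphs, as an added example in Python. This is not CISA's or CDA's code. The feed URL is the real one; the catalog sample is constructed to match the live feed's JSON shape using CVE IDs discussed on this page, but its dates and text are illustrative, the scanner findings are constructed, and CVE-0000-00000 is a placeholder rather than a real identifier.

```python
"""Rank scanner findings KEV-first against the CISA KEV JSON feed."""
import json
import urllib.request
from datetime import date

KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed sample in the live feed's shape; dates/text illustrative only.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2023.12.01", "dateReleased": "2023-12-01T00:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway",
     "vulnerabilityName": "Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability",
     "dateAdded": "2023-10-18",
     "shortDescription": "Session token disclosure enabling session hijacking.",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
     "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-2023-38831", "vendorProject": "RARLAB", "product": "WinRAR",
     "vulnerabilityName": "RARLAB WinRAR Code Execution Vulnerability",
     "dateAdded": "2023-08-24",
     "shortDescription": "Crafted archives run code when a benign-looking file is opened.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-09-14", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}"""

# Constructed scanner output. CVE-0000-00000 is a placeholder, not a real CVE;
# it is the non-KEV 9.8 that must still rank below the KEV hits.
SAMPLE_FINDINGS = [
    {"host": "file-01", "cve": "CVE-2023-38831", "cvss": 7.8},
    {"host": "db-01", "cve": "CVE-0000-00000", "cvss": 9.8},
    {"host": "vpn-01", "cve": "cve-2023-4966", "cvss": 9.4},
]


def load_kev(feed_text: str) -> dict:
    """Parse the feed into {cveID: entry}; reject a download whose count is off."""
    feed = json.loads(feed_text)
    entries = {v["cveID"].upper(): v for v in feed["vulnerabilities"]}
    if feed.get("count") != len(entries):
        raise ValueError(f"feed count {feed.get('count')} != {len(entries)} entries")
    return entries


def fetch_kev(url: str = KEV_FEED_URL, timeout: int = 30) -> dict:
    """Download and parse the live catalog (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def days_until_due(entry: dict, today: date) -> int:
    """Days left before the entry's dueDate; negative means past due."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def prioritize(findings: list, kev: dict, today: date) -> list:
    """Every KEV hit outranks every non-KEV finding regardless of CVSS. KEV hits
    sort most-overdue first, ransomware use breaks ties; the rest sort by CVSS."""
    ranked = []
    for f in findings:
        cve = f["cve"].upper()
        entry = kev.get(cve)
        if entry is None:
            ranked.append({**f, "cve": cve, "kev": False, "overdue": False,
                           "days_until_due": None, "ransomware": False,
                           "required_action": None})
            continue
        due = days_until_due(entry, today)
        ranked.append({**f, "cve": cve, "kev": True, "overdue": due < 0,
                       "days_until_due": due,
                       "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                       "required_action": entry["requiredAction"]})

    def sort_key(r):
        if r["kev"]:
            return (0, r["days_until_due"], 0 if r["ransomware"] else 1, -r["cvss"])
        return (1, 0, 1, -r["cvss"])

    return sorted(ranked, key=sort_key)


def kev_metrics(ranked: list) -> dict:
    """Governance numbers: KEV findings, how many are past due, affected hosts."""
    hits = [r for r in ranked if r["kev"]]
    return {"findings": len(ranked), "kev_findings": len(hits),
            "kev_overdue": sum(1 for r in hits if r["overdue"]),
            "kev_hosts": sorted({r["host"] for r in hits})}


def demo(today: date = date(2023, 11, 15)) -> tuple:
    """Run the sample through the pipeline at a fixed date for reproducibility."""
    ranked = prioritize(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), today)
    return ranked, kev_metrics(ranked)


if __name__ == "__main__":
    ranked, metrics = demo()
    for r in ranked:
        print(f"{'KEV' if r['kev'] else '   '} {r['cve']:<15} cvss={r['cvss']:<4} "
              f"host={r['host']:<8} due_in={r['days_until_due']} "
              f"ransomware={r['ransomware']}")
    print(metrics)
```

Swap `load_kev(SAMPLE_KEV_JSON)` for `fetch_kev()` to run against the live catalog; the count check guards against truncated downloads, and the sort key is where the page's inversion lives: a KEV entry with CVSS 7.8 lands above a non-KEV 9.8 because the first tuple element is decided by KEV membership alone.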
CDA methodology recognizes that KEV vulnerabilities represent attack surface that adversaries have already successfully penetrated elsewhere. Each unpatched KEV vulnerability is not merely a potential entry point but a confirmed technique already in adversary hands. Whether it is reachable in a given environment still depends on exposure and configuration, which is why the catalog's required action sometimes accepts vendor mitigations or discontinuing the product rather than only a patch. The "every surface you expose is a surface we eliminate" principle applies most directly to KEV remediation: these surfaces are not just exposed but actively targeted.
RGA domain frameworks automate KEV compliance tracking and reporting. CDA governance dashboards track KEV remediation rates across all participating organizations, identifying systematic gaps in threat response capabilities. Organizations that consistently fail to meet KEV remediation timelines receive targeted support through VSD domain technical assistance programs.
CDA differs from federal agency KEV implementation by extending coverage beyond traditional IT infrastructure. CDA theater missions apply KEV prioritization to operational technology environments, cloud service configurations, and third-party software components. This expanded scope reflects CDA's mission-critical infrastructure protection mandate.
The CDA perspective treats KEV catalog maintenance as a shared intelligence function rather than a passive consumption activity. CDA theater teams contribute exploitation intelligence to CISA's KEV evaluation process, particularly for vulnerabilities affecting critical infrastructure sectors. This bidirectional intelligence sharing improves both KEV catalog quality and CDA threat awareness capabilities.
• The KEV catalog identifies vulnerabilities with confirmed active exploitation, providing higher-confidence threat intelligence than theoretical vulnerability scoring systems.
• CISA's three criteria for KEV inclusion (assigned CVE, exploitation evidence, available remediation) ensure the catalog contains actionable intelligence rather than speculative risks.
• KEV remediation should override other vulnerability prioritization methods because documented threats take precedence over potential threats in operational environments.
• Organizations that consistently remediate KEV vulnerabilities eliminate confirmed attack vectors and demonstrate measurable risk reduction to stakeholders.
• The catalog serves as both a technical remediation guide and a business governance tool for measuring cybersecurity effectiveness against real-world threats.
• Cybersecurity and Infrastructure Security Agency. "Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities." November 3, 2021.
• National Institute of Standards and Technology. "Guide for Conducting Risk Assessments." NIST Special Publication 800-30 Rev. 1, September 2012.
• MITRE Corporation. "Common Vulnerabilities and Exposures (CVE) Program." CVE Program Documentation, 2023.
• Cybersecurity and Infrastructure Security Agency. "Known Exploited Vulnerabilities Catalog Documentation." CISA.gov, continuously updated.
Written by CDA Editorial