In depth
KEV is the most operationally useful free vulnerability-prioritisation signal available. Where CVSS rates intrinsic severity and EPSS estimates exploitation likelihood, KEV is the binary signal: this vulnerability is being exploited right now. Industry data consistently shows that KEV-listed CVEs are 50-1000x more likely to be exploited against an organisation than non-KEV CVEs of equivalent CVSS. For any organisation, the KEV catalog is the right "patch immediately" list, regardless of which sector it is in or whether it has a federal-compliance obligation.
The KEV inclusion criteria are deliberately strict. A vulnerability is added only when CISA has reliable evidence of active exploitation — incident reports from federal agencies, threat-intelligence vendor telemetry, exploitation observed against honeypots, or credible reporting from security researchers. CVSS score and CVE age are explicitly not criteria; some KEV entries have CVSS in the medium range, and entries dating back to 2010 still appear when new exploitation activity is observed.
The KEV catalog has become the operational bedrock of modern vulnerability-management programmes. Mature programmes ingest the KEV feed, cross-reference it against their SBOM nightly, escalate any matches to a same-day patching workflow, and report KEV exposure as a board-level metric. Coupled with EPSS for the "likely to be exploited soon" predictive signal, KEV closes the loop on "what do we patch first." See VAPT services and supply chain attacks 2026.
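The nightly KEV/EPSS cross-reference described above, as an added example that is not the article's own code. It uses the real field names of the CISA KEV JSON feed (`cveID`, `dueDate`, `knownRansomwareCampaignUse`) and the EPSS CSV (`cve,epss,percentile`), but every record below is constructed, the CVE IDs are placeholders, and the findings list is assumed to come from a scanner that has already mapped SBOM components to CVE IDs (that lookup step is not shown). The feed URLs are the real ones and are listed only for when the job is wired to fetch them.

```python
"""Triage open findings against the CISA KEV feed, then EPSS, then CVSS.

Added example, not the article's code. Feed field names are real; all data
below is constructed (placeholder CVE IDs) so the script runs offline.
"""
import json
from datetime import date

# Real feed locations for a nightly job; not fetched here.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
EPSS_FEED_URL = "https://epss.cyentia.com/epss_scores-current.csv.gz"

# Constructed excerpt in the shape of the real KEV feed (placeholder CVE IDs).
KEV_SAMPLE = json.dumps({
    "catalogVersion": "example",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleGateway", "dateAdded": "2024-01-10",
         "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "ExampleCMS", "dateAdded": "2024-03-01",
         "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "NotDeployedHere", "dateAdded": "2024-02-14",
         "dueDate": "2024-03-06", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed excerpt of the EPSS CSV (columns: cve,epss,percentile).
EPSS_SAMPLE = """cve,epss,percentile
CVE-0000-0001,0.94120,0.99500
CVE-0000-0002,0.01230,0.85000
CVE-0000-0004,0.67000,0.98000
CVE-0000-0005,0.00050,0.10000
"""

# Constructed scanner output: open findings per asset with CVSS base score.
FINDINGS = [
    {"asset": "vpn-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"asset": "www-02", "cve": "CVE-0000-0002", "cvss": 5.4},
    {"asset": "www-02", "cve": "CVE-0000-0004", "cvss": 7.5},
    {"asset": "db-01", "cve": "CVE-0000-0005", "cvss": 9.1},
]


def load_kev(raw_json):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def load_epss(raw_csv):
    """Parse the EPSS CSV into {cve: probability}."""
    scores = {}
    for line in raw_csv.splitlines()[1:]:
        cve, epss, _percentile = line.split(",")
        scores[cve] = float(epss)
    return scores


def triage(findings, kev, epss, today, epss_threshold=0.10):
    """Tier each finding: 'kev' (same-day patch), 'epss' (likely soon), 'backlog'."""
    out = []
    for f in findings:
        score = epss.get(f["cve"], 0.0)
        entry = kev.get(f["cve"])
        if entry:
            due = date.fromisoformat(entry["dueDate"])
            out.append({**f, "tier": "kev", "epss": score, "due": due,
                        "overdue": due < today,
                        "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
        elif score >= epss_threshold:
            out.append({**f, "tier": "epss", "epss": score})
        else:
            out.append({**f, "tier": "backlog", "epss": score})
    rank = {"kev": 0, "epss": 1, "backlog": 2}
    # KEV first (overdue and ransomware-linked items lead), then EPSS, then CVSS.
    out.sort(key=lambda r: (rank[r["tier"]], not r.get("overdue", False),
                            not r.get("ransomware", False), -r["epss"], -r["cvss"]))
    return out


def kev_exposure(triaged):
    """Board-level metric: open KEV-listed findings and how many are past the CISA due date."""
    kev_items = [r for r in triaged if r["tier"] == "kev"]
    return {"kev_open": len(kev_items),
            "kev_overdue": sum(1 for r in kev_items if r["overdue"])}


def run_sample(today_iso="2024-04-01"):
    """Run the triage over the constructed data (a real job would fetch the feeds first)."""
    return triage(FINDINGS, load_kev(KEV_SAMPLE), load_epss(EPSS_SAMPLE),
                  date.fromisoformat(today_iso))


if __name__ == "__main__":
    ranked = run_sample()
    for r in ranked:
        print(r["tier"], r["asset"], r["cve"], r.get("due", ""))
    print(kev_exposure(ranked))
```

Note how the CVSS 5.4 KEV entry outranks the CVSS 9.1 finding that is on neither list: that is the ordering the article argues for, with KEV as the "patch now" gate and EPSS as the predictive tier behind it. The KEV entry for a product not in the findings is silently ignored, which is the expected nightly outcome for most of the catalog.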