
Understanding KEV: CISA's Known Exploited Vulnerabilities Catalog

Everything you need to know about the CISA KEV catalog — what it is, how vulnerabilities get added, why it matters more than CVSS severity, and how to use it in your vulnerability management program.

Vulnios Team | March 9, 2026 | 5 min read

There are 270,000+ CVEs in the National Vulnerability Database. Your scanner just found 500 of them in your environment. Which ones are actual emergencies?

The answer: check the KEV.

What Is the KEV Catalog?

The KEV (Known Exploited Vulnerabilities) catalog is maintained by CISA (Cybersecurity and Infrastructure Security Agency). It lists vulnerabilities with confirmed evidence of active exploitation — not theoretical risk, not proof-of-concepts, but real attacks happening right now.

As of 2026, the KEV catalog contains 1,200+ entries. That might sound like a lot, but compared to 270,000+ total CVEs, it's 0.4%. These are the vulnerabilities that actually matter.

KEV Entry Requirements

For a CVE to be added to KEV, it must meet all three criteria:

  • Assigned a CVE ID — It must be in the NVD
  • Active exploitation evidence — CISA has reliable evidence that the vulnerability is being exploited in the wild
  • Clear remediation action — A patch, mitigation, or workaround exists

The third criterion is important — CISA won't add a vulnerability to KEV if there's nothing you can do about it.

Why KEV Matters More Than CVSS

| Metric | What It Tells You |
|--------|-------------------|
| CVSS 9.8 | "This COULD be very bad" |
| KEV Listed | "This IS being used to attack organizations right now" |

CVSS is theoretical. KEV is empirical. A CVSS 6.5 vulnerability on the KEV list is more dangerous than a CVSS 9.8 vulnerability that nobody knows how to exploit.

The Numbers

Research from Mandiant and FIRST shows:

  • Only ~5% of all CVEs are ever exploited in the wild
  • Of those, only ~2% are exploited at scale
  • KEV captures the most impactful subset of actively exploited vulnerabilities
  • Organizations that prioritize KEV remediation reduce their attack surface significantly more than those using CVSS alone

KEV → BOD 22-01: The Legal Mandate

For federal agencies, KEV isn't optional. CISA's Binding Operational Directive 22-01 requires:

  • Federal civilian agencies MUST remediate KEV entries within the specified timeframe
  • Typical deadline: 2 weeks for internet-facing, 4 weeks for internal systems
  • Non-compliance is reported and escalated

While BOD 22-01 only legally applies to federal agencies, CISA strongly recommends all organizations use KEV as their primary prioritization source. Many enterprise security teams now treat KEV as mandatory.

How to Use KEV in Your Workflow

Step 1: Monitor the Catalog Daily

The KEV catalog is updated multiple times per week. New entries mean new active threats. Monitor via:

  • CISA RSS feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
  • Vulnios Radar — Automatic KEV flag on matching CVEs in your watchlists
  • API — JSON download for programmatic consumption

Step 2: Cross-Reference Your Scan Results

When a KEV entry matches a CVE in your environment:

  • Escalate immediately — This is a Priority 1 finding
  • Verify exposure — Is the affected component internet-facing?
  • Apply the fix — Patch, update, or apply the documented mitigation
  • Report — Document the finding, remediation action, and timeline

Step 3: Set SLAs Based on KEV

| Finding Category | Remediation SLA |
|-----------------|-----------------|
| On KEV + internet-facing | 48 hours |
| On KEV + internal | 7 days |
| EPSS > 10% (not on KEV yet) | 14 days |
| High CVSS, low EPSS, no KEV | 30 days |
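
Steps 1 to 3 as one script, added here as an illustration and not Vulnios or CISA code: it indexes a KEV catalog by CVE ID, cross-references scan findings against it, and applies the SLA table above. The catalog sample, the CVE IDs, the finding field names and the 7.0 cut-off for "high CVSS" are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the KEV JSON feed's field layout; the CVE IDs are placeholders.
KEV_JSON = """{"catalogVersion": "sample", "vulnerabilities": [
  {"cveID": "CVE-2099-0001", "dateAdded": "2099-01-05", "dueDate": "2099-01-26"},
  {"cveID": "CVE-2099-0002", "dateAdded": "2099-01-07", "dueDate": "2099-01-28"}]}"""

# Constructed scanner output (field names assumed); EPSS is a probability, so 10% = 0.10.
FINDINGS = [
    {"cve": "CVE-2099-0004", "asset": "db-01", "internet_facing": False, "cvss": 9.8, "epss": 0.0003},
    {"cve": "CVE-2099-0003", "asset": "web-02", "internet_facing": True, "cvss": 5.3, "epss": 0.31},
    {"cve": "cve-2099-0002", "asset": "build-01", "internet_facing": False, "cvss": 7.8, "epss": 0.08},
    {"cve": "CVE-2099-0001", "asset": "vpn-gw", "internet_facing": True, "cvss": 6.5, "epss": 0.42},
    {"cve": "CVE-2099-0005", "asset": "wiki", "internet_facing": False, "cvss": 4.0, "epss": 0.01},
]

def load_kev(raw):
    """Index catalog entries by upper-cased CVE ID so scanner casing does not matter."""
    return {v["cveID"].upper(): v for v in json.loads(raw)["vulnerabilities"]}

def sla_for(finding, kev):
    """Map a finding to (category, SLA) from the table; None if no row applies."""
    if finding["cve"].upper() in kev:
        if finding["internet_facing"]:
            return "KEV + internet-facing", timedelta(hours=48)
        return "KEV + internal", timedelta(days=7)
    if finding["epss"] > 0.10:
        return "EPSS > 10%, not on KEV", timedelta(days=14)
    if finding["cvss"] >= 7.0:  # assumption: "high CVSS" means 7.0 or above
        return "High CVSS, low EPSS, no KEV", timedelta(days=30)
    return None

def triage(findings, kev, detected_at):
    """Return findings with category and due time, most urgent first."""
    rows = []
    for f in findings:
        sla = sla_for(f, kev)
        if sla is None:
            continue  # outside the SLA table: left to the regular patch cycle
        category, window = sla
        cisa_due = kev.get(f["cve"].upper(), {}).get("dueDate")  # None when not on KEV
        rows.append({"cve": f["cve"].upper(), "asset": f["asset"], "category": category,
                     "due": detected_at + window, "cisa_due": cisa_due})
    return sorted(rows, key=lambda r: r["due"])

if __name__ == "__main__":
    for row in triage(FINDINGS, load_kev(KEV_JSON), datetime(2099, 1, 8, 9, 0)):
        print(f'{row["due"]:%Y-%m-%d %H:%M}  {row["cve"]}  {row["asset"]:<9} {row["category"]}')
```

With the sample data, the CVSS 6.5 finding on the internet-facing gateway sorts ahead of the CVSS 9.8 finding that has low EPSS and no KEV listing.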

Step 4: Report to Leadership

KEV provides a defensible, government-backed framework for prioritization decisions. When your CISO asks "why didn't we patch that 9.8?", you can point to KEV-based prioritization:

"We patched 15 KEV-listed CVEs with confirmed exploitation in week 1. The CVSS 9.8 with 0.03% EPSS and no KEV listing was scheduled for week 3 per our risk-based SLA policy."

Top KEV Entry Patterns

Looking at the catalog reveals clear patterns:

Most Common Product Categories

  • Network devices — Firewalls, VPNs, routers (Cisco, Fortinet, Palo Alto)
  • Web frameworks — Apache, Microsoft Exchange, WordPress plugins
  • Operating systems — Windows privilege escalation, Linux kernel
  • Enterprise software — VMware, Atlassian, Citrix

Attack Vectors

  • Remote code execution — ~60% of KEV entries
  • Privilege escalation — ~20% of KEV entries
  • Authentication bypass — ~10% of KEV entries
  • Information disclosure — ~10% of KEV entries

Timing

  • Average: CVE published → KEV addition: 8 weeks
  • Fastest: Same day (zero-day actively exploited at disclosure)
  • Some CVEs are years old when added — exploitation can start long after disclosure

How Vulnios Implements KEV

Vulnios integrates KEV data throughout the platform:

  • Vulnerability Radar — Every CVE displays KEV status with the CISA deadline. KEV-listed CVEs are visually flagged and sorted to the top.
  • Scan Findings — When a scan finding matches a KEV entry, it's automatically escalated to Priority 1 regardless of CVSS score.
  • Alerts — Watchlist alerts include KEV status. Get notified immediately when a CVE matching your stack is added to KEV.
  • Reports — Compliance reports include a dedicated KEV section showing which KEV vulnerabilities were found and their remediation status.

Getting Started

  • Sign up at vulnios.com — Vulnerability Radar includes KEV integration
  • Create watchlists for your technology stack
  • Enable KEV alerts — Get notified when your products appear on KEV
  • Track remediation — Document your response to KEV findings

---

Monitor KEV in real time at vulnios.com. Automatic KEV matching, EPSS correlation, and compliance-ready reporting.
