CISA Known Exploited Vulnerabilities (KEV) Catalog.

A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal. Es gehört zur Kategorie Schwachstellen der Cybersicherheit.

A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal.

The CISA Known Exploited Vulnerabilities (KEV) Catalog is a list maintained by the U.S. Cybersecurity and Infrastructure Security Agency of vulnerabilities for which CISA has credible evidence of active in-the-wild exploitation. KEV launched in November 2021 under Binding Operational Directive 22-01, which makes remediation of listed CVEs mandatory for U.S. Federal Civilian Executive Branch (FCEB) agencies within a stated deadline (typically two to three weeks). Each entry includes the CVE, product, short description, required action, due date, and the date added. By 2025 the catalog held over 1,300 CVEs across operating systems, network appliances, VPNs, RMM, productivity software, and ICS. Despite its formal scope being U.S. federal, KEV has become the de facto cross-industry prioritization signal — many enterprise vulnerability-management programs and cyber insurers treat KEV inclusion as a 'patch immediately' marker, and many ASPM/CSPM platforms surface KEV status alongside EPSS, CVSS, and reachability data. KEV is widely paired with the EPSS score (Exploit Prediction Scoring System) for risk-based vulnerability management.

Schutzmaßnahmen gegen CISA Known Exploited Vulnerabilities (KEV) Catalog kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.

Übliche alternative Bezeichnungen: KEV, Known Exploited Vulnerabilities.