CISA Known Exploited Vulnerabilities (KEV) Catalog.

A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal. It belongs to the Vulnerabilities category of cybersecurity.

A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal.

The CISA Known Exploited Vulnerabilities (KEV) Catalog is a list maintained by the U.S. Cybersecurity and Infrastructure Security Agency of vulnerabilities for which CISA has credible evidence of active in-the-wild exploitation. KEV launched in November 2021 under Binding Operational Directive 22-01, which makes remediation of listed CVEs mandatory for U.S. Federal Civilian Executive Branch (FCEB) agencies within a stated deadline (typically two to three weeks). Each entry includes the CVE, product, short description, required action, due date, and the date added. By 2025 the catalog held over 1,300 CVEs across operating systems, network appliances, VPNs, RMM, productivity software, and ICS. Despite its formal scope being U.S. federal, KEV has become the de facto cross-industry prioritization signal — many enterprise vulnerability-management programs and cyber insurers treat KEV inclusion as a 'patch immediately' marker, and many ASPM/CSPM platforms surface KEV status alongside EPSS, CVSS, and reachability data. KEV is widely paired with the EPSS score (Exploit Prediction Scoring System) for risk-based vulnerability management.

Defences for CISA Known Exploited Vulnerabilities (KEV) Catalog typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: KEV, Known Exploited Vulnerabilities.