Skip to content
Vol. 1 · Ed. 2026
CyberGlossary
Entry № 197

CISA Known Exploited Vulnerabilities (KEV) Catalog

Reviewed byCybersecurity entrepreneur & security researcher

What is CISA Known Exploited Vulnerabilities (KEV) Catalog?

CISA Known Exploited Vulnerabilities (KEV) CatalogA U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal.


The CISA Known Exploited Vulnerabilities (KEV) Catalog is a list maintained by the U.S. Cybersecurity and Infrastructure Security Agency of vulnerabilities for which CISA has credible evidence of active in-the-wild exploitation. KEV launched in November 2021 under Binding Operational Directive 22-01, which makes remediation of listed CVEs mandatory for U.S. Federal Civilian Executive Branch (FCEB) agencies within a stated deadline (typically two to three weeks). Each entry includes the CVE, vendor/product, short description, required action, due date, the date added, and — since 2024 — a flag for whether the flaw is known to be used in ransomware campaigns.

Inclusion criteria are deliberately strict: a CVE is added only when it has an assigned CVE ID, there is reliable evidence of active exploitation (not merely a public proof-of-concept or scanning), and a clear remediation such as a vendor patch exists. This bar is what makes KEV valuable — it filters the ~40,000 CVEs published yearly down to the small fraction attackers actually weaponise. The catalog grew from 1,239 entries at the end of 2024 to 1,484 by the end of 2025 (245 added that year, a ~20% rise), spanning operating systems, network appliances, VPNs, RMM tools, productivity software, browsers, and ICS. Fast-moving edge-device zero-days like PAN-OS CVE-2024-3400 and the Ivanti Connect Secure chain (CVE-2023-46805 + CVE-2024-21887) were added within days of public disclosure.

Despite its formal U.S.-federal scope, KEV has become the de facto cross-industry prioritization signal — enterprise vulnerability-management programs and cyber insurers treat KEV inclusion as a "patch immediately" marker, and ASPM/CSPM platforms surface KEV status alongside CVSS severity, EPSS (Exploit Prediction Scoring System) probability, and code reachability. Consuming the machine-readable JSON/CSV feed lets teams automatically escalate any asset running a KEV-listed product.

flowchart TD
  A[New CVE published] --> B{Meets all 3 KEV criteria?}
  B --> C[Assigned CVE ID]
  B --> D[Reliable evidence of active exploitation]
  B --> E[Clear remediation available]
  C & D & E -->|All yes| F[Added to KEV Catalog]
  B -->|Any no e.g. PoC only| G[Not added]
  F --> H[BOD 22-01: FCEB deadline set]
  F --> I[Enterprises + insurers treat as patch now]
  F --> J[Feeds ASPM/CSPM with EPSS + CVSS + reachability]
  style F fill:#27ae60,color:#fff
  style G fill:#7f8c8d,color:#fff

Examples

  1. 01

    A FortiManager 'FortiJump' CVE-2024-47575 is added to KEV the day Mandiant publishes the post; FCEB agencies have a strict deadline to patch.

  2. 02

    An enterprise patch prioritization policy mandates remediation of any KEV-listed CVE within seven days, regardless of CVSS, EPSS, or asset criticality.

Frequently asked questions

What is CISA Known Exploited Vulnerabilities (KEV) Catalog?

A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal. It belongs to the Vulnerabilities category of cybersecurity.

What does CISA Known Exploited Vulnerabilities (KEV) Catalog mean?

A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal.

How do you defend against CISA Known Exploited Vulnerabilities (KEV) Catalog?

Defences for CISA Known Exploited Vulnerabilities (KEV) Catalog typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for CISA Known Exploited Vulnerabilities (KEV) Catalog?

Common alternative names include: KEV, Known Exploited Vulnerabilities.

Related terms

See also