CISA Known Exploited Vulnerabilities (KEV) Catalog
Qu'est-ce que CISA Known Exploited Vulnerabilities (KEV) Catalog ?
CISA Known Exploited Vulnerabilities (KEV) CatalogA U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal.
The CISA Known Exploited Vulnerabilities (KEV) Catalog is a list maintained by the U.S. Cybersecurity and Infrastructure Security Agency of vulnerabilities for which CISA has credible evidence of active in-the-wild exploitation. KEV launched in November 2021 under Binding Operational Directive 22-01, which makes remediation of listed CVEs mandatory for U.S. Federal Civilian Executive Branch (FCEB) agencies within a stated deadline (typically two to three weeks). Each entry includes the CVE, product, short description, required action, due date, and the date added. By 2025 the catalog held over 1,300 CVEs across operating systems, network appliances, VPNs, RMM, productivity software, and ICS. Despite its formal scope being U.S. federal, KEV has become the de facto cross-industry prioritization signal — many enterprise vulnerability-management programs and cyber insurers treat KEV inclusion as a 'patch immediately' marker, and many ASPM/CSPM platforms surface KEV status alongside EPSS, CVSS, and reachability data. KEV is widely paired with the EPSS score (Exploit Prediction Scoring System) for risk-based vulnerability management.
● Exemples
- 01
A FortiManager 'FortiJump' CVE-2024-47575 is added to KEV the day Mandiant publishes the post; FCEB agencies have a strict deadline to patch.
- 02
An enterprise patch prioritization policy mandates remediation of any KEV-listed CVE within seven days, regardless of CVSS, EPSS, or asset criticality.
● Questions fréquentes
Qu'est-ce que CISA Known Exploited Vulnerabilities (KEV) Catalog ?
A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal. Cette notion relève de la catégorie Vulnérabilités en cybersécurité.
Que signifie CISA Known Exploited Vulnerabilities (KEV) Catalog ?
A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal.
Comment fonctionne CISA Known Exploited Vulnerabilities (KEV) Catalog ?
The CISA Known Exploited Vulnerabilities (KEV) Catalog is a list maintained by the U.S. Cybersecurity and Infrastructure Security Agency of vulnerabilities for which CISA has credible evidence of active in-the-wild exploitation. KEV launched in November 2021 under Binding Operational Directive 22-01, which makes remediation of listed CVEs mandatory for U.S. Federal Civilian Executive Branch (FCEB) agencies within a stated deadline (typically two to three weeks). Each entry includes the CVE, product, short description, required action, due date, and the date added. By 2025 the catalog held over 1,300 CVEs across operating systems, network appliances, VPNs, RMM, productivity software, and ICS. Despite its formal scope being U.S. federal, KEV has become the de facto cross-industry prioritization signal — many enterprise vulnerability-management programs and cyber insurers treat KEV inclusion as a 'patch immediately' marker, and many ASPM/CSPM platforms surface KEV status alongside EPSS, CVSS, and reachability data. KEV is widely paired with the EPSS score (Exploit Prediction Scoring System) for risk-based vulnerability management.
Comment se défendre contre CISA Known Exploited Vulnerabilities (KEV) Catalog ?
Les défenses contre CISA Known Exploited Vulnerabilities (KEV) Catalog combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.
Quels sont les autres noms de CISA Known Exploited Vulnerabilities (KEV) Catalog ?
Noms alternatifs courants : KEV, Known Exploited Vulnerabilities.
● Termes liés
- vulnerabilities№ 663
Vulnérabilité activement exploitée (KEV)
CVE que la CISA américaine confirme comme étant activement exploitée et ajoute à son catalogue public KEV, déclenchant des délais de remédiation pour les agences fédérales.
- vulnerabilities№ 285
CVE (Common Vulnerabilities and Exposures)
Catalogue public attribuant un identifiant unique à chaque vulnérabilité divulguée afin de la référencer sans ambiguïté dans toute l'industrie.
- vulnerabilities№ 287
CVSS (Common Vulnerability Scoring System)
Cadre ouvert, maintenu par le FIRST, qui produit un score de gravité 0–10 pour une vulnérabilité selon ses caractéristiques d'exploitation et son impact.
- vulnerabilities№ 428
EPSS (Exploit Prediction Scoring System)
Modèle basé sur les données, maintenu par le FIRST, estimant la probabilité qu'une CVE soit exploitée dans la nature au cours des 30 prochains jours.
- vulnerabilities№ 1343
Vulnérabilité
Faiblesse d'un système, d'une application ou d'un processus qu'un attaquant peut exploiter pour porter atteinte à la confidentialité, l'intégrité ou la disponibilité.
- defense-ops№ 1345
Analyse de vulnérabilités
Processus automatisé qui sonde systèmes, applications ou conteneurs au regard de signatures de vulnérabilités connues pour produire une liste de faiblesses potentielles.