Vol. 1 · Ed. 2026
CyberGlossary
Entry № 194

CISA Known Exploited Vulnerabilities (KEV) Catalog

What is the CISA Known Exploited Vulnerabilities (KEV) Catalog?

CISA Known Exploited Vulnerabilities (KEV) Catalog: A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal.


The CISA Known Exploited Vulnerabilities (KEV) Catalog is a list maintained by the U.S. Cybersecurity and Infrastructure Security Agency of vulnerabilities for which CISA has credible evidence of active in-the-wild exploitation. KEV launched in November 2021 under Binding Operational Directive 22-01, which makes remediation of listed CVEs mandatory for U.S. Federal Civilian Executive Branch (FCEB) agencies within a stated deadline (typically two to three weeks). Each entry includes the CVE, product, short description, required action, due date, and the date added. By 2025 the catalog held over 1,300 CVEs across operating systems, network appliances, VPNs, RMM, productivity software, and ICS. Despite its formal scope being U.S. federal, KEV has become the de facto cross-industry prioritization signal — many enterprise vulnerability-management programs and cyber insurers treat KEV inclusion as a 'patch immediately' marker, and many ASPM/CSPM platforms surface KEV status alongside EPSS, CVSS, and reachability data. KEV is widely paired with the EPSS score (Exploit Prediction Scoring System) for risk-based vulnerability management.

  1. The FortiManager 'FortiJump' vulnerability, CVE-2024-47575, is added to KEV the day Mandiant publishes the post; FCEB agencies have a strict deadline to patch.

  2. An enterprise patch prioritization policy mandates remediation of any KEV-listed CVE within seven days, regardless of CVSS, EPSS, or asset criticality.
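
The seven-day policy in the second example can be applied to scanner findings as follows. This is an added example, not code from CyberGlossary or CISA. It assumes the field names of the public KEV JSON feed (`cveID`, `dateAdded`, `dueDate`), counts the seven days from `dateAdded`, takes the earlier of that date and the catalog `dueDate`, and ranks non-KEV findings by EPSS; the CVE IDs, dates, assets and scores are constructed placeholders.

```python
import json
from datetime import date, timedelta

# Constructed excerpt shaped like the KEV JSON feed; IDs and dates are placeholders.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
   "dateAdded": "2099-03-01", "dueDate": "2099-03-22", "requiredAction": "Apply mitigations."},
  {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "ExampleRMM",
   "dateAdded": "2099-03-10", "dueDate": "2099-03-31", "requiredAction": "Apply mitigations."}
]}
""")

# Constructed scanner findings with the scores a VM platform would show next to KEV status.
FINDINGS = [
    {"asset": "build-7", "cve": "CVE-2099-0777", "cvss": 9.8, "epss": 0.40},
    {"asset": "rmm-srv", "cve": "CVE-2099-0002", "cvss": 7.2, "epss": 0.91},
    {"asset": "vpn-gw-1", "cve": "CVE-2099-0001", "cvss": 6.5, "epss": 0.02},
]

ENTERPRISE_SLA = timedelta(days=7)  # assumption: counted from the KEV dateAdded


def index_kev(feed):
    """Map CVE ID -> catalog entry for constant-time lookups."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Attach KEV status and deadline to each finding, then order the work queue."""
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            rows.append({**f, "kev": False, "deadline": None, "overdue": False})
            continue
        internal_due = date.fromisoformat(entry["dateAdded"]) + ENTERPRISE_SLA
        catalog_due = date.fromisoformat(entry["dueDate"])
        deadline = min(internal_due, catalog_due)  # stricter of the two deadlines
        rows.append({**f, "kev": True, "deadline": deadline, "overdue": today > deadline})
    # KEV findings first (earliest deadline first), ignoring CVSS; the rest by EPSS.
    rows.sort(key=lambda r: (not r["kev"], r["deadline"] or date.max, -r["epss"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(FINDINGS, index_kev(KEV_FEED), date(2099, 3, 12)):
        print(r["asset"], r["cve"], "KEV" if r["kev"] else "-", r["deadline"], r["overdue"])
```

The CVSS 9.8 finding lands last because it is not KEV-listed, while the CVSS 6.5 finding is already overdue under the seven-day rule.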

Frequently asked questions

What is the CISA Known Exploited Vulnerabilities (KEV) Catalog?

A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal. It belongs to the Vulnerabilities category of cybersecurity.

How do you defend against the CISA Known Exploited Vulnerabilities (KEV) Catalog?

Defense against the CISA Known Exploited Vulnerabilities (KEV) Catalog typically combines technical controls and operational practices, as described in the definition above.

What are other names for the CISA Known Exploited Vulnerabilities (KEV) Catalog?

Common aliases: KEV, Known Exploited Vulnerabilities.
