CISA KEV Catalog

The authoritative source for vulnerabilities that have been exploited in the wild

What is the KEV Catalog?

Maintained by the Cybersecurity and Infrastructure Security Agency (CISA), the Known Exploited Vulnerabilities (KEV) Catalog is a dynamic list of CVEs that carry significant risk to the federal enterprise.

Unlike other vulnerability databases that list all theoretical risks, the KEV Catalog answers a critical question: "Which vulnerabilities are attackers actually using right now?"

If a vulnerability is in the KEV Catalog, it means unauthorized parties are actively exploiting it in the wild to compromise systems.

Criteria for Inclusion

Not every vulnerability makes it into the catalog. CISA uses three strict criteria to determine inclusion:

  1. Assigned CVE ID: the vulnerability must have a valid Common Vulnerabilities and Exposures (CVE) ID.
  2. Active Exploitation: there must be reliable evidence that the vulnerability has been actively exploited in the wild.
  3. Clear Remediation: there must be a clear remediation action, such as a vendor patch or mitigation instruction.

The Mandatory Directive

The KEV catalog is the centerpiece of Binding Operational Directive (BOD) 22-01, issued by CISA in November 2021.

For Federal Agencies

Federal Civilian Executive Branch (FCEB) agencies are legally required to remediate vulnerabilities listed in the KEV catalog within specific timeframes (usually 14 or 21 days).

For Everyone Else

While not mandatory for private organizations, CISA strongly recommends that all stakeholders use the KEV catalog as a primary input for vulnerability management prioritization.

Using KEV Effectively

Why Prioritize KEV?

  • Reduces attack surface against active threats
  • Data-driven prioritization over theoretical risk
  • Simplifies decision making for security teams

Recommended Workflow

  1. Ingest the KEV catalog into your vulnerability management tools.
  2. Scan your environment for any KEV-listed CVEs.
  3. Prioritize remediation of these CVEs above others, even those with higher CVSS scores.
  4. Subscribe to CISA alerts to stay updated on new additions.
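The workflow above, as an added Python example that is not part of this page or of CISA's own tooling: it indexes a constructed sample of the KEV feed (the field names match the real JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), joins it against constructed scanner findings, and orders remediation KEV-first and overdue-first regardless of CVSS score. The hostnames, CVE IDs, scores and dates are constructed placeholders, not real catalog entries.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed.
# The CVE IDs are placeholders, not real catalog entries.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
         "dateAdded": "2024-01-10", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
         "dateAdded": "2024-02-01", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: (host, CVE ID, CVSS base score).
SCAN_FINDINGS = [
    ("vpn-01", "CVE-1900-0001", 7.2),
    ("mail-01", "CVE-1900-0002", 6.5),
    ("web-01", "CVE-1900-0003", 9.8),   # highest CVSS, but not in KEV
]

def load_kev(feed_json):
    """Index the KEV feed by CVE ID so each scanner finding is a dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(findings, kev, today_iso):
    """Return findings as (host, cve, cvss, kev_due_date or None, overdue), ordered
    KEV entries first (earliest BOD 22-01 due date first), then non-KEV by CVSS descending."""
    today = date.fromisoformat(today_iso)
    rows = []
    for host, cve, cvss in findings:
        entry = kev.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        overdue = due is not None and due < today
        rows.append((host, cve, cvss, due, overdue))
    # A KEV listing outranks any CVSS score; within KEV, the nearest due date wins.
    rows.sort(key=lambda r: (r[3] is None, r[3] or date.max, -r[2]))
    return rows

if __name__ == "__main__":
    for row in prioritize(SCAN_FINDINGS, load_kev(KEV_FEED), "2024-02-15"):
        print(row)
```

The dueDate values in the feed are the federal BOD 22-01 deadlines; non-federal teams can still use them as a ready-made urgency signal.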


Our database is automatically synced with the CISA KEV catalog.