What Is the CISA KEV Catalog? Known Exploited Vulnerabilities
Tens of thousands of vulnerabilities are published yearly, but only a fraction are actually exploited. The CISA KEV catalog is the authoritative list of which ones — making it the ultimate patch-first signal.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
The CISA KEV catalog — the Known Exploited Vulnerabilities catalog — is an authoritative, continuously updated list of vulnerabilities that have been confirmed to be actively exploited in the wild. It's maintained by CISA, the U.S. Cybersecurity and Infrastructure Security Agency. While tens of thousands of new CVEs are published every year, only a small fraction are ever actually used by attackers. The KEV catalog cuts through that noise by answering the single most important question in vulnerability management: which vulnerabilities are attackers really exploiting right now? If a flaw is on the KEV list, it's not theoretical — it's being weaponized.
In short: the KEV catalog is the "patch these first, no debate" list. It turns the overwhelming flood of vulnerabilities into a focused set of confirmed, real-world threats.
Why the KEV catalog exists
For years, organizations prioritized patching primarily by CVSS severity scores. But severity measures potential impact, not whether anyone is actually exploiting a flaw — and many "critical" vulnerabilities are never weaponized, while some "medium" ones are exploited within days. This led teams to waste effort on high-scoring flaws that posed little real-world risk while genuine threats hid among lower scores. CISA created the KEV catalog to provide a clear, evidence-based signal of real exploitation, so defenders could focus their limited time on the vulnerabilities that demonstrably matter.
How a vulnerability gets added
CISA adds a CVE to the KEV catalog only when it meets three strict criteria:
- It has an assigned CVE ID — it's a formally identified, recognized vulnerability.
- There is reliable evidence of active exploitation in the wild — not just a proof-of-concept or theoretical risk, but confirmed real-world attacks.
- There is clear remediation guidance, such as a vendor patch or a defined mitigation, so organizations can actually act.
This high bar is what makes the catalog trustworthy: every entry represents a vulnerability that is genuinely being exploited and that you can do something about.
What each entry includes
Each KEV entry provides the CVE ID, the affected vendor and product, a short description, the date it was added, the required remediation action, and a due date by which it should be fixed. That due date ties into the catalog's regulatory weight.
The federal mandate — and why everyone uses it
The KEV catalog underpins a binding U.S. directive (Binding Operational Directive 22-01) that requires federal civilian agencies to remediate KEV-listed vulnerabilities by their due dates. But its influence extends far beyond government. Because the catalog is a free, authoritative, evidence-based source of what's actually being exploited, organizations of every kind worldwide have adopted it as a top-priority patching signal. Many frame their own policy simply: anything on the KEV list gets patched first, period.
How to use the KEV catalog
- Patch KEV-listed vulnerabilities first. Confirmed exploitation trumps everything — these belong at the very top of your remediation queue.
- Cross-reference your assets. Match the catalog against your inventory to find which KEV vulnerabilities exist in your environment.
- Integrate it into your tooling. Many vulnerability scanners and management platforms flag KEV-listed flaws automatically.
- Combine it with other signals. Use KEV for confirmed exploitation, then EPSS for likelihood and CVSS for severity to prioritize everything not yet on the list.
KEV vs CVSS vs EPSS
These three work best together, each answering a different question. CVSS measures how severe a vulnerability is. EPSS predicts how likely it is to be exploited soon. KEV confirms what is being exploited right now. In a sound prioritization workflow, you patch KEV first (confirmed exploitation), then high-EPSS flaws (likely exploitation), then order the rest by CVSS severity and asset context. We cover this blend in depth in our guide to CVSS vs EPSS.
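As an added example (not code from this page or from CISA), the workflow described in the list above and in this section, cross-referencing a KEV feed against scanner findings and ordering the queue KEV first, then high-EPSS, then CVSS with asset context, worked through in Python. The KEV field names (cveID, dueDate, and so on) are assumed to mirror CISA's public JSON feed; the CVE ids, scores, assets and dates are constructed placeholders.

```python
import json
from datetime import date
# Constructed sample shaped like the public KEV JSON feed (field names are an
# assumption about that feed; the CVE ids, dates and products are placeholders).
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "Gateway",
  "dateAdded": "2024-01-10", "requiredAction": "Apply vendor patch", "dueDate": "2024-01-31"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "Portal",
  "dateAdded": "2024-02-01", "requiredAction": "Apply vendor patch", "dueDate": "2024-02-22"}]}"""
# Constructed scanner findings: which CVE sits on which asset, with a 1-3 criticality.
FINDINGS = [
    {"cve": "CVE-0000-0002", "asset": "web-01", "criticality": 2},
    {"cve": "CVE-0000-0001", "asset": "vpn-01", "criticality": 3},
    {"cve": "CVE-0000-0003", "asset": "db-01", "criticality": 3},   # medium CVSS, high EPSS
    {"cve": "CVE-0000-0004", "asset": "lab-01", "criticality": 1},  # critical CVSS, low EPSS
    {"cve": "CVE-0000-0005", "asset": "hr-01", "criticality": 2},
]
EPSS = {"CVE-0000-0003": 0.71, "CVE-0000-0004": 0.02, "CVE-0000-0005": 0.02}  # constructed
CVSS = {"CVE-0000-0003": 6.5, "CVE-0000-0004": 9.8, "CVE-0000-0005": 7.5}     # constructed
AS_OF = date(2024, 2, 10)  # fixed "today" so the overdue check is reproducible

def load_kev(raw_json):
    """Index KEV entries by CVE id for O(1) cross-referencing against findings."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}

def prioritize(findings, kev, epss, cvss, as_of, epss_threshold=0.5):
    """Order findings KEV -> high EPSS -> CVSS, using asset criticality as tie-break."""
    kev_tier, epss_tier, cvss_tier = [], [], []
    for f in findings:
        cve = f["cve"]
        if cve in kev:  # confirmed exploitation: the KEV due date drives the order
            due = date.fromisoformat(kev[cve]["dueDate"])
            kev_tier.append({**f, "tier": "KEV", "due": due, "overdue": due < as_of})
        elif epss.get(cve, 0.0) >= epss_threshold:  # likely exploitation
            epss_tier.append({**f, "tier": "EPSS", "epss": epss[cve]})
        else:  # everything else: severity plus asset context
            cvss_tier.append({**f, "tier": "CVSS", "cvss": cvss.get(cve, 0.0)})
    kev_tier.sort(key=lambda f: (f["due"], -f["criticality"]))
    epss_tier.sort(key=lambda f: (-f["epss"], -f["criticality"]))
    cvss_tier.sort(key=lambda f: (-f["cvss"], -f["criticality"]))
    return kev_tier + epss_tier + cvss_tier

def run_example():
    """Run the workflow over the constructed data and return the ordered queue."""
    return prioritize(FINDINGS, load_kev(KEV_JSON), EPSS, CVSS, AS_OF)

if __name__ == "__main__":
    for f in run_example():
        print(f"{f['tier']:4} {f['cve']} on {f['asset']}" + (" (OVERDUE)" if f.get("overdue") else ""))
```

Note that the CVSS 9.8 finding lands fourth, below a CVSS 6.5 flaw with a high EPSS score, which is exactly the severity-versus-exploitation distinction the page makes.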
Limitations
The KEV catalog is invaluable but not complete. It only includes known exploitation, so a brand-new zero-day may be exploited before it appears. It's also inherently slightly lagging — a vulnerability has to be observed being exploited before it's added. So KEV is a powerful "must-patch" floor, not the entire picture: you still need broader vulnerability management and threat intelligence to catch what isn't yet listed.
How the KEV catalog changed vulnerability management
The KEV catalog has had an outsized influence on how organizations think about patching — far beyond the federal agencies legally bound to it. Before KEV, the dominant question was "how severe is this vulnerability?" KEV reframed it to "is this vulnerability actually being exploited?" — a shift from theoretical severity toward demonstrated, real-world risk. That reframing helped popularize the broader move to risk-based vulnerability management, where confirmed exploitation and likelihood matter as much as raw severity scores.
Practically, the catalog gave organizations of every size something they previously lacked: a free, trustworthy, vendor-neutral source of ground truth about exploitation, maintained by a government agency with broad visibility. Security teams use it to justify emergency patching to management ("this is on the federal must-patch list"), to set internal remediation SLAs ("KEV-listed flaws are patched within X days"), and to cut through vendor hype about which vulnerabilities truly demand urgent attention. In doing so, the KEV catalog has become one of the most widely referenced and operationally useful resources in all of cybersecurity — a rare example of a simple, well-curated list reshaping an entire discipline's priorities.
Where threat intelligence fits
The KEV catalog is essentially curated threat intelligence about exploitation. Pairing it with broader intelligence — early reporting on emerging exploitation, campaigns targeting your sector, and new zero-days — lets you act even before a vulnerability is formally added. Our live threat intelligence feed surfaces reporting on newly and actively exploited vulnerabilities, complementing the KEV catalog with real-time awareness.
The bottom line
The CISA KEV catalog is the authoritative list of vulnerabilities confirmed to be actively exploited in the wild, added only when there's a CVE, reliable evidence of exploitation, and clear remediation. It mandates patching for U.S. federal agencies and has become the world's go-to "patch-first" signal because it focuses scarce effort on real, demonstrated threats. Use it at the top of your prioritization — alongside EPSS, CVSS, and current intelligence to cover what it can't yet see.
Frequently asked questions
What is the CISA KEV catalog?
The CISA Known Exploited Vulnerabilities (KEV) catalog is an authoritative, continuously updated list of vulnerabilities confirmed to be actively exploited in the wild, maintained by the U.S. Cybersecurity and Infrastructure Security Agency. It identifies which of the many published vulnerabilities attackers are really using.
How does a vulnerability get added to the KEV catalog?
CISA adds a vulnerability only when it meets three criteria: it has an assigned CVE ID, there is reliable evidence of active exploitation in the wild (not just a proof-of-concept), and there is clear remediation guidance such as a vendor patch or defined mitigation.
Why is the KEV catalog important?
It cuts through the noise of tens of thousands of yearly CVEs by confirming which are actually being exploited, so teams can prioritize patching real threats over theoretical ones. It also underpins a binding U.S. federal directive and has become a global "patch-first" standard.
What is the difference between KEV, CVSS, and EPSS?
CVSS measures how severe a vulnerability is, EPSS predicts how likely it is to be exploited soon, and KEV confirms what is being exploited right now. Best practice is to patch KEV-listed flaws first, then high-EPSS ones, then order the rest by CVSS severity and asset context.
Does the KEV catalog cover zero-days?
Only after exploitation is observed. The KEV catalog includes known exploitation, so a brand-new zero-day may be exploited before it's added, and the catalog is inherently slightly lagging. It's a powerful "must-patch" floor but should be paired with broader vulnerability management and threat intelligence.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: