Vulnerability management has long been one of the most challenging disciplines in cybersecurity. Organizations routinely face tens of thousands of disclosed vulnerabilities each year, with over 29,000 CVEs published in 2023 alone. Traditional approaches that rely solely on CVSS severity scores often leave security teams overwhelmed, struggling to distinguish between vulnerabilities that pose theoretical risk and those actively being weaponized by threat actors.
The Known Exploited Vulnerabilities (KEV) catalog, maintained by the Cybersecurity and Infrastructure Security Agency (CISA), directly addresses this challenge. By cataloging vulnerabilities with confirmed active exploitation in the wild, KEV provides an authoritative, evidence-based foundation for prioritizing remediation efforts. Rather than treating all critical-severity vulnerabilities equally, organizations can focus resources on the threats that attackers are actually using right now.
This threat-informed approach to vulnerability management has rapidly become a cornerstone of modern cybersecurity strategy, adopted not only by U.S. federal agencies under a binding directive but also by private-sector organizations worldwide seeking to reduce real-world risk.
What Is the Known Exploited Vulnerabilities (KEV) Catalog?
The Known Exploited Vulnerabilities catalog is a publicly available, continuously updated list of CVEs that CISA has confirmed are being actively exploited by threat actors. Established in November 2021 through Binding Operational Directive (BOD) 22-01, the catalog serves as the authoritative source for identifying vulnerabilities that pose the most immediate and tangible risk to organizations.
For a vulnerability to be added to the KEV catalog, it must meet three criteria:
- It has been assigned a CVE identifier.
- There is reliable evidence of active exploitation in the wild.
- A clear remediation action, such as a vendor-provided patch or documented mitigation, exists.
As of 2024, the catalog contains over 1,100 entries spanning operating systems, network devices, web applications, cloud platforms, and widely deployed enterprise software. While BOD 22-01 requires federal civilian executive branch agencies to remediate KEV entries within prescribed timelines, CISA strongly recommends that all organizations, public and private, use the catalog as a prioritization tool.
How the KEV Catalog Works
Vulnerability Identification and Validation
CISA continuously monitors threat intelligence sources, incident reports, vendor advisories, and security research to identify vulnerabilities with confirmed exploitation activity. Each candidate undergoes validation to ensure the evidence of active exploitation is credible and documented before inclusion.
Catalog Publication and Updates
Once validated, vulnerabilities are added to the publicly accessible KEV catalog, which is updated on a rolling basis. Each entry includes the CVE identifier, vendor and product information, a description of the vulnerability, the date added, and the required remediation deadline for federal agencies.
Remediation Timelines
BOD 22-01 establishes specific remediation timelines for federal agencies, typically 14 days for internet-facing vulnerabilities and longer windows for internal systems. Private-sector organizations can adopt similar timelines aligned with their risk tolerance and operational constraints.
Integration with Vulnerability Management Programs
Organizations integrate the KEV catalog into their existing vulnerability management workflows by cross-referencing scan results, asset inventories, and patch management systems against KEV entries. This enables automated prioritization, ensuring that actively exploited vulnerabilities are flagged for immediate remediation regardless of their CVSS score.
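As an added example (not code from the page, from CISA, or from any vendor), the following Python script shows the cross-referencing step described above: it loads a constructed sample in the shape of the KEV JSON feed, indexes it by CVE id, joins scanner findings against it, and ranks every KEV match ahead of every non-KEV finding regardless of CVSS score, computing the organization's own deadline from the entry's date added and the asset's exposure. The feed field names (cveID, vendorProject, product, dateAdded, requiredAction, dueDate) mirror CISA's published JSON feed as I understand it; the CVE ids, products, hostnames, dates, and the 90-day internal window are assumptions chosen for the example.

```python
"""Cross-reference scan findings against a KEV feed and rank remediation.

Added example, not the page's or CISA's code. Field names follow the
structure of CISA's KEV JSON feed as I understand it; all ids, products,
hosts and dates are constructed placeholders.
"""
from __future__ import annotations

import json
from datetime import date, timedelta

# Constructed sample in the shape of the KEV JSON feed (two entries).
KEV_FEED_JSON = """
{
  "title": "Known Exploited Vulnerabilities (constructed sample)",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2000-0001",
      "vendorProject": "ExampleVendor",
      "product": "EdgeGateway",
      "vulnerabilityName": "ExampleVendor EdgeGateway Authentication Bypass",
      "dateAdded": "2024-03-01",
      "shortDescription": "Constructed placeholder description.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2024-03-22"
    },
    {
      "cveID": "CVE-2000-0002",
      "vendorProject": "ExampleVendor",
      "product": "DataStore",
      "vulnerabilityName": "ExampleVendor DataStore Deserialization",
      "dateAdded": "2024-03-20",
      "shortDescription": "Constructed placeholder description.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2024-04-10"
    }
  ]
}
"""

# Constructed scanner output: one finding per (asset, CVE) with the scanner's
# CVSS base score and the asset inventory's internet-facing flag.
SCAN_FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-2000-0001", "cvss": 6.5, "internet_facing": True},
    {"asset": "db-03",     "cve": "CVE-2000-0002", "cvss": 7.5, "internet_facing": False},
    {"asset": "web-02",    "cve": "CVE-2000-0003", "cvss": 9.8, "internet_facing": True},
    {"asset": "hr-app-01", "cve": "CVE-2000-0004", "cvss": 5.3, "internet_facing": False},
]

# Assumed reporting date so the example is reproducible offline.
REPORT_DATE = date(2024, 3, 25)


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index the KEV feed by CVE id so each scan finding is an O(1) lookup."""
    feed = json.loads(feed_json)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def prioritize(findings, kev, today, external_days=14, internal_days=90):
    """Rank findings: KEV hits first (most overdue first), then the rest by CVSS.

    The organization's own deadline is derived from dateAdded: a 14-day window
    for internet-facing assets and a longer window (internal_days, an assumed
    value) for internal systems, mirroring the timeline structure the page describes.
    """
    ranked = []
    for finding in findings:
        entry = kev.get(finding["cve"].upper())
        row = dict(finding, in_kev=entry is not None)
        if entry:
            added = date.fromisoformat(entry["dateAdded"])
            window = external_days if finding["internet_facing"] else internal_days
            deadline = added + timedelta(days=window)
            row.update(
                vendor=entry["vendorProject"],
                product=entry["product"],
                required_action=entry["requiredAction"],
                deadline=deadline.isoformat(),
                days_remaining=(deadline - today).days,
                tier="kev-overdue" if deadline < today else "kev-due",
            )
        else:
            row.update(tier="standard", days_remaining=None)
        ranked.append(row)

    def sort_key(row):
        # Any KEV finding outranks any non-KEV finding, whatever its CVSS score;
        # within KEV, the least time remaining (most overdue) comes first.
        if row["in_kev"]:
            return (0, row["days_remaining"], -row["cvss"])
        return (1, 0, -row["cvss"])

    return sorted(ranked, key=sort_key)


if __name__ == "__main__":
    for row in prioritize(SCAN_FINDINGS, load_kev(KEV_FEED_JSON), REPORT_DATE):
        print(f'{row["tier"]:<12} {row["asset"]:<10} {row["cve"]} '
              f'cvss={row["cvss"]} due={row.get("deadline", "-")}')
```

The point the ranking makes concrete is the one in the paragraph above: the internet-facing gateway with a CVSS 6.5 finding lands at the top because it is in KEV and past its window, while the CVSS 9.8 finding that is not in KEV falls into the standard tier to be handled by the regular scanning cadence. In a real pipeline the feed would be fetched from CISA on a schedule and the findings pulled from the scanner's API; the join logic is unchanged.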
Key Characteristics of the KEV Catalog
- Evidence-based prioritization: Every KEV entry is backed by confirmed active exploitation, eliminating guesswork and enabling organizations to focus on threats with demonstrated real-world impact.
- Publicly accessible and vendor-neutral: The catalog is freely available and covers vulnerabilities across all vendors, platforms, and technologies, making it a universal prioritization resource.
- Continuously updated: Unlike static annual reports, the KEV catalog is updated as new exploitation activity is confirmed, providing near-real-time threat intelligence.
- Actionable by design: Each entry requires that a known remediation path exists, ensuring organizations can act immediately upon identification.
- Compliance alignment: The KEV catalog supports compliance with frameworks including the NIST Cybersecurity Framework, ISO 27001, PCI DSS, and HIPAA by providing documented evidence of risk-based vulnerability prioritization.
Applications and Business Impact of the KEV Catalog
- Vulnerability prioritization: Organizations use KEV to cut through the noise of thousands of CVEs and focus patching efforts on vulnerabilities that attackers are actively targeting. Research from Gartner emphasizes that fewer than 10 percent of published vulnerabilities are ever exploited in the wild, making this prioritization critical.
- Risk-based decision making: By aligning remediation with confirmed threat activity, security leaders can communicate risk to executives and boards in concrete, defensible terms.
- Regulatory and compliance support: Federal agencies must comply with BOD 22-01, while private-sector organizations demonstrate due diligence by incorporating KEV into their vulnerability management programs during audits and compliance assessments.
- Threat intelligence enrichment: KEV data enriches existing security operations by providing context that enhances SIEM alerts, threat hunting, and incident response workflows.
- Supply chain risk management: Organizations can assess third-party and vendor risk by evaluating exposure to KEV-listed vulnerabilities across their supply chain.
Challenges and Limitations of the KEV Catalog
- Coverage gaps: The catalog only includes vulnerabilities with confirmed exploitation evidence and available remediation. Zero-day vulnerabilities being exploited without public disclosure or vendor patches may not appear immediately.
- Lag in inclusion: There can be a delay between initial exploitation activity and formal addition to the catalog, during which organizations remain exposed if they rely solely on KEV for prioritization.
- Not a complete vulnerability management strategy: KEV addresses the highest-priority threats but does not replace comprehensive vulnerability scanning, risk assessment, and defense-in-depth practices.
- Remediation feasibility: Some organizations, particularly those with legacy systems or operational technology environments, may face significant challenges meeting aggressive remediation timelines due to system dependencies, change management requirements, or lack of vendor support.
- Over-reliance risk: Using KEV as the sole prioritization mechanism may cause organizations to deprioritize vulnerabilities that, while not yet actively exploited, could be weaponized in the near future.
The Future of the KEV Catalog
As the threat landscape accelerates, the KEV catalog is evolving from a static list into a dynamic intelligence feed integrated into automated security workflows. CISA continues expanding the catalog and improving the speed of inclusion as exploitation intelligence matures.
Future developments are likely to include deeper integration with automated patch management platforms, SOAR systems, and continuous threat exposure management (CTEM) programs. Machine learning and predictive analytics may complement the catalog by identifying vulnerabilities at high risk of imminent exploitation, enabling preemptive action before active exploitation is confirmed.
The broader adoption of threat-informed defense models, aligned with frameworks like MITRE ATT&CK, will further position KEV as a foundational element of risk-based vulnerability management across both public and private sectors globally.
Conclusion
The Known Exploited Vulnerabilities catalog represents a fundamental shift in how organizations approach vulnerability management. By grounding prioritization in confirmed exploitation activity rather than theoretical severity scores, KEV enables security teams to allocate limited resources where they will have the greatest impact on reducing real-world risk.
While the catalog is not a substitute for a comprehensive vulnerability management program, it provides an indispensable prioritization layer that bridges the gap between raw vulnerability data and actionable, threat-informed remediation. In an environment where attackers weaponize vulnerabilities faster than most organizations can patch, leveraging the KEV catalog is no longer optional for any organization serious about proactive cybersecurity defense.