CISA's Known Exploited Vulnerabilities (KEV) catalog lists CVEs that are actively being exploited in the wild. Pairing KEV data with SBOMs lets you instantly identify which of your software components are affected by real-world attacks — not just theoretical risks.
A KEV (Known Exploited Vulnerability) is a vulnerability that has been confirmed as actively exploited in the wild. The CISA Known Exploited Vulnerabilities Catalog, maintained by the Cybersecurity and Infrastructure Security Agency, is the authoritative list of these vulnerabilities. Unlike CVE databases that catalog all publicly known flaws, or CVSS scores that estimate theoretical severity, the KEV catalog answers a more urgent question: is this vulnerability being exploited right now?
What Is the KEV Catalog?
The CISA KEV catalog is a curated list of CVE vulnerabilities that have reliable evidence of active exploitation. CISA launched the catalog in November 2021 alongside Binding Operational Directive (BOD) 22-01, which requires U.S. federal civilian executive branch (FCEB) agencies to remediate KEV-listed vulnerabilities within specified timeframes.
As of early 2026, the KEV catalog contains nearly 1,500 entries. New vulnerabilities are added as CISA confirms evidence of exploitation, and each entry includes:
- CVE ID identifying the vulnerability
- Vendor and product affected
- Vulnerability name and description
- Date added to the catalog
- Due date for federal agency remediation
- Required action (typically “Apply updates per vendor instructions”)
- Known ransomware campaign use (yes/no flag)
The catalog is freely available as a JSON feed, a CSV download, and through the CISA website.
KEV vs. CVE vs. CVSS: How They Work Together
These three systems are complementary, not competing. Each answers a different question in the vulnerability management process.
| System | Question It Answers | Maintained By | Output |
|---|---|---|---|
| CVE | What is this vulnerability? | MITRE Corporation | Unique identifier (e.g., CVE-2021-44228) |
| CVSS | How severe is this vulnerability? | FIRST.org | Severity score (0.0-10.0) |
| KEV | Is this vulnerability being exploited? | CISA | Binary yes/no (listed or not) |
A CVE tells you a vulnerability exists. CVSS tells you how bad it could be. KEV tells you it is being exploited. Effective vulnerability prioritization uses all three signals together.
Consider two vulnerabilities, both with CVSS scores of 9.8 (Critical). One is listed in the KEV catalog; the other is not. The KEV-listed vulnerability should be patched first because there is confirmed evidence that attackers are actively exploiting it, whereas the other, while theoretically severe, may not have working exploits in circulation.
Binding Operational Directive 22-01
BOD 22-01 (“Reducing the Significant Risk of Known Exploited Vulnerabilities”) is the CISA directive that established the KEV catalog’s operational role. It requires FCEB agencies to:
- Review the KEV catalog on an ongoing basis
- Remediate each KEV vulnerability by the due date specified in the catalog
- Report their remediation status to CISA
While BOD 22-01 only legally binds federal civilian agencies, CISA strongly recommends that all organizations — including state and local governments, critical infrastructure operators, and private sector companies — use the KEV catalog as a prioritization input for their vulnerability management programs.
The remediation timelines in BOD 22-01 are aggressive. Newly added KEVs typically have due dates of two to three weeks from the date of addition. This reflects the urgency: if a vulnerability is being actively exploited, delayed patching means continued exposure.
How the KEV Catalog Is Maintained
CISA adds vulnerabilities to the KEV catalog based on three criteria, all of which must be met:
- The vulnerability has an assigned CVE ID. Only cataloged vulnerabilities with standard identifiers qualify.
- There is reliable evidence of active exploitation. This evidence may come from CISA’s own threat intelligence, reports from federal agencies, industry partners, or trusted cybersecurity organizations.
- A clear remediation action exists. Typically this means a vendor patch or mitigation is available. CISA does not add vulnerabilities for which there is no known fix, as doing so would disclose exploited flaws without offering a path to resolution.
Vulnerabilities are rarely removed from the KEV catalog once added — even after the remediation deadline passes. While CISA has removed entries in rare cases where evidence of exploitation was later found insufficient, the catalog serves primarily as a persistent historical record of exploitation activity.
Using the KEV Catalog for Patch Prioritization
Most organizations face far more vulnerabilities than they can patch simultaneously. The KEV catalog provides a practical prioritization signal that cuts through the noise.
A Prioritization Framework
A common approach combines CVSS severity with KEV status and deployment context:
- Critical + KEV-listed + Internet-facing — Patch immediately (within 24-48 hours)
- Critical + KEV-listed + Internal — Patch within the BOD 22-01 deadline (typically 2-3 weeks)
- Critical + Not KEV-listed — Patch within standard SLA (typically 30 days)
- High + KEV-listed — Treat as critical; patch within 2-3 weeks
- High + Not KEV-listed — Patch within standard SLA
- Medium/Low + Not KEV-listed — Schedule for regular maintenance windows
This framework is a starting point. Organizations should adjust based on their risk tolerance, asset criticality, and compensating controls.
The Ransomware Flag
Since October 2023, CISA has included a “Known Ransomware Campaign Use” flag in KEV entries, as part of its Ransomware Vulnerability Warning Pilot (RVWP). This binary indicator (yes/no) signals whether the vulnerability has been used in ransomware operations. Vulnerabilities flagged for ransomware use warrant heightened urgency due to the potential for data encryption and operational disruption.
KEV and SBOMs: Automated Monitoring
The real power of the KEV catalog emerges when combined with SBOMs. An SBOM provides a machine-readable inventory of every component in your software. The KEV catalog provides a machine-readable list of actively exploited vulnerabilities. Connecting the two creates automated, continuous monitoring.
How It Works
- Generate SBOMs for all your applications using tools from our SBOM generation guides
- Ingest SBOMs into a management platform such as sbomify or OWASP Dependency-Track
- Run vulnerability analysis — tools like Google OSV and Dependency-Track identify known CVEs in your SBOM components
- Cross-reference with KEV — check which of those CVEs appear in the KEV catalog to identify actively exploited vulnerabilities
- Prioritize remediation using the KEV due date and your deployment context
Because CISA adds new KEVs multiple times per week, building this cross-referencing into your workflow is important. The KEV catalog’s machine-readable formats make this feasible to automate.
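The following Python is an added example, not code from this page's author, sbomify, or CISA. It carries the five-step workflow above through from a vulnerability analysis result to a ranked patch list, and applies the tiers from "A Prioritization Framework" along the way. The KEV feed sample is constructed in the shape of the CISA JSON feed (the field names `cveID`, `dueDate`, `knownRansomwareCampaignUse` and so on follow the published schema as understood here, which is an assumption); the scan findings, purls and the `CVE-1900-*` identifiers are placeholders made up for the example. The framework on this page does not list a Medium/Low + KEV-listed combination, so the code treats any KEV-listed finding at least as urgently as High + KEV-listed, which is the example's own assumption.

```python
"""Cross-reference CVEs found in SBOM components against a CISA KEV feed and
rank them by patch urgency. Added example; not sbomify's or CISA's code."""
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed. Field names follow
# the feed schema as understood here (an assumption). CVE-1900-* IDs are
# placeholders, not real vulnerabilities; the Log4j2 entry is illustrative.
KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-1900-00001", "vendorProject": "ExampleVendor",
     "product": "ExampleLib", "vulnerabilityName": "Placeholder entry",
     "dateAdded": "2026-01-05", "dueDate": "2026-01-26",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed findings, as a vulnerability analysis step would emit them for
# SBOM components: purl, CVE, CVSS base score, and the deployment context of the
# application that ships the component.
SCAN_FINDINGS = [
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "cve": "CVE-2021-44228", "cvss": 10.0, "internet_facing": True},
    {"purl": "pkg:pypi/examplelib@1.0.0",
     "cve": "CVE-1900-00001", "cvss": 7.5, "internet_facing": False},
    {"purl": "pkg:npm/another-example@3.2.1",
     "cve": "CVE-1900-00002", "cvss": 9.8, "internet_facing": True},
    {"purl": "pkg:npm/yet-another@0.9.0",
     "cve": "CVE-1900-00003", "cvss": 5.3, "internet_facing": False},
]


def load_kev_index(feed_json):
    """Parse the KEV feed and index its entries by CVE ID for direct lookup."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def cvss_band(score):
    """Map a CVSS v3 base score onto its qualitative rating."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def priority_tier(band, in_kev, internet_facing):
    """Apply the page's framework; returns (tier, action), lower tier = sooner."""
    if in_kev:
        if band == "Critical" and internet_facing:
            return 1, "Patch immediately (within 24-48 hours)"
        # Critical + internal and High + KEV both get the BOD 22-01 deadline.
        # Medium/Low + KEV is not in the page's table; treating it the same way
        # is this example's assumption.
        return 2, "Patch by the KEV due date (typically 2-3 weeks)"
    if band in ("Critical", "High"):
        return 3, "Patch within standard SLA (typically 30 days)"
    return 4, "Schedule for regular maintenance window"


def prioritize(findings, kev_index, today_iso):
    """Cross-reference findings with the KEV index and rank them by urgency."""
    today = date.fromisoformat(today_iso)
    ranked = []
    for f in findings:
        entry = kev_index.get(f["cve"])
        band = cvss_band(f["cvss"])
        tier, action = priority_tier(band, entry is not None, f["internet_facing"])
        ransomware = entry is not None and entry.get("knownRansomwareCampaignUse") == "Known"
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        ranked.append({
            "purl": f["purl"], "cve": f["cve"], "cvss": f["cvss"], "band": band,
            "in_kev": entry is not None, "ransomware": ransomware,
            "kev_due_date": due.isoformat() if due else None,
            "overdue": due is not None and due < today,
            "tier": tier, "action": action,
        })
    # Urgency tier first, ransomware-flagged entries before others, then CVSS.
    ranked.sort(key=lambda r: (r["tier"], not r["ransomware"], -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(SCAN_FINDINGS, load_kev_index(KEV_FEED_JSON), "2026-01-15"):
        flag = " [RANSOMWARE]" if r["ransomware"] else ""
        print(f"T{r['tier']} {r['cve']} {r['band']} kev={r['in_kev']}{flag} -> {r['action']}")
```

In a real pipeline, `KEV_FEED_JSON` would be the downloaded feed and `SCAN_FINDINGS` the output of Dependency-Track, Grype, or an OSV query over the SBOM; the `overdue` field is what makes a stale KEV-listed component visible even when its CVSS score alone would not have moved it up the queue.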
Integration Points
Several tools and data sources support KEV-SBOM workflows:
- CISA KEV JSON feed — Machine-readable, updated as new KEVs are added
- sbomify — SBOM management platform with vulnerability analysis via Google OSV integration
- OWASP Dependency-Track — Ingests SBOMs and performs vulnerability analysis using multiple data sources
- Grype — Command-line vulnerability scanner that takes an SBOM (or a container image or filesystem) as input and matches its components against vulnerability data
- OSV — Google’s open source vulnerability database
For a comprehensive list of analysis tools, see our SBOM resources page.
KEV in the Compliance Context
The KEV catalog intersects with several compliance frameworks:
- Executive Order 14028 directs agencies to improve vulnerability management, and KEV provides the prioritization mechanism.
- CISA minimum elements recommend unique identifiers (like purl or CPE) in SBOMs, enabling automated matching against KEV entries.
- NIST SP 800-53 SI-5 requires receiving and acting on security alerts and advisories — the KEV catalog is a primary source for this control.
- EU CRA requires vulnerability handling processes, and KEV status is a valuable input for prioritizing which vulnerabilities to address first.
Frequently Asked Questions
What is a KEV?
A KEV (Known Exploited Vulnerability) is a CVE vulnerability that CISA has confirmed is being actively exploited in real-world attacks. The CISA KEV catalog lists these vulnerabilities along with remediation deadlines and required actions. Being listed in the KEV catalog means the vulnerability is not just theoretically dangerous — it is being used by attackers right now.
What is the KEV catalog?
The CISA Known Exploited Vulnerabilities Catalog is a curated, continuously updated list of CVE vulnerabilities with confirmed active exploitation. Established by Binding Operational Directive 22-01, it requires U.S. federal agencies to remediate listed vulnerabilities within specified timeframes. The catalog is freely available as JSON, CSV, and via the CISA website, and is widely used by both government and private sector organizations for patch prioritization.
How is KEV different from CVE?
CVE is a system for assigning unique identifiers to all publicly known vulnerabilities, regardless of whether they are being exploited. The KEV catalog is a curated subset of CVEs that have confirmed evidence of active exploitation. There are over 330,000 CVE entries but only about 1,500 KEV entries. A CVE tells you a vulnerability exists; a KEV listing tells you attackers are actively using it.
Who must comply with the KEV catalog?
BOD 22-01 legally requires U.S. federal civilian executive branch (FCEB) agencies to remediate KEV-listed vulnerabilities by the specified due dates. However, CISA strongly recommends that all organizations use the KEV catalog for prioritization. Many private sector organizations, state and local governments, and critical infrastructure operators have adopted KEV as a standard input to their vulnerability management programs.
How can I monitor the KEV catalog automatically?
Generate SBOMs for your applications, ingest them into a vulnerability management platform like OWASP Dependency-Track, and use vulnerability analysis to identify known CVEs in your components. Then cross-reference those CVEs against the KEV catalog. CISA publishes the KEV catalog as a machine-readable JSON feed that can be consumed by automated tools.