Cybersecurity Technologies

KEV (Known Exploited Vulnerabilities)

The Known Exploited Vulnerabilities catalog, commonly called KEV, is a curated list maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) of software vulnerabilities with confirmed evidence of active exploitation in the wild. Unlike databases that list all known vulnerabilities, KEV only includes entries where exploitation has been verified, making it a high-signal source for prioritizing the vulnerabilities that attackers are actually using right now.

What is the KEV catalog?

The Known Exploited Vulnerabilities catalog is CISA's authoritative list of vulnerabilities that are confirmed to be actively exploited by threat actors. Launched in November 2021 alongside Binding Operational Directive (BOD) 22-01, the KEV catalog answers the most important question in vulnerability management: which vulnerabilities are attackers actually using right now?

For a vulnerability to be added to the KEV catalog, it must meet three criteria:

  1. It has an assigned CVE ID. The vulnerability is formally cataloged in the Common Vulnerabilities and Exposures database.
  2. There's reliable evidence of active exploitation. Not theoretical risk or proof-of-concept code, but confirmed exploitation in real attacks.
  3. Clear remediation guidance exists. A patch, update, or mitigation is available so organizations can take action.

This three-part standard is what makes KEV different from broader vulnerability databases. The NVD lists over 200,000 CVEs. Your scanner might flag hundreds of findings in your environment. The KEV catalog tells you which of those are confirmed weapons in active use.

KEV by the numbers

The KEV catalog has grown significantly since its launch. According to Cyble, the catalog reached 1,484 entries by the end of 2025, a 20% increase from 1,239 at the end of 2024. CISA added 245 vulnerabilities during 2025, a 30% jump in the addition rate compared to the 185 added in 2024.

Another report found that nearly 900 KEV entries showed first evidence of exploitation during 2025, indicating an acceleration in the pace at which vulnerabilities are being weaponized.

CISA also flagged 24 of the 2025 additions as known to be exploited by ransomware groups, connecting the KEV catalog directly to the most financially damaging attack campaigns targeting organizations of all sizes.

Why the KEV catalog matters for startups

While BOD 22-01 legally binds federal civilian agencies to remediate KEV entries within prescribed timeframes, the catalog's value extends far beyond government compliance.

Here's why startups should pay attention to the Known Exploited Vulnerabilities list:

  1. It's the highest-signal prioritization source. Every vulnerability in the KEV catalog has confirmed exploitation in real attacks. Not theoretical risk, not proof-of-concept, but verified malicious use. When a vulnerability appears on KEV, it means someone is actively using it to compromise systems right now. For a startup with limited remediation capacity, KEV entries should jump to the front of your patch queue.
  2. It cuts through the noise. Your vulnerability scanner might report 300 findings. The KEV catalog tells you which of those 300 are being actively exploited. That context is the difference between treating all 300 as equal (and fixing none well) versus focusing on the 5 that represent real, immediate risk.
  3. Enterprise customers use it as a benchmark. Increasingly, enterprise procurement teams and compliance frameworks reference KEV remediation as a security maturity indicator. Demonstrating that you monitor the KEV catalog and prioritize its entries shows prospective customers you take a risk-based, intelligence-driven approach to vulnerability management.
  4. It integrates with CVSS and EPSS for complete prioritization. KEV, CVSS, and EPSS form a prioritization triad. CVSS tells you how severe a vulnerability is. EPSS estimates how likely it is to be exploited. KEV confirms it's already happening. A vulnerability that's high across all three is a genuine emergency. One that's high CVSS but absent from KEV and low EPSS can follow your standard remediation timeline.

How to use the KEV catalog in practice

For startups building a vulnerability management program, here's how to make the Known Exploited Vulnerabilities catalog actionable:

  • Automate KEV monitoring. Subscribe to CISA's KEV data feed or use tools that integrate KEV status into your vulnerability dashboard. When a vulnerability you're exposed to appears on KEV, you should know immediately, not during next month's security review.
  • Set aggressive SLAs for KEV entries. BOD 22-01 requires federal agencies to remediate KEV entries within specific timeframes (typically 2 to 3 weeks). Adopt similar urgency. If a KEV vulnerability exists in your environment, treat it as a drop-everything priority.
  • Cross-reference with your asset inventory. The KEV catalog is only useful if you know which of your assets are affected. Pair KEV monitoring with an accurate inventory of your software, dependencies, and infrastructure to quickly identify exposure.
  • Use KEV in board and investor conversations. Being able to say "we monitor CISA's Known Exploited Vulnerabilities catalog and maintain a 48-hour remediation SLA for any KEV entry in our environment" communicates security maturity far more effectively than vague assurances about security practices.
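The KEV cross-reference and the KEV/CVSS/EPSS triad described above, as an added example (not code from the original page or from CISA). It indexes a feed in the shape of CISA's KEV JSON (the field names match the real feed; the CVE IDs, products and scanner findings are constructed placeholders) and ranks findings with a 48-hour SLA for KEV hits, an assumption borrowed from the SLA quoted in the text.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed: field names match the
# real feed, but the CVE IDs and products are placeholders, not real KEV entries.
KEV_FEED_JSON = """{"title": "CISA Catalog of Known Exploited Vulnerabilities", "count": 2,
 "vulnerabilities": [
  {"cveID": "CVE-0000-11111", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
   "dateAdded": "2025-06-01", "requiredAction": "Apply mitigations per vendor instructions.",
   "dueDate": "2025-06-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-22222", "vendorProject": "ExampleVendor", "product": "ExampleLib",
   "dateAdded": "2025-07-10", "requiredAction": "Apply updates per vendor instructions.",
   "dueDate": "2025-07-31", "knownRansomwareCampaignUse": "Unknown"}]}"""

# Constructed scanner findings for our own assets: CVE, CVSS base score, EPSS probability.
FINDINGS = [
    {"asset": "vpn-01", "cve": "CVE-0000-11111", "cvss": 9.8, "epss": 0.93},
    {"asset": "api-02", "cve": "CVE-0000-33333", "cvss": 9.1, "epss": 0.02},
    {"asset": "web-03", "cve": "CVE-0000-22222", "cvss": 6.5, "epss": 0.40},
    {"asset": "db-04",  "cve": "CVE-0000-44444", "cvss": 4.3, "epss": 0.01},
]
KEV_SLA = timedelta(hours=48)  # internal SLA from the text; the 48h figure is an example choice
TIER_ORDER = {"P0-KEV-ransomware": 0, "P0-KEV": 1, "P1": 2, "P2": 3}

def load_kev(feed_json):
    """Index the KEV feed by CVE ID for constant-time lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def triage(findings, kev, now_iso):
    """Rank findings: KEV hits first with a 48h deadline, then the CVSS/EPSS triad."""
    now = datetime.fromisoformat(now_iso)
    out = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry:  # confirmed exploitation: drop-everything priority, ransomware use first
            tier = "P0-KEV-ransomware" if entry["knownRansomwareCampaignUse"] == "Known" else "P0-KEV"
            due, action = (now + KEV_SLA).isoformat(timespec="minutes"), entry["requiredAction"]
        elif f["cvss"] >= 9.0 and f["epss"] >= 0.5:  # severe and likely, but not yet on KEV
            tier, due, action = "P1", None, "patch within the high-severity window"
        else:  # high CVSS alone, with low EPSS and no KEV entry, follows the normal timeline
            tier, due, action = "P2", None, "standard remediation timeline"
        out.append({**f, "tier": tier, "due": due, "action": action})
    return sorted(out, key=lambda r: (TIER_ORDER[r["tier"]], -r["epss"], -r["cvss"]))

if __name__ == "__main__":
    for r in triage(FINDINGS, load_kev(KEV_FEED_JSON), datetime.now().isoformat()):
        print(r["tier"], r["asset"], r["cve"], r["due"], r["action"])
```

In production, replace `KEV_FEED_JSON` with the downloaded feed and `FINDINGS` with your scanner export; the ranking logic stays the same.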

Frequently asked questions

Is the CISA KEV catalog only for federal agencies?

No. BOD 22-01, which mandates KEV remediation within specific timeframes, applies only to federal civilian executive branch (FCEB) agencies. But CISA explicitly recommends all organizations, public and private, use the KEV catalog as a prioritization resource. In practice, the KEV catalog has become a widely adopted benchmark across industries. Enterprise customers, compliance auditors, and cyber insurance providers increasingly reference KEV as an indicator of vulnerability management maturity, making it relevant for startups well beyond the federal government.

How often is the KEV catalog updated?

CISA adds new entries to the Known Exploited Vulnerabilities catalog on a rolling basis, typically multiple times per week. In 2025, CISA added 245 new entries over the course of the year. Each addition includes the CVE ID, vendor and product details, a description of the vulnerability, the required remediation action, and a due date for federal agencies. You can monitor updates through CISA's alerts page, the KEV JSON/CSV data feed, or security tools that integrate KEV data automatically.

What's the difference between KEV and the National Vulnerability Database?

The NVD is comprehensive: it catalogs virtually every published CVE (over 200,000) with CVSS severity scores, regardless of whether the vulnerability has ever been exploited. The KEV catalog is selective: it only includes vulnerabilities with confirmed active exploitation, clear remediation guidance, and an assigned CVE. Think of the NVD as the encyclopedia of all known vulnerabilities and the KEV as the short list of ones actually being used in attacks right now. Both are valuable, but for prioritization purposes, KEV status is a much stronger signal of immediate risk.