VIRTUAL ARENA AI

CISA KEV: vulnerabilities with confirmed active exploitation

Among more than 6,000 CVEs published per month, 54 have something the others don't: active exploitation confirmed by the US government. These are the top priority for any security team.

What is the CISA KEV catalog

The Known Exploited Vulnerabilities (KEV) catalog is maintained by the US Cybersecurity and Infrastructure Security Agency (CISA). An entry in the KEV means CISA has evidence that malicious actors are actively exploiting that vulnerability in real environments, not in a lab.

US federal agencies are required to remediate KEVs within a defined deadline. For the private sector, the KEV functions as a top-priority list: if your organization uses any product affected by a KEV, the fix cannot wait for the next maintenance window.

Recent VAIA signals

  • 54 active CISA KEV entries. Of 6,153 CVEs published in 30 days — 0.9% with confirmed active exploitation. Signal: sec-cisa-kev-v2 (92).
  • 559 critical CVEs (CVSS ≥ 9.0). High score ≠ active exploitation. KEV is the filter that converts "critical on paper" into "critical in practice".
  • 381 HN pts — TanStack Router compromised. Supply chain attack via npm: mainstream framework compromised. Signal: sec-supply-chain-npm-2026 (90).

How to use CISA KEV in practice

  1. Product inventory
    Map all products and versions in your environment. Without inventory, you don't know if you're exposed.
  2. Cross-check against KEV daily
    CISA updates the catalog continuously. A new KEV entry can make your infrastructure urgent within hours.
  3. Prioritize the patch ahead of the maintenance window
    KEVs don't wait for monthly maintenance windows. Active exploitation requires response outside the normal cycle.
  4. Communicate to the board as operational risk
    Security is now board language. KEVs are the most concrete argument for prioritizing response resources. Signal: sec-board-language (88).
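
Steps 1 to 3 as a daily job, shown here as an added example that is not part of the original page: it matches an inventory against KEV entries and orders the hits for patching. It assumes the field names of CISA's public KEV JSON feed; the inventory layout, the helper names and every sample value (CVE ids, vendors, dates) are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. Field names follow the
# feed; every value (CVE ids, vendors, dates) is a made-up placeholder.
SAMPLE_KEV = json.loads("""
{"catalogVersion": "0000.00.00", "count": 3, "vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
  "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
  "dateAdded": "2025-01-12", "dueDate": "2025-02-02", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Hypervisor",
  "dateAdded": "2024-12-01", "dueDate": "2024-12-22", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed inventory rows: (vendor, product, owning team).
INVENTORY = [
    ("examplevendor", "edge  gateway", "netops"),
    ("ExampleVendor", "Mail Server", "messaging"),
    ("OtherVendor", "Hypervisor", "platform"),
    ("ThirdVendor", "Wiki", "it"),
]

def norm(name):
    """Case- and whitespace-insensitive key for vendor/product names."""
    return " ".join(name.lower().split())

def match_inventory(kev, inventory, since=None):
    """KEV entries that hit the inventory, optionally only those added on/after `since` (ISO date)."""
    owners = {(norm(v), norm(p)): team for v, p, team in inventory}
    cutoff = date.fromisoformat(since) if since else None
    hits = []
    for entry in kev["vulnerabilities"]:
        if cutoff and date.fromisoformat(entry["dateAdded"]) < cutoff:
            continue  # already triaged in an earlier daily run
        team = owners.get((norm(entry["vendorProject"]), norm(entry["product"])))
        if team is None:
            continue
        # KEV entries carry no version ranges: a hit means "check the vendor advisory".
        hits.append({"cve": entry["cveID"], "owner": team, "due": entry["dueDate"],
                     "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    # Known ransomware use first, then earliest remediation due date.
    return sorted(hits, key=lambda h: (not h["ransomware"], h["due"]))

if __name__ == "__main__":
    for hit in match_inventory(SAMPLE_KEV, INVENTORY, since="2025-01-01"):
        print(hit)
```

Exact name matching after normalization is a simplification; real inventories usually need a vendor/product alias table before the lookup.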

What to track

  • New KEV entries in Microsoft, Cisco, Fortinet and VMware products — historically the most exploited.
  • Time between CVE publication and KEV entry — the shorter, the more aggressive the threat actor.
  • npm/PyPI packages with advisories related to active KEVs — supply chain amplifies exposure.
  • KEV + critical CVSS correlation: only the overlap of the two requires immediate action.