What the KEV Catalog Is and Why It Matters
The CISA Known Exploited Vulnerabilities catalog is a continuously updated list of CVEs that CISA has confirmed are being actively exploited in the wild. As of early 2026 it contains over 1,200 entries. Federal civilian agencies are required by Binding Operational Directive 22-01 to remediate KEV vulnerabilities within defined timelines. For private sector organizations, the catalog is a free, authoritative, and operationally current source of signal about which vulnerabilities adversaries are actually using.
This matters because most organizations have far more vulnerabilities in their environment than they have capacity to remediate quickly. CVSS scores, which are the most commonly used prioritization mechanism, measure theoretical severity rather than real-world exploitation. A CVE with a CVSS score of 9.8 that has no publicly available exploit and no reported exploitation is less urgent than a CVE with a CVSS score of 7.2 that is on the KEV list and being actively used in ransomware campaigns.
How to Integrate KEV into Your Vulnerability Management Program
Automate the Lookup
CISA publishes the KEV catalog as a JSON file that is updated when new entries are added. Most enterprise vulnerability management platforms including Tenable, Qualys, and Rapid7 now have built-in KEV integration that flags KEV vulnerabilities in scan results. Organizations that are not using a platform with built-in integration can automate the lookup using the CISA API and apply KEV status as a tag or priority attribute in their vulnerability tracking system.
Set Aggressive Timelines for KEV Items
Federal agencies are required to remediate KEV vulnerabilities within 2 weeks for known ransomware-associated vulnerabilities and 3 weeks for others. Private sector organizations should treat these timelines as reasonable targets. A KEV vulnerability on an internet-facing system should be treated as a critical priority regardless of its CVSS score.
Use KEV for Risk Communication
When communicating with leadership about patch management investments or IT remediation priorities, KEV provides an authoritative external reference that is more persuasive than internal risk assessments. Telling leadership that a vulnerability is on the government's active exploitation list is a more compelling case for prioritization than citing a CVSS score that leadership cannot contextualize.
KEV membership should be treated as a near-certain indicator of active adversary interest. If a vulnerability affecting your environment is on the KEV catalog and is not remediated, you should assume sophisticated adversaries are aware of your exposure and may be targeting it.
Beyond KEV: Complementary Prioritization Signals
KEV is a high-confidence signal but a lagging one. Vulnerabilities appear on the list after exploitation is confirmed, not before. Complementing KEV with the Exploit Prediction Scoring System, which uses machine learning to estimate the likelihood a CVE will be exploited, gives security teams a predictive signal that helps address emerging risks before they reach the KEV list. Combining CVSS base score, KEV status, EPSS score, and asset criticality produces a more complete prioritization framework than any single signal alone.
- Enable KEV integration in your vulnerability management platform or automate it using the CISA API
- Set remediation SLAs for KEV items that are more aggressive than your standard patch cadence
- Review KEV entries weekly and cross-reference them against your asset inventory
- Add EPSS scores to your prioritization workflow to catch emerging exploitation before KEV lists it
- Use KEV data in risk reporting to leadership to justify patching program investments