What is the CISA KEV Catalog?

The Known Exploited Vulnerabilities catalog is the U.S. government's list of CVEs that are confirmed to be actively exploited in the wild. If a CVE is in KEV, it's not theoretical — attackers are using it right now.

Why KEV Matters

CISA (the Cybersecurity and Infrastructure Security Agency) maintains the KEV catalog as part of Binding Operational Directive 22-01. Federal agencies are legally required to patch KEV vulnerabilities within specific deadlines — typically 14-21 days.

Even if you're not a federal agency, KEV is the single most actionable vulnerability list available. It cuts through the noise of 250,000+ CVEs to show you the ones that are actually being used in attacks.

The Numbers

250K+ total CVEs | ~1,100 in CISA KEV | 0.4% confirmed exploited

Out of 250,000+ published CVEs, only about 1,100 are in the KEV catalog. That's less than 0.5%. These are the vulnerabilities that matter most — and they should be at the top of every team's patch queue.

What Gets Added to KEV?

A CVE must meet three criteria to be added to the KEV catalog:

  1. Assigned a CVE ID — it's in the NVD
  2. Active exploitation — reliable evidence that the vulnerability is being exploited in the wild
  3. Clear remediation — a patch, update, or mitigation is available from the vendor

CISA doesn't add CVEs based on theoretical risk. They require evidence of real-world exploitation — threat intelligence reports, incident response data, or observed attack traffic.

KEV + EPSS: The Priority Stack

The most effective vulnerability prioritization combines KEV with EPSS:

  1. In KEV — actively exploited. Patch within days, not weeks.
  2. High EPSS (>10%) — likely to be exploited soon. Prioritize this sprint.
  3. High CVSS + Low EPSS — severe but unlikely to be exploited. Schedule normally.
  4. Low CVSS + Low EPSS — low risk. Include in routine updates.
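The four tiers above written out as a ranking function, as an added example rather than PatchPulse code. The 10% EPSS cutoff comes from the list; the 7.0 CVSS cutoff for "high" is an assumption (the CVSS v3 "High" band starts there), and the CVE IDs, EPSS and CVSS values in the sample are constructed, not looked up.

```python
"""Added example (not PatchPulse code): rank findings with the KEV + EPSS priority stack."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    in_kev: bool
    epss: float   # EPSS probability of exploitation in the next 30 days, 0.0 to 1.0
    cvss: float   # CVSS base score, 0.0 to 10.0


# EPSS_HIGH is the 10% figure from the page; CVSS_HIGH is an assumption for this example.
EPSS_HIGH = 0.10
CVSS_HIGH = 7.0

TIERS = {
    1: "In KEV: actively exploited, patch within days",
    2: "High EPSS: likely to be exploited soon, prioritize this sprint",
    3: "High CVSS + low EPSS: severe but unlikely, schedule normally",
    4: "Low CVSS + low EPSS: low risk, routine updates",
}


def tier(f: Finding) -> int:
    """Map one finding to a tier. KEV wins regardless of CVSS or EPSS."""
    if f.in_kev:
        return 1
    if f.epss > EPSS_HIGH:
        return 2
    if f.cvss >= CVSS_HIGH:
        return 3
    return 4


def prioritize(findings):
    """Order by tier, then EPSS descending, then CVSS descending as a tie-breaker."""
    return sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))


# Constructed sample findings; placeholder IDs, illustrative scores.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", in_kev=False, epss=0.020, cvss=9.8),  # critical CVSS, rarely exploited
    Finding("CVE-EXAMPLE-0002", in_kev=True,  epss=0.010, cvss=5.3),  # in KEV despite a medium CVSS
    Finding("CVE-EXAMPLE-0003", in_kev=False, epss=0.450, cvss=6.5),  # high EPSS, medium CVSS
    Finding("CVE-EXAMPLE-0004", in_kev=False, epss=0.001, cvss=3.1),  # low on every axis
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve:18} tier {tier(f)}  {TIERS[tier(f)]}")
```

Note what the sample ordering shows: the KEV entry with a CVSS of 5.3 outranks the CVSS 9.8 finding, because confirmed exploitation beats theoretical severity.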

Checking KEV Status with PatchPulse

Every PatchPulse CVE lookup includes KEV status automatically:

curl https://patchapi.shanecode.org/v1/cve/CVE-2014-0160

Heartbleed, in KEV since May 2022, returns the following kev object:

"kev": {
  "in_kev": true,
  "date_added": "2022-05-04",
  "due_date": "2022-05-25",
  "known_ransomware": false
}

The manifest scan endpoint (/v1/scan) automatically sorts KEV vulnerabilities to the top of results. If any of your dependencies have a KEV entry, you'll see it first.
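Consuming that kev object in a script, as an added example that is not PatchPulse code: it reads the fields shown above, computes days until the BOD 22-01 due date against a fixed reference date, and orders findings with KEV entries first. The top-level "cve" key wrapping each kev object and the soonest-due-date ordering within KEV are assumptions of this example; the response fragments are constructed, with the Heartbleed entry copied from the page.

```python
"""Added example (not PatchPulse code): track KEV due dates from the documented kev object."""
import json
from datetime import date

# Constructed response fragments in the shape documented above.
# The "cve" wrapper key is an assumption about the lookup response layout.
SAMPLE_RESPONSES = [
    '{"cve": "CVE-2014-0160", "kev": {"in_kev": true, "date_added": "2022-05-04", '
    '"due_date": "2022-05-25", "known_ransomware": false}}',
    '{"cve": "CVE-EXAMPLE-0001", "kev": {"in_kev": false}}',
    '{"cve": "CVE-EXAMPLE-0002", "kev": {"in_kev": true, "date_added": "2030-01-01", '
    '"due_date": "2030-01-22", "known_ransomware": true}}',
]


def kev_status(raw: str, as_of: date) -> dict:
    """Summarize one lookup response: KEV membership, days left until the due date
    (negative when overdue), and whether CISA flags known ransomware use."""
    doc = json.loads(raw)
    kev = doc.get("kev", {})
    if not kev.get("in_kev"):
        return {"cve": doc["cve"], "in_kev": False, "days_left": None,
                "overdue": False, "ransomware": False}
    due = date.fromisoformat(kev["due_date"])
    days_left = (due - as_of).days
    return {
        "cve": doc["cve"],
        "in_kev": True,
        "days_left": days_left,
        "overdue": days_left < 0,
        "ransomware": bool(kev.get("known_ransomware", False)),
    }


def kev_first(raws, as_of: date):
    """KEV entries first (soonest due date first, an ordering chosen for this example),
    then everything else in input order."""
    rows = [kev_status(r, as_of) for r in raws]
    return sorted(rows, key=lambda r: (not r["in_kev"],
                                       r["days_left"] if r["days_left"] is not None else float("inf")))


if __name__ == "__main__":
    for row in kev_first(SAMPLE_RESPONSES, as_of=date(2024, 1, 1)):
        print(row)
```

Run against a real lookup, the same function tells you which dependencies have already blown their CISA due date and which carry the known_ransomware flag, which is the information a patch queue should surface first.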

Compliance and KEV

Several compliance frameworks now reference or align with KEV:

  • BOD 22-01 — Federal agencies must remediate KEV entries by the due date
  • NIST CSF 2.0 — references KEV as an authoritative source for exploit activity
  • SOC 2 — vulnerability management controls benefit from KEV-based prioritization
  • EU Cyber Resilience Act — active exploitation awareness is part of due diligence
