KEV (CISA Known Exploited Vulnerabilities)

KEV is CISA's catalog of CVEs known to be exploited in the wild — the highest-confidence signal that a vulnerability is being actively used by attackers.

Definition

The Known Exploited Vulnerabilities (KEV) catalog is a list maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). A CVE lands on KEV when CISA has reliable evidence that the vulnerability is being exploited in the wild — typically corroborated by federal incident response, vendor advisories, or open-source intelligence. KEV is the highest-confidence signal in the public ecosystem that a CVE is actively dangerous, not merely theoretically exploitable.

KEV is small (around 1,500 entries in 2026) compared to the CVE corpus of ~340,000 entries. That small size is the point: KEV is the prioritisation cut-off for U.S. federal agencies under Binding Operational Directive 22-01, and it is widely adopted as an enterprise patching priority everywhere else. CVE Explore tags every KEV entry prominently in its UI and feeds.

How it works

CISA's catalog is published as a JSON file (`known_exploited_vulnerabilities.json`) and refreshed continually. Each entry carries the CVE id, the date added to KEV, a vendor / product name, a short `vulnerabilityName`, a `requiredAction` and a `dueDate` (the federal deadline by which agencies must remediate).
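
The sketch below is an added example, not code from CISA or CVE Explore: it indexes a catalog document by CVE id and orders a scanner's findings by KEV `dueDate`. The inline sample, asset names and the placeholder CVE are constructed, and key names not quoted on this page (`cveID`, `dateAdded`, `vendorProject`, `product`, `vulnerabilities`) are assumed from the published catalog format.

```python
import json
from datetime import date

# Constructed sample shaped like known_exploited_vulnerabilities.json.
# Log4Shell dates are the ones on this page; CVE-0000-00001 is a placeholder.
SAMPLE_KEV = json.dumps({"catalogVersion": "constructed", "count": 2, "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder entry", "dateAdded": "2026-01-05",
     "dueDate": "2026-01-26", "requiredAction": "Placeholder action."},
]})

REQUIRED = ("cveID", "dateAdded", "dueDate", "requiredAction", "vulnerabilityName")

def load_kev(raw):
    """Return {CVE id: entry}; fail loudly if the feed's shape is not as expected."""
    entries = json.loads(raw).get("vulnerabilities")
    if not isinstance(entries, list):
        raise ValueError("KEV document has no 'vulnerabilities' array")
    index = {}
    for entry in entries:
        missing = [k for k in REQUIRED if k not in entry]
        if missing:
            raise ValueError(f"KEV entry missing fields: {missing}")
        index[entry["cveID"].strip().upper()] = entry
    return index

def prioritise(findings, kev, today):
    """findings: (asset, cve) pairs from a scanner. Keep KEV hits, earliest dueDate first."""
    hits = []
    for asset, cve in findings:
        entry = kev.get(cve.strip().upper())
        if entry is None:
            continue  # not on KEV; handle in the normal patch cycle
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"asset": asset, "cve": entry["cveID"], "due": due,
                     "days_overdue": (today - due).days,
                     "action": entry["requiredAction"]})
    return sorted(hits, key=lambda h: h["due"])

if __name__ == "__main__":
    scan = [("web-01", "cve-2021-44228"), ("db-02", "CVE-0000-00002"),
            ("app-03", "CVE-0000-00001")]  # constructed scanner output
    for hit in prioritise(scan, load_kev(SAMPLE_KEV), date(2026, 1, 20)):
        print(hit["asset"], hit["cve"], hit["due"], hit["days_overdue"], hit["action"])
```

A negative `days_overdue` means the deadline is still ahead; the shape check in `load_kev` makes a truncated or changed feed raise an error instead of silently reporting zero KEV matches.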

Mitigation

Not applicable.

Examples

  • CVE-2021-44228 (Log4Shell) — added to KEV 2021-12-10, due date 2021-12-24.
