Vulnerability Management

CISA KEV Catalog Growth: A 2024 Q1 Analysis

CISA added 40+ CVEs to the Known Exploited Vulnerabilities catalog in Q1 2024. We break down the vendor mix, the edge-device bias, and what to prioritize.

Nayan Dey
Senior Security Engineer
5 min read

CISA launched the Known Exploited Vulnerabilities catalog in November 2021 under Binding Operational Directive 22-01, and by the start of 2024 it had become the de facto shortlist that most vulnerability management programs use to decide what to patch next week versus what to patch next quarter. The first quarter of 2024 was unusually active. Between January 1 and March 10, CISA added more than 40 entries, with a strong skew toward edge appliances — Ivanti Connect Secure, FortiOS, ConnectWise ScreenConnect, Microsoft Exchange, Cisco ASA — and a smaller but growing share of open-source infrastructure components like Jenkins and Apache OFBiz. This post analyzes what landed, which vendors dominated, and how to turn the catalog into triage decisions without drowning in a tier-one patch queue.

What is the KEV catalog and why should non-federal teams care?

The KEV catalog is CISA's curated list of CVEs with reliable evidence of active exploitation. Each entry carries a remediation deadline, typically two to three weeks out, that federal civilian executive branch agencies must meet under BOD 22-01. Non-federal teams care because the catalog is the cleanest public signal that a vulnerability is being exploited now, not theoretically. Cyber insurance underwriters, SOC 2 auditors, and most mature VM programs now use KEV as the trigger for emergency patching. CVSS alone is too coarse — plenty of 9.8s are never weaponized — and EPSS is probabilistic, so KEV adds ground truth.

How many CVEs did CISA add in Q1 2024 and where did they cluster?

CISA added more than 40 CVEs to KEV in Q1 2024, heavily clustered around network edge appliances and remote access software. Ivanti dominated the list, with Connect Secure (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893) driving multiple KEV additions in January alone. ConnectWise ScreenConnect (CVE-2024-1709, CVE-2024-1708) went KEV within days of disclosure in February after mass exploitation. FortiOS SSL VPN (CVE-2024-21762) landed on February 9. Microsoft Exchange (CVE-2024-21410) and Microsoft Streaming Service (CVE-2023-29360, re-listed) rounded out the enterprise Microsoft additions. Open-source additions included Apache OFBiz CVE-2023-49070, Jenkins CVE-2024-23897, and Fortra GoAnywhere CVE-2024-0204.

Why are edge devices so heavily represented?

Edge devices dominate because they combine high blast radius with poor patch cadence, and attackers know it. A FortiGate, Ivanti Connect Secure, or Cisco ASA sits between the internet and an internal Active Directory, runs aged codebases with decades of attack surface, and often lacks EDR coverage because it is a closed appliance. Enterprises defer firmware upgrades because upgrades are disruptive and because the appliance "just works." The math favors attackers: the average time to patch an internet-facing edge device in the industry data we track is measured in weeks, not hours, while mass exploitation of a fresh pre-auth RCE can happen within 48 hours of public disclosure.

Which 2024 Q1 KEV entries caused the most incident response work?

The Ivanti Connect Secure chain (CVE-2023-46805 plus CVE-2024-21887) and ConnectWise ScreenConnect CVE-2024-1709 generated the most incident response work in our data. Ivanti exploitation preceded disclosure by weeks: Volexity documented UTA0178 activity in December 2023, and once the vulnerabilities were public, mass exploitation pushed Mandiant, Volexity, and the US Department of the Treasury's own teams into simultaneous engagements. CISA Emergency Directive 24-01 on January 19 ordered all FCEB agencies to disconnect affected Ivanti appliances, a move that made plain that incident response required more than patching. ScreenConnect had a different shape: a trivial pre-auth administrative bypass that let ransomware affiliates and Black Basta operators compromise MSPs and pivot into their customers within days.

What should a prioritization model actually look like in Q2 2024?

A prioritization model should combine KEV status, reachability in your environment, and asset criticality, in that order. KEV status is the first filter: any CVE on the catalog should be treated as a Sev-1 work item regardless of CVSS. Reachability is second: a KEV CVE in a library that is installed but never loaded by network-exposed code is a lower actual risk than the same CVE in an edge-facing binary. Asset criticality is third: a KEV CVE in a perimeter VPN serving 10,000 users outranks the same CVE in a lab-only test rig. EPSS is useful as a tiebreaker within your non-KEV backlog. CVSS alone is no longer a defensible prioritization signal in 2024.

How should teams track KEV additions operationally?

Teams should subscribe to the CISA KEV JSON feed, map entries to their asset inventory automatically, and drive tickets rather than emails. CISA publishes the catalog at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, updated with each addition. A simple cron job that diffs the feed and opens Jira tickets with SLAs bound to the published due date removes human latency from the loop. Pair that with weekly reviews of KEV entries aged past their due date — the backlog you have not closed is where attackers are looking.

# Pull current KEV catalog
curl -sS https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
  | jq '.vulnerabilities[] | {cveID, vendorProject, product, dueDate}'
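The following is an added example, not code from the original post or from Safeguard, showing the feed-diff and prioritization logic described above in one place: it takes the KEV JSON (a constructed sample with the same top-level keys as CISA's feed; the due dates are illustrative), drops entries already ticketed, matches products against a hypothetical asset inventory, and orders the resulting work items by reachability, then asset criticality, then due date, flagging anything past its due date.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV feed (not a copy of the live catalog;
# due dates are illustrative).
SAMPLE_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti", "product": "Connect Secure",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
        {"cveID": "CVE-2024-1709", "vendorProject": "ConnectWise", "product": "ScreenConnect",
         "dateAdded": "2024-02-22", "dueDate": "2024-02-29"},
        {"cveID": "CVE-2024-23897", "vendorProject": "Jenkins", "product": "Jenkins",
         "dateAdded": "2024-01-29", "dueDate": "2024-02-12"},
    ]
})

# Hypothetical asset inventory: product -> internet exposure and criticality (1 low .. 3 high).
INVENTORY = {
    "Connect Secure": {"exposed": True, "criticality": 3},
    "Jenkins": {"exposed": False, "criticality": 2},
}


def new_entries(feed_json, seen_ids):
    """Return KEV entries whose cveID has not been ticketed yet, in feed order."""
    entries = json.loads(feed_json)["vulnerabilities"]
    return [e for e in entries if e["cveID"] not in seen_ids]


def triage(entry, inventory, today_iso):
    """Build a work item for a KEV entry that matches the inventory; None if not present."""
    asset = inventory.get(entry["product"])
    if asset is None:
        return None
    return {
        "cve": entry["cveID"],
        "severity": "Sev-1",           # any KEV entry is Sev-1 regardless of CVSS
        "exposed": asset["exposed"],   # reachability decides order within Sev-1
        "criticality": asset["criticality"],
        "due": entry["dueDate"],
        "overdue": date.fromisoformat(today_iso) > date.fromisoformat(entry["dueDate"]),
    }


def tickets(feed_json, seen_ids, inventory, today_iso):
    """Diff the feed against ticketed CVEs and return prioritized work items."""
    rows = [triage(e, inventory, today_iso) for e in new_entries(feed_json, seen_ids)]
    rows = [r for r in rows if r is not None]
    # exposed first, then higher criticality, then earliest due date
    return sorted(rows, key=lambda r: (not r["exposed"], -r["criticality"], r["due"]))
```

In a real cron job the `seen_ids` set would be the CVE IDs already present in the ticket tracker, and each returned row would become a ticket whose SLA is the KEV `dueDate`.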

How Safeguard Helps

Safeguard ingests the CISA KEV feed continuously and maps every entry against your components using reachability analysis, so a KEV listing in a dependency that is present but unreachable does not wake the on-call while a KEV in an exposed edge service does. Griffin AI overlays exploitation telemetry from Shadowserver and GreyNoise onto your asset graph to show which KEV CVEs are being actively scanned against your IP space. SBOM-linked inventories let you answer "where is Ivanti Connect Secure running" or "which products still depend on Apache OFBiz 18.12.09" in seconds, and policy gates block deployments that introduce new KEV-listed components. TPRM assessments surface which third-party vendors are named in KEV-relevant advisories so you can demand remediation evidence from suppliers before their exposure becomes yours.
