Since its launch in November 2021, CISA's Known Exploited Vulnerabilities (KEV) catalog has become one of the most important tools in vulnerability management. Unlike the NVD's 28,000+ annual CVE filings, the KEV catalog is curated: each entry represents a vulnerability with confirmed active exploitation. As of early 2025, the catalog contains over 1,100 entries, and it continues to grow by approximately 20-30 entries per month.
For federal agencies, KEV remediation is mandatory under Binding Operational Directive 22-01. For everyone else, the KEV catalog is arguably the best available signal for vulnerability prioritization. If a CVE is in the KEV, someone is actively exploiting it, and your organization should treat remediation as urgent.
2025 KEV Trends
Network Edge Devices Dominate
The most striking trend in KEV additions through early 2025 is the dominance of network edge devices: firewalls, VPN appliances, load balancers, and remote access gateways. Products from Ivanti, Fortinet, Palo Alto, SonicWall, Citrix, and Zyxel account for a disproportionate share of new KEV entries.
This is not surprising when you consider the attacker's perspective. Network edge devices are:
- Internet-facing by design.
- Running with elevated privileges (often root/SYSTEM).
- Positioned to see and control all network traffic.
- Difficult to monitor with traditional endpoint security tools.
- Slow to patch due to operational constraints.
The concentration of KEV entries in this category suggests that threat actors -- both nation-state and criminal -- have identified network edge devices as the most productive initial access vector.
The Patch-to-Exploit Window Is Shrinking
Analysis of KEV entries with known exploitation timelines shows that the gap between patch availability and observed exploitation continues to shrink. For high-profile vulnerabilities in 2025:
- Several vulnerabilities were exploited as zero-days (before any patch existed).
- For vulnerabilities disclosed with a patch, exploitation was observed within 24-72 hours in many cases.
- The "n-day" window -- the time between patch release and widespread exploitation -- has compressed from weeks to days.
This has profound implications for vulnerability management programs. Organizations that patch on monthly or quarterly cycles are operating well outside the exploitation window. For KEV-listed vulnerabilities, patch timelines need to be measured in hours and days.
Older CVEs Keep Getting Exploited
While new zero-days get the headlines, the KEV catalog also includes older vulnerabilities that continue to be exploited years after patches were available. In 2025, CISA added several CVEs from 2020-2023 that were seeing renewed exploitation activity.
This tells us two things:
- Many organizations are not patching even well-known, critical vulnerabilities.
- Attackers maintain exploit capabilities for older vulnerabilities because they know unpatched systems exist.
The "long tail" of unpatched vulnerabilities is a systemic problem that no amount of new security tooling can solve without organizational commitment to basic patch hygiene.
Authentication Bypass Is the Dominant Vulnerability Type
Categorizing 2025 KEV entries by vulnerability type reveals that authentication bypass, improper access control, and related authorization flaws are the most common types being exploited. This includes:
- Complete authentication bypass (no credentials needed)
- Privilege escalation after low-privilege authentication
- Path traversal bypassing authorization checks
- Default credentials and hardcoded backdoors
These are not exotic vulnerability types requiring advanced exploitation techniques. They are fundamental security design failures that allow attackers to walk through the front door.
Using KEV Effectively
As a Prioritization Signal
The most straightforward use of the KEV catalog is as a prioritization signal for your vulnerability management program. Any CVE in the KEV should be treated as higher priority than a CVE of similar CVSS severity that is not in the KEV.
A practical approach:
- Immediate (0-48 hours): Recently added KEV entries that are under active mass exploitation.
- Urgent (1-2 weeks): Other KEV entries not yet remediated.
- Standard (30-90 days): Critical/High severity CVEs not in KEV.
- Routine (next maintenance cycle): Medium/Low severity CVEs.
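The tiering above, as an added example that is not code from the page or from Safeguard.sh: it indexes a constructed feed in the schema of CISA's KEV JSON (cveID, dateAdded, knownRansomwareCampaignUse) and assigns each scanner finding a tier and due date. Assumed here: a "recent addition under active mass exploitation" is an entry added within the last 14 days and flagged for known ransomware campaign use, each deadline is the upper bound of the page's window (90 days for the maintenance cycle), and EPSS only orders findings within a tier.

```python
import json
from datetime import date, timedelta

# Constructed sample in the schema of CISA's KEV JSON feed (cveID, dateAdded,
# knownRansomwareCampaignUse); the CVE IDs and dates are placeholders.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2025-00001", "dateAdded": "2025-03-10", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2025-00002", "dateAdded": "2025-03-12", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2021-00003", "dateAdded": "2024-01-05", "knownRansomwareCampaignUse": "Known"}]}"""
# Constructed scanner findings: (CVE ID, CVSS base score, EPSS probability).
SAMPLE_FINDINGS = [("CVE-2025-00001", 9.8, 0.90), ("CVE-2025-00002", 7.5, 0.40),
                   ("CVE-2021-00003", 8.8, 0.95), ("CVE-2025-00004", 9.1, 0.05),
                   ("CVE-2025-00005", 5.3, 0.01)]
# Deadline per tier in days: upper bound of each page window; Routine assumed 90.
TIER_ORDER = ["Immediate", "Urgent", "Standard", "Routine"]
DEADLINE_DAYS = {"Immediate": 2, "Urgent": 14, "Standard": 90, "Routine": 90}

def load_kev_index(feed_text):
    """Map CVE ID -> (date added to KEV, known ransomware-campaign use)."""
    index = {}
    for entry in json.loads(feed_text)["vulnerabilities"]:
        index[entry["cveID"]] = (date.fromisoformat(entry["dateAdded"]),
                                 entry.get("knownRansomwareCampaignUse") == "Known")
    return index

def tier_for(cve, cvss, kev_index, today, recent_days=14):
    """Assumption: 'recent addition with active mass exploitation' = added to KEV
    within recent_days and flagged for known ransomware campaign use."""
    if cve in kev_index:
        added, ransomware = kev_index[cve]
        if ransomware and (today - added).days <= recent_days:
            return "Immediate"
        return "Urgent"  # every other KEV entry
    return "Standard" if cvss >= 7.0 else "Routine"  # High/Critical vs Medium/Low

def triage(findings, kev_index, today_iso):
    """Return (cve, tier, due date) rows ordered by tier, then by EPSS descending
    as a within-tier tiebreaker (an assumption, not part of the page's scheme)."""
    today = date.fromisoformat(today_iso)
    rows = []
    for cve, cvss, epss in findings:
        tier = tier_for(cve, cvss, kev_index, today)
        due = (today + timedelta(days=DEADLINE_DAYS[tier])).isoformat()
        rows.append((cve, tier, due, epss))
    rows.sort(key=lambda r: (TIER_ORDER.index(r[1]), -r[3]))
    return [r[:3] for r in rows]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, load_kev_index(KEV_JSON), "2025-03-15"):
        print(*row)
```

Note that CVE-2021-00003 lands in Urgent rather than Immediate despite its ransomware flag: it was added to the KEV long ago, so the "recent" criterion is what separates the two top tiers.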
As an Input to Risk Assessments
KEV data is useful for risk assessments because it provides empirical evidence of exploitation. Rather than theoretical "this could be exploited," KEV tells you "this is being exploited." This distinction matters for communicating risk to business leadership and for making investment decisions.
As a Compliance Baseline
Even outside the federal government, many organizations have adopted KEV remediation as a baseline security requirement. Auditors and regulators increasingly reference the KEV as evidence of reasonable security practices. Having a process to track and remediate KEV entries demonstrates that your organization is addressing the vulnerabilities that matter most.
KEV Limitations
The KEV catalog is excellent but not comprehensive:
- It is retrospective. Vulnerabilities are added after exploitation is confirmed. By definition, it does not help with zero-days before exploitation is detected.
- It has a reporting bias. Exploitation must be detected and reported to CISA. Sophisticated actors who exploit vulnerabilities quietly may not trigger KEV additions.
- It does not cover all products. The KEV tends to focus on widely deployed commercial and open-source products. Niche or industry-specific software may be exploited without triggering a KEV entry.
- It is US-centric. While CISA coordinates with international partners, the catalog may underrepresent exploitation observed primarily in other regions.
These limitations mean the KEV should be part of your prioritization framework, not the entirety of it. Combine KEV data with EPSS scores, vendor advisories, threat intelligence feeds, and your own risk assessment for the most complete picture.
How Safeguard.sh Helps
Safeguard.sh integrates the CISA KEV catalog directly into its vulnerability prioritization engine. When a new CVE is added to the KEV, Safeguard automatically checks your SBOM inventory for affected components and elevates the priority of matching findings.
This integration means that you do not need to manually cross-reference KEV updates against your software inventory. Safeguard does it automatically, alerting you to KEV-relevant vulnerabilities within minutes of catalog updates. Combined with EPSS scoring and exploit availability data, Safeguard provides a multi-dimensional view of vulnerability risk that helps you focus your remediation efforts where they matter most.