From Theoretical to Exploited
On November 3, 2021, CISA published Binding Operational Directive 22-01 alongside a new resource that immediately became one of the most valuable vulnerability management tools available: the Known Exploited Vulnerabilities (KEV) catalog.
The concept is straightforward. Instead of asking "is this vulnerability theoretically dangerous?" the KEV catalog answers a more useful question: "is this vulnerability being actively exploited in the wild?"
The initial catalog launched with 287 CVEs. By mid-December 2021, it had grown to over 300 and continues expanding. Every entry represents a vulnerability where CISA has confirmed real-world exploitation — not a theoretical risk assessment, but evidence of actual attacks.
What BOD 22-01 Requires
Binding Operational Directive 22-01 applies to all Federal Civilian Executive Branch (FCEB) agencies. It requires:
- Review the catalog — Agencies must regularly review the KEV catalog for new additions
- Identify affected systems — Determine if any federal systems run software with cataloged vulnerabilities
- Remediate within deadlines — Each catalog entry includes a remediation deadline. Agencies must patch or mitigate by that date.
- Report status — Agencies must report remediation progress to CISA
The deadlines are aggressive. Newly discovered KEV entries typically get 2-3 week remediation windows. For the initial catalog entries, deadlines ranged from November 2021 to mid-2022.
Why KEV Matters Beyond Federal Agencies
While BOD 22-01 legally binds only federal agencies, the KEV catalog is valuable for every organization. Here's why:
CVSS Alone Doesn't Work
The traditional approach to vulnerability prioritization relies heavily on CVSS scores. A score of 9.0+ gets attention; a 5.0 might wait months. The problem: CVSS measures theoretical severity, not actual risk. Many critical CVSS vulnerabilities are never exploited in the wild. Many medium-severity vulnerabilities are actively exploited at scale.
The KEV catalog provides a ground-truth signal. If CISA says a vulnerability is being exploited, it's being exploited. That's more actionable than any risk score.
Known Exploitation = Urgent Risk
A vulnerability on the KEV list means:
- Exploit code exists and works
- Threat actors are actively using it
- Your exposed systems are being targeted
- The clock is ticking
This isn't a "patch when convenient" situation. If you're exposed to a KEV vulnerability, you're actively at risk right now.
It's Curated, Not Automated
Unlike automated vulnerability feeds that publish thousands of CVEs, the KEV catalog is manually curated by CISA analysts who verify exploitation evidence. This curation means every entry is high-signal. There are no false positives or theoretical concerns — every KEV entry represents confirmed exploitation.
How to Use the KEV Catalog
1. Integrate into Your Vulnerability Management
Add KEV status as a prioritization factor alongside CVSS, EPSS, and your own asset criticality ratings. A medium-CVSS vulnerability on the KEV list should be prioritized above a high-CVSS vulnerability that's not being exploited.
2. Automate Correlation
CISA publishes the catalog as JSON and CSV. Integrate it into your vulnerability management platform. Cross-reference every CVE finding against the KEV catalog automatically.
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
3. Set KEV-Specific SLAs
Define remediation SLAs for KEV vulnerabilities that are more aggressive than your standard patching cadence. If a vulnerability is being actively exploited, your normal 30-day patch window is too slow.
4. Include in Reporting
Executive reporting should highlight KEV-listed vulnerabilities separately. These are the findings with confirmed real-world risk. They communicate urgency more effectively than CVSS scores.
What's in the Catalog
The catalog includes vulnerabilities across a wide range of products:
- Microsoft products — Exchange Server (ProxyLogon, ProxyShell), Windows (PrintNightmare), Office
- Network infrastructure — Cisco, Fortinet, Pulse Secure, SonicWall
- Web platforms — Apache (Log4j, Struts), Atlassian, Drupal
- Security products — FireEye, SolarWinds, Accellion
- Open source — Log4j, Apache HTTP Server, Exim
Each entry includes:
- CVE identifier
- Vendor and product name
- Vulnerability description
- Date added to catalog
- Required remediation action
- Remediation deadline (for federal agencies)
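Steps 2 and 3 above (correlating findings against the JSON feed and applying a tighter KEV SLA) and the entry fields just listed can be tied together in a short script. This is an added example, not Safeguard.sh's code: the field names (cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate) are those of CISA's published feed, while the CVE-2099-* identifiers, dates, asset names and the 7-day/30-day SLA values are constructed for illustration.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed (a top-level
# "vulnerabilities" list; field names as CISA publishes them). The CVE-2099-*
# IDs, dates and descriptions are made up for this example. In production,
# load the feed text from the catalog URL given above instead of KEV_SAMPLE.
KEV_SAMPLE = json.dumps({"title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example", "count": 2, "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "shortDescription": "Constructed description.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-12-24"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "VPN Gateway",
     "vulnerabilityName": "ExampleVendor VPN Gateway Authentication Bypass",
     "dateAdded": "2021-12-03", "shortDescription": "Constructed description.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-12-17"}]})

# Constructed scanner findings: CVE, CVSS base score, affected asset.
FINDINGS = [
    {"cve": "CVE-2021-44228", "cvss": 10.0, "asset": "build-agent-01"},
    {"cve": "CVE-2099-0001", "cvss": 9.8, "asset": "web-01"},     # high CVSS, not in KEV
    {"cve": "CVE-2099-0002", "cvss": 6.5, "asset": "vpn-gw-02"},  # medium CVSS, in KEV
]

def load_kev(feed_text):
    """Parse the KEV feed and index its entries by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}

def prioritize(findings, kev, today, kev_sla_days=7, standard_sla_days=30):
    """Rank findings KEV-first (tier 0), then by CVSS descending.
    KEV findings get the earlier of the internal KEV SLA and CISA's dueDate;
    everything else gets the standard patch window. `today` is an ISO date."""
    now = date.fromisoformat(today)
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry:
            due = min(now + timedelta(days=kev_sla_days), date.fromisoformat(entry["dueDate"]))
            tier, action = 0, entry["requiredAction"]
        else:
            due, tier, action = now + timedelta(days=standard_sla_days), 1, None
        ranked.append({**f, "kev": entry is not None, "tier": tier,
                       "due": due.isoformat(), "overdue": due < now, "action": action})
    ranked.sort(key=lambda r: (r["tier"], -r["cvss"]))
    return ranked

if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_kev(KEV_SAMPLE), "2021-12-15"):
        print(f'tier={r["tier"]} kev={r["kev"]} due={r["due"]} {r["cve"]} cvss={r["cvss"]} {r["asset"]}')
```

Run against the live feed, the same logic moves a medium-CVSS KEV entry ahead of a 9.8 that nobody is exploiting, which is exactly the ordering step 1 calls for.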
The Bigger Picture
The KEV catalog represents a shift in how the government approaches vulnerability management. Instead of treating all vulnerabilities as equal threats, CISA is saying: these specific vulnerabilities matter right now. It's threat-informed vulnerability management.
This approach aligns with broader industry trends toward risk-based vulnerability management. EPSS (Exploit Prediction Scoring System) predicts exploitation probability. KEV confirms it. Used together, they provide a much more actionable prioritization framework than CVSS alone.
For software vendors, the KEV catalog is also a signal. If your product appears on the KEV list, it means your vulnerability was not just found — it was weaponized. That should inform your disclosure, patching, and communication processes.
How Safeguard.sh Helps
Safeguard.sh integrates the CISA KEV catalog directly into its vulnerability prioritization engine. When a vulnerability in your software supply chain appears on the KEV list, it's automatically elevated to the highest priority tier — regardless of its CVSS score. This ensures that actively exploited vulnerabilities get immediate attention.
The platform correlates KEV data with your complete software inventory, so you don't just know that CVE-2021-44228 is being exploited — you know exactly which of your products, deployments, and environments are affected. This targeted intelligence enables focused remediation instead of organization-wide fire drills.
Safeguard.sh also tracks historical KEV additions to identify patterns in your exposure. If your software stack repeatedly appears in KEV entries, that's a signal to reconsider specific vendors or components. The platform provides this trend analysis alongside real-time monitoring, helping you build a vulnerability management program that's genuinely risk-informed.