Learn

What is the CISA KEV catalog?

The CISA KEV catalog is the authoritative list of vulnerabilities known to be actively exploited in the wild. Learn what it is, how it differs from CVSS scores, and how to prioritize patching with it.

The CISA KEV catalog — short for Known Exploited Vulnerabilities — is a free, authoritative list of software vulnerabilities that are being actively exploited in the wild. It is maintained by CISA, the US Cybersecurity and Infrastructure Security Agency, and it has become one of the most useful tools in vulnerability management because it answers the question that actually matters: which of these flaws are attackers using right now?

Why the KEV catalog exists

Tens of thousands of new vulnerabilities (CVEs) are published every year. No team can patch all of them immediately, so they need to prioritize — and for a long time the default was the CVSS severity score. The problem is that CVSS measures theoretical severity, not real-world risk. Many high-scoring vulnerabilities are never exploited, while some lower-scoring ones are weaponized within days.

The KEV catalog cuts through this. To be listed, a vulnerability must have reliable evidence of active exploitation, an assigned CVE ID, and clear remediation guidance (a patch, mitigation, or workaround). In other words, everything on KEV has been exploited for real, not just in theory. The reverse does not hold: the catalog records only exploitation that CISA has confirmed, so absence from KEV is not evidence that nobody is exploiting a flaw.

KEV vs. CVSS and the NVD

  • CVSS score — a 0–10 rating of how severe a vulnerability could be, derived from its characteristics (attack vector, complexity, privileges required, impact). Useful, but it does not tell you if anyone is exploiting it.
  • NVD (National Vulnerability Database) — the comprehensive catalog of all CVEs with their details and CVSS scores. Exhaustive, but not prioritized by real activity.
  • CISA KEV — a focused subset of CVEs with proof of active exploitation. The shortlist of “fix these first.”

The strongest prioritization combines them: a vulnerability that is both on KEV and affects an internet-facing system you run is about as urgent as it gets.

Who must comply

Under CISA Binding Operational Directive 22-01, US federal civilian agencies must remediate KEV-listed vulnerabilities within mandated deadlines. Private companies are not legally bound — but because the catalog is public, free, and grounded in real attacker behavior, it has been widely adopted as a de facto prioritization standard across the industry.

How to use the KEV catalog

  • Treat KEV as top priority. If something you run is on the list, it jumps the queue ahead of higher-CVSS-but-not-exploited issues.
  • Map it to your inventory. The catalog is only actionable if you know which listed products you actually use, which is where knowing your external attack surface matters. KEV entries name a vendor and product but not affected version ranges, so a match means "check the vendor advisory for your installed version", not "you are definitely vulnerable".
  • Focus on internet-facing first. A KEV vulnerability on an exposed service is the textbook easy target.
  • Re-check regularly. CISA adds new entries continuously, and the catalog is published as a machine-readable JSON and CSV feed in which each entry carries the date it was added, so a check from last month is already incomplete. Pull the feed on a schedule rather than relying on a manual review.
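As an added example (not part of the original page and not SCRYPEX's tooling), the script below carries out the four steps on a constructed sample: it parses a feed in the shape of CISA's known_exploited_vulnerabilities.json, joins it to an inventory on vendor and product, orders the hits with internet-facing assets first, and lists entries added since the last check. The field names follow the published feed; the vendor, product and CVE identifiers in the sample are fictional placeholders, and the inventory format is an assumption made for the example.

```python
"""Cross-reference a CISA KEV feed against a software inventory.

Added example. The feed below is CONSTRUCTED in the shape of CISA's
known_exploited_vulnerabilities.json (field names follow the real feed);
the vendors, products and CVE IDs are fictional placeholders, not real
catalog entries. In production, fetch the live feed from
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
from datetime import date

SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2024-02-01T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
         "product": "Edge Gateway", "dateAdded": "2024-01-20",
         "dueDate": "2024-02-10", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
         "product": "Edge Gateway", "dateAdded": "2023-11-05",
         "dueDate": "2023-11-26", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherCorp",
         "product": "Ticket Desk", "dateAdded": "2024-01-28",
         "dueDate": "2024-02-18", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory (assumed format): what we run and whether it is
# reachable from the internet. Casing/spacing differs on purpose.
SAMPLE_INVENTORY = [
    {"asset": "vpn-01", "vendor": "examplevendor", "product": "edge  gateway", "internet_facing": True},
    {"asset": "helpdesk", "vendor": "OtherCorp", "product": "Ticket Desk", "internet_facing": False},
    {"asset": "build-01", "vendor": "ExampleVendor", "product": "Build Runner", "internet_facing": False},
]


def _norm(s):
    """Lower-case and collapse whitespace so vendor/product names join reliably."""
    return " ".join(s.lower().split())


def load_kev(feed_text):
    """Parse the KEV feed and return its vulnerability entries.

    The feed's own 'count' must agree with the list length; a mismatch
    usually means a truncated or partially written download.
    """
    feed = json.loads(feed_text)
    entries = feed["vulnerabilities"]
    if feed.get("count") != len(entries):
        raise ValueError("KEV feed count does not match the number of entries")
    return entries


def match_inventory(entries, inventory):
    """Join KEV entries to inventory rows on normalized vendor + product.

    KEV carries no version ranges, so a hit means 'this product has an
    actively exploited CVE'; whether the installed version is affected
    still has to be confirmed against the vendor advisory.
    """
    by_product = {}
    for e in entries:
        by_product.setdefault((_norm(e["vendorProject"]), _norm(e["product"])), []).append(e)
    findings = []
    for asset in inventory:
        for e in by_product.get((_norm(asset["vendor"]), _norm(asset["product"])), []):
            findings.append({
                "asset": asset["asset"],
                "cveID": e["cveID"],
                "internet_facing": asset["internet_facing"],
                "due_date": date.fromisoformat(e["dueDate"]),
                "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            })
    return findings


def prioritize(findings):
    """Exposed assets first, then ransomware-linked CVEs, then earliest BOD 22-01 due date.

    Overdue entries naturally land at the top of their group because their
    due date is earliest.
    """
    return sorted(findings, key=lambda f: (not f["internet_facing"], not f["ransomware"], f["due_date"]))


def added_since(entries, since_iso):
    """CVE IDs CISA added after the last check (ISO date string), for the re-check step."""
    since = date.fromisoformat(since_iso)
    return [e["cveID"] for e in entries if date.fromisoformat(e["dateAdded"]) > since]


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_FEED)
    for f in prioritize(match_inventory(kev, SAMPLE_INVENTORY)):
        exposure = "INTERNET-FACING" if f["internet_facing"] else "internal"
        print(f'{f["asset"]:10} {f["cveID"]} due {f["due_date"]} {exposure}'
              + (" ransomware" if f["ransomware"] else ""))
    print("added since last check:", added_since(kev, "2024-01-15"))
```

The join is deliberately on vendor and product only, because that is all the catalog gives you; the version check is a manual or advisory-driven step that follows. Swapping SAMPLE_KEV_FEED for the body of the live feed and SAMPLE_INVENTORY for an export from your asset system is the only change needed to run this against a real environment.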

Checking your software against KEV

You do not need to read the whole catalog by hand. The free SCRYPEX CVE & CISA KEV Checker lets you enter the products and security tools you run and instantly see which have actively exploited vulnerabilities — turning a long public list into a short, prioritized to-do list for your environment. Confirmed-exploit findings are also one of the signals SCRYPEX surfaces in a full external exposure scan.

Frequently asked questions

What does KEV stand for?

KEV stands for Known Exploited Vulnerabilities. The catalog is maintained by CISA (the US Cybersecurity and Infrastructure Security Agency) and lists CVEs that have reliable evidence of active exploitation in the wild — not just vulnerabilities that could theoretically be exploited.

How is the KEV catalog different from a CVSS score?

A CVSS score estimates how severe a vulnerability could be in theory. The KEV catalog tells you which vulnerabilities are actually being exploited right now. A medium-CVSS bug that's on KEV is a more urgent real-world risk than a high-CVSS bug that no one is exploiting — which is why KEV is one of the best prioritization signals available.

Who has to comply with the KEV catalog?

US federal civilian agencies are required to remediate KEV-listed vulnerabilities within set deadlines under CISA Binding Operational Directive 22-01. Private organizations aren't legally bound by it, but the catalog is freely published and widely used as a prioritization standard because it reflects real attacker behavior.

How do I check my software against the KEV catalog?

Use the free SCRYPEX CVE & CISA KEV Checker: enter the security products and software you run, and it checks them against the current KEV catalog so you can see which of your tools have actively exploited vulnerabilities to prioritize.