What is the CISA KEV catalog?
Last reviewed June 2, 2026
The CISA KEV is the Known Exploited Vulnerabilities catalog, a curated list maintained by the US Cybersecurity and Infrastructure Security Agency. It contains CVEs with reliable evidence of active exploitation in the wild. Under Binding Operational Directive 22-01, US federal civilian agencies must remediate KEV entries by an assigned due date, and the catalog is widely used as a high-priority patch list across all sectors.
What the KEV catalog is
The CISA KEV (Known Exploited Vulnerabilities) catalog is an authoritative list of vulnerabilities that CISA has confirmed are being actively exploited in the wild. It is not a score and not a prediction; it is a curated, evidence-based record of what attackers are actually using.
Each entry includes the CVE identifier, the affected vendor and product, a short description, the date it was added, required remediation actions, and a due date. The catalog is published as a free, machine-readable feed that any organization can consume.
How a CVE gets added
CISA adds a vulnerability to the KEV catalog only when it meets three criteria.
- The vulnerability has an assigned CVE ID.
- There is reliable evidence of active exploitation in the wild, not just a proof of concept.
- There is a clear remediation action, such as applying a vendor patch or following mitigation guidance.
BOD 22-01 and remediation deadlines
The catalog exists under Binding Operational Directive 22-01, issued in November 2021. The directive requires US federal civilian executive branch agencies to remediate KEV entries by the due date CISA assigns to each one. Newly added, actively exploited vulnerabilities are often given short timelines.
Although the directive is binding only on federal agencies, CISA strongly recommends that all organizations use the KEV catalog as an input to their own vulnerability management. Many private-sector teams treat KEV membership as a non-negotiable top priority.
How to use the KEV in practice
Because KEV entries represent confirmed real-world exploitation, they typically jump to the front of the remediation queue regardless of CVSS score. A medium-severity vulnerability on the KEV list usually outranks an unexploited critical-severity one.
- Cross-reference your asset inventory against the KEV feed to find exposed, actively exploited vulnerabilities.
- Treat KEV membership as a strong override signal that escalates priority.
- Track remediation against CISA due dates even if you are not a federal agency, as a sensible internal SLA.
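The three steps above as one added example (not code from this page or from CISA): scanner findings are cross-referenced against a KEV-shaped feed, KEV membership overrides CVSS in the ranking, and each match is tracked against its due date. The field names `cveID`, `requiredAction` and `dueDate` follow the KEV JSON feed; the CVE IDs, asset names, scores and dates are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed (placeholder CVE IDs, not real entries).
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
   "dateAdded": "2026-05-01", "requiredAction": "Apply vendor update.", "dueDate": "2026-05-22"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleCMS",
   "dateAdded": "2026-05-20", "requiredAction": "Apply vendor mitigations.", "dueDate": "2026-06-10"}
]}
""")

# Constructed scanner findings: (asset, CVE, CVSS base score).
FINDINGS = [
    ("web-01", "CVE-0000-0002", 5.3),   # medium severity, but in KEV
    ("db-01", "CVE-0000-0003", 9.8),    # critical severity, not in KEV
    ("vpn-01", "CVE-0000-0001", 7.5),
    ("web-01", "CVE-0000-0004", 6.1),
]

def prioritize(findings, feed, today):
    """Rank findings: KEV matches first (nearest due date first), then the rest by CVSS."""
    kev = {v["cveID"]: v for v in feed["vulnerabilities"]}
    ranked = []
    for asset, cve, cvss in findings:
        entry = kev.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        ranked.append({
            "asset": asset, "cve": cve, "cvss": cvss,
            "kev": entry is not None,
            "due": due,
            "days_left": (due - today).days if due else None,  # negative means overdue
            "action": entry["requiredAction"] if entry else None,
        })
    # KEV membership overrides CVSS; within KEV the earliest due date wins.
    ranked.sort(key=lambda r: (not r["kev"], r["due"] or date.max, -r["cvss"]))
    return ranked

if __name__ == "__main__":
    for r in prioritize(FINDINGS, KEV_FEED, date(2026, 6, 2)):
        tag = "KEV" if r["kev"] else "   "
        left = r["days_left"]
        status = "" if left is None else (
            f"OVERDUE by {-left}d" if left < 0 else f"due in {left}d")
        print(f"{tag} {r['cve']} {r['asset']:7} cvss={r['cvss']:<4} {status}")
```

With these inputs the CVSS 5.3 finding that is in the KEV feed ranks above the CVSS 9.8 finding that is not.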
Keep exploring
- EPSS vs KEV: Predicted likelihood versus confirmed exploitation.
- What is EPSS?: The exploit prediction scoring system.
- How to prioritize vulnerabilities: Where the KEV fits in a full prioritization workflow.
- What is a CVE?: The identifier every KEV entry is built on.
- Zero-day vs N-day: Whether a patch exists at the time of exploitation.
- What is Exploit-DB?: Public archive of exploits and proof-of-concept code.
Frequently asked questions
- What does KEV stand for?
- KEV stands for Known Exploited Vulnerabilities. The CISA KEV is the catalog of CVEs with reliable evidence of active exploitation in the wild.
- Who maintains the KEV catalog?
- It is maintained by CISA, the US Cybersecurity and Infrastructure Security Agency, and published as a free, machine-readable feed.
- Is the KEV catalog only for US federal agencies?
- The remediation requirement under BOD 22-01 is binding only on US federal civilian agencies, but CISA recommends every organization use the KEV catalog to prioritize patching.
- How is the KEV different from EPSS?
- KEV records confirmed, observed exploitation, while EPSS predicts the probability of future exploitation. KEV is curated evidence; EPSS is a daily statistical estimate.