FortaRisks

CISA KEV

The CISA KEV (Known Exploited Vulnerabilities) is the public catalog of vulnerabilities with confirmed exploitation in the wild, published by the US cybersecurity agency CISA. Unlike predictive scores, it lists only flaws actually used by attackers, which makes it a first-order prioritization signal.

Updated on July 2, 2026

What is the CISA KEV?

The CISA KEV, for Known Exploited Vulnerabilities, is a catalog maintained by the Cybersecurity and Infrastructure Security Agency, the US federal cybersecurity agency. It lists vulnerabilities for which there is evidence of active exploitation by attackers.

Each entry specifies the vulnerability (via its CVE identifier), the date it was added and a remediation deadline. To make the KEV, a flaw must meet strict criteria, including proof of real exploitation and the existence of a clear corrective action.

Why it matters for your organization

The KEV answers the most useful question in vulnerability management: among all known flaws, which are actually being used against organizations right now? It is a short, very high-value list to treat as top priority.

It acts as a powerful filter against noise. Where CVE catalogs hold tens of thousands of entries, the KEV focuses attention on those that matter immediately.

How to fold the KEV into your prioritization

  • Treat it as top priority: any KEV vulnerability present in your estate jumps the queue.
  • Correlate it automatically with your asset inventory, so each entry is tied to the assets it affects.
  • Use it as a complement to CVSS (severity) and EPSS (likelihood) for the remaining flaws.
  • Track it continuously: the catalog is updated regularly as new exploitation emerges.
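The four steps above, worked through as an added example that is not code from the FortaRisks page: a short Python script that indexes a KEV feed by CVE ID, correlates it with a scanner inventory, ranks KEV matches first (earliest remediation deadline first, overdue ones flagged) and the remaining findings by EPSS with CVSS as a tie-breaker, and lists catalog entries added since the last check. The feed sample, inventory, run date and CVE IDs are constructed placeholders; the field names follow the public KEV JSON feed, and fetching the feed itself is left out.

```python
import json
from datetime import date

# Constructed sample in the shape of the public KEV JSON feed; CVE IDs are placeholders.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2026-06-16", "dueDate": "2026-06-30",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2026-06-28", "dueDate": "2026-07-19",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: scanner findings already mapped to CVE IDs, with the
# CVSS base score and EPSS probability each one carries.
FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-0000-0002", "cvss": 7.5, "epss": 0.12},
    {"asset": "web-03", "cve": "CVE-0000-0003", "cvss": 9.8, "epss": 0.02},
    {"asset": "db-02", "cve": "CVE-0000-0004", "cvss": 5.3, "epss": 0.71},
    {"asset": "web-03", "cve": "CVE-0000-0001", "cvss": 6.1, "epss": 0.04},
]
TODAY = date(2026, 7, 2)  # constructed run date

def load_kev(feed_json):
    """Index the catalog by CVE ID so each finding is checked with one lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(findings, kev, today):
    """Rank findings: KEV matches first (earliest due date first, overdue flagged),
    then everything else by EPSS, with CVSS only as a tie-breaker."""
    def sort_key(f):
        entry = kev.get(f["cve"])
        due = date.fromisoformat(entry["dueDate"]) if entry else date.max
        return (0 if entry else 1, due, -f["epss"], -f["cvss"])

    ranked = []
    for f in sorted(findings, key=sort_key):
        entry = kev.get(f["cve"])
        row = dict(f, kev=entry is not None)
        if entry:
            row["due"] = entry["dueDate"]
            row["overdue"] = date.fromisoformat(entry["dueDate"]) < today
        ranked.append(row)
    return ranked

def new_since(kev, last_run):
    """CVE IDs added to the catalog after the last check (ISO dates compare as strings)."""
    return sorted(c for c, v in kev.items() if v["dateAdded"] > last_run)

if __name__ == "__main__":
    for row in prioritize(FINDINGS, load_kev(KEV_FEED), TODAY):
        print(row)
```

Note how the 9.8 CVSS finding ends up last: the two KEV matches come first regardless of score, and among the rest the 5.3 with a 71% EPSS outranks it.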

Where organizations most often fall short

The classic mistake is not linking the KEV to your own inventory: knowing a flaw is actively exploited is useless if you do not know where it lives in your estate. The other pitfall is checking the catalog only occasionally, when it changes constantly and requires continuous monitoring.

Frequently asked questions

What sets the KEV catalog apart from CVSS or EPSS?

CVSS measures severity and EPSS estimates the likelihood of exploitation. The KEV estimates nothing: it confirms. A vulnerability only enters it when CISA has evidence of active exploitation. It is therefore the strongest signal to say 'patch this now'.

Does the KEV catalog only concern US agencies?

The KEV remediation deadlines are binding for US federal agencies, but the catalog is public and used worldwide as a prioritization reference. Any organization benefits from treating the vulnerabilities it lists, and that apply to it, as top priority.
