Glossary

CISA KEV

The CISA Known Exploited Vulnerabilities catalog, an authoritative list of CVEs with confirmed in-the-wild exploitation.

Definition

The CISA KEV catalog, short for the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency, is an authoritative list of CVEs that have confirmed evidence of exploitation in the wild. A vulnerability is added only when there is reliable evidence that attackers are actively using it, not merely that exploitation is theoretically possible.

That bar is what makes KEV distinctive. Where a severity score or an exploitation probability is a prediction, a KEV listing is a statement of observed fact: this vulnerability is being exploited right now.

Why It Matters

A confirmed-exploited vulnerability is categorically different from one that merely scores high on severity. CVSS measures potential impact, and even EPSS is a probability. KEV membership removes the uncertainty: the attack is already happening somewhere. That is why known-exploited status generally outranks raw CVSS when deciding patch order.

For a security team, a KEV-listed vulnerability on an owned asset is one of the strongest possible signals to act now. In vulnerability prioritization, KEV typically functions as a strong escalator that lifts a finding toward the top of the queue, working together with EPSS and severity rather than replacing them.

How It Works

CISA updates the KEV catalog as new exploitation evidence is confirmed, so it is a living list rather than a static one. A CVE can be absent today and added tomorrow once activity is verified, which is why a risk-based program re-reads KEV on a schedule and re-ranks affected findings when membership changes, rather than treating an old snapshot as final.

KEV is most powerful when intersected with a unified, deduplicated finding list: the catalog tells you which CVEs are being exploited, and unified vulnerability management tells you which of your assets actually carry them. The overlap is the urgent work. Asset context from the cyber asset inventory then refines the order within that urgent set.
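The scheduled re-read and intersection described above, as an added example (not Koopic's code). The snapshots use the field names of CISA's JSON feed (`vulnerabilities`, `cveID`, `dateAdded`); the CVE ids, assets, scores, and the KEV-then-EPSS-then-CVSS sort order are constructed assumptions.

```python
import json

# Constructed KEV snapshots from two consecutive reads; CVE ids are placeholders.
KEV_MONDAY = json.loads(
    '{"vulnerabilities": [{"cveID": "CVE-0000-0001", "dateAdded": "2024-01-08"}]}')
KEV_TUESDAY = json.loads(
    '{"vulnerabilities": ['
    '{"cveID": "CVE-0000-0001", "dateAdded": "2024-01-08"},'
    '{"cveID": "CVE-0000-0003", "dateAdded": "2024-01-09"}]}')

# Constructed raw findings: two scanners report the same CVE on web-01.
RAW_FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 7.5, "epss": 0.40, "scanner": "A"},
    {"asset": "web-01", "cve": "cve-0000-0001", "cvss": 7.5, "epss": 0.40, "scanner": "B"},
    {"asset": "db-01", "cve": "CVE-0000-0002", "cvss": 9.8, "epss": 0.30, "scanner": "A"},
    {"asset": "hr-laptop", "cve": "CVE-0000-0003", "cvss": 6.1, "epss": 0.01, "scanner": "B"},
]

def kev_ids(snapshot):
    """Set of CVE ids listed in one KEV snapshot."""
    return {v["cveID"].upper() for v in snapshot["vulnerabilities"]}

def dedupe(findings):
    """Collapse per-scanner rows into one finding per (asset, CVE)."""
    unified = {}
    for f in findings:
        key = (f["asset"], f["cve"].upper())
        row = unified.setdefault(key, {**f, "cve": key[1], "scanners": set()})
        row["scanners"].add(f["scanner"])
    return list(unified.values())

def rank(findings, kev):
    """KEV membership escalates first; EPSS, then CVSS, order the rest."""
    return sorted(findings, key=lambda f: (f["cve"] not in kev, -f["epss"], -f["cvss"]))

def newly_urgent(findings, old_kev, new_kev):
    """Findings whose CVE entered KEV between two reads of the catalog."""
    added = new_kev - old_kev
    return [f for f in findings if f["cve"] in added]

if __name__ == "__main__":
    unified = dedupe(RAW_FINDINGS)
    for label, snap in (("Monday", KEV_MONDAY), ("Tuesday", KEV_TUESDAY)):
        order = [(f["asset"], f["cve"]) for f in rank(unified, kev_ids(snap))]
        print(label, order)
    print("re-ranked:", newly_urgent(unified, kev_ids(KEV_MONDAY), kev_ids(KEV_TUESDAY)))
```

On Tuesday's read the CVSS 6.1 finding on hr-laptop moves ahead of the CVSS 9.8 finding on db-01, because only the former is now confirmed exploited.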

How Koopic Helps

Koopic enriches its CVE catalog with the CISA KEV catalog and uses confirmed-exploited status as a strong escalator in the risk-based prioritization engine, alongside EPSS, CVSS, exposure, and criticality, included on every plan. KEV-listed findings on your assets rise to the top so you immediately see which vulnerabilities to fix first.
