CISA KEV Guide: Why Actively Exploited CVEs Demand Immediate Action

The CISA Known Exploited Vulnerabilities (KEV) catalog is one of the most authoritative signals for vulnerability prioritization. If a CVE is on this list, it has been confirmed as actively exploited in real-world attacks. This article explains what KEV is, how it works, and how to operationalize it.

What Is the CISA KEV Catalog?

The Cybersecurity and Infrastructure Security Agency (CISA) maintains a public catalog of vulnerabilities that are known to be actively exploited. The catalog was established in November 2021 as part of Binding Operational Directive 22-01 (BOD 22-01), which requires U.S. federal agencies to remediate listed vulnerabilities within specified timeframes.

Each entry in the KEV catalog includes the CVE identifier, the affected vendor and product, a short vulnerability description, the date it was added to the catalog, and a required remediation deadline. As of early 2026, the catalog contains over 1,100 vulnerabilities spanning a wide range of vendors and product types.

Why KEV Matters Beyond Federal Agencies

While BOD 22-01 is legally binding only for federal civilian executive branch agencies, CISA explicitly recommends that all organizations use the KEV catalog as an input to their vulnerability management prioritization. The reasoning is straightforward: if a vulnerability is confirmed as actively exploited, it represents a clear and present risk regardless of your organization type.

Many private-sector security teams have adopted the KEV catalog as a mandatory remediation trigger. If a CVE appears on KEV, it goes to the top of the remediation queue regardless of its CVSS score. This is a pragmatic approach: CVSS tells you how bad a vulnerability could be, but KEV confirms that someone is already exploiting it.

How CVEs Get Added to KEV

CISA has three criteria for adding a CVE to the KEV catalog:

  1. Assigned a CVE ID -- The vulnerability must have a formal CVE identifier.
  2. Active exploitation -- There must be reliable evidence that the vulnerability is being exploited in the wild. This evidence comes from CISA's own threat intelligence, partner agencies, and trusted industry sources.
  3. Clear remediation action -- A vendor-provided patch, update, or documented mitigation must be available.

The combination of these criteria means that every KEV entry is both actionable (a fix exists) and urgent (exploitation is happening now). This makes the catalog particularly useful for operational triage: you know exactly what to fix and you know it needs to happen immediately.

KEV and EPSS: Two Complementary Signals

The KEV catalog and EPSS scores complement each other well. EPSS predicts exploitation probability based on statistical modeling. KEV confirms that exploitation has already occurred. Together, they provide a two-dimensional view of exploitation risk:

  • On KEV + high EPSS -- Confirmed exploited and predicted to continue. Highest priority.
  • On KEV + low EPSS -- Confirmed exploited, but exploitation may be targeted or limited in scale. Still high priority because exploitation is confirmed.
  • Not on KEV + high EPSS -- Not yet confirmed exploited but statistically likely. Treat as elevated risk.
  • Not on KEV + low EPSS -- Neither confirmed nor predicted. Lower priority, monitor normally.

How ScanRook Uses CISA KEV

ScanRook automatically checks every CVE finding against the CISA KEV catalog. Findings that match a KEV entry are tagged with the KEV status, including the date the CVE was added to the catalog and the required remediation deadline. This tagging happens automatically during the enrichment phase -- no additional configuration is needed.

In the ScanRook web dashboard, KEV-tagged findings are visually distinguished and can be filtered separately, making it easy to generate a remediation list of just the actively exploited vulnerabilities in your scan results.

Learn more about how ScanRook combines KEV with other data sources in the enrichment documentation and the data sources reference.

Practical Recommendations

  1. Treat all KEV-listed CVEs as mandatory remediation items regardless of CVSS score.
  2. Set SLA targets for KEV remediation that are shorter than your standard patching cycle.
  3. Use KEV as an escalation trigger in your ticketing system: if a scan finding matches KEV, auto-escalate to the responsible team.
  4. Monitor KEV additions regularly. CISA adds new entries frequently, and newly added CVEs may already affect your environment.
  5. Combine KEV status with EPSS percentiles and CVSS scores for a layered prioritization model.
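The following script is an added example, not ScanRook's code or CISA's, that puts the two-dimensional KEV/EPSS view and the recommendations above into practice: it indexes a KEV feed, tags each scan finding with the catalog's date added and due date, derives an internal SLA that is shorter than the standard patch cycle, marks every KEV match for escalation, and orders findings by KEV/EPSS tier with CVSS as the tiebreaker. It assumes the feed uses the field names of CISA's public JSON feed (cveID, vendorProject, product, dateAdded, dueDate); the catalog entries, CVE ids, findings, EPSS values, the 10% EPSS threshold and the 7-day SLA are all constructed sample data.

```python
"""
Added example (not ScanRook's or CISA's code): enrich scan findings with KEV
status, derive SLA deadlines, flag escalations, and rank by KEV/EPSS/CVSS.
Assumed feed shape: CISA's public JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
All catalog entries, findings and thresholds below are constructed samples.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample in the KEV feed's shape; the CVE ids are placeholders.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2024-00001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "dateAdded": "2026-01-05", "dueDate": "2026-01-26"},
    {"cveID": "CVE-2023-00002", "vendorProject": "ExampleVendor", "product": "OtherProduct",
     "dateAdded": "2025-12-01", "dueDate": "2025-12-22"}
  ]
}
"""

EPSS_HIGH = 0.10   # assumed threshold: EPSS probability of 10% or more counts as "high"
KEV_SLA_DAYS = 7   # assumed internal SLA for KEV items, shorter than the normal patch cycle


@dataclass
class Finding:
    cve: str
    host: str
    cvss: float
    epss: float


@dataclass
class Prioritized:
    cve: str
    host: str
    cvss: float
    on_kev: bool
    quadrant: str
    tier: int                     # 1 = highest priority
    kev_added: date | None        # catalog dateAdded, when on KEV
    cisa_due: date | None         # catalog dueDate, when on KEV
    internal_due: date | None     # our own, shorter SLA
    overdue: bool
    escalate: bool


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index the catalog by CVE id so each finding is a single dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def quadrant(on_kev: bool, epss: float) -> tuple[str, int]:
    """Place a CVE in the KEV x EPSS matrix; confirmed exploitation outranks prediction."""
    high = epss >= EPSS_HIGH
    if on_kev and high:
        return "KEV + high EPSS", 1
    if on_kev:
        return "KEV + low EPSS", 2
    if high:
        return "not KEV + high EPSS", 3
    return "not KEV + low EPSS", 4


def prioritize(findings: list[Finding], kev: dict[str, dict], today: date) -> list[Prioritized]:
    """Tag findings with KEV data and order them: KEV/EPSS tier first, CVSS as tiebreaker."""
    result = []
    for f in findings:
        entry = kev.get(f.cve)
        on_kev = entry is not None
        label, tier = quadrant(on_kev, f.epss)
        kev_added = cisa_due = internal_due = None
        if on_kev:
            kev_added = date.fromisoformat(entry["dateAdded"])
            cisa_due = date.fromisoformat(entry["dueDate"])
            # Internal SLA: KEV_SLA_DAYS from today, but never later than CISA's deadline.
            internal_due = min(today + timedelta(days=KEV_SLA_DAYS), cisa_due)
        result.append(Prioritized(
            cve=f.cve, host=f.host, cvss=f.cvss, on_kev=on_kev, quadrant=label, tier=tier,
            kev_added=kev_added, cisa_due=cisa_due, internal_due=internal_due,
            overdue=bool(on_kev and today > cisa_due),
            escalate=on_kev,   # any KEV match is an escalation trigger
        ))
    result.sort(key=lambda p: (p.tier, -p.cvss))
    return result


# Constructed scan findings; CVSS and EPSS values are illustrative only.
SAMPLE_FINDINGS = [
    Finding("CVE-2025-00004", "web-01", 9.9, 0.01),
    Finding("CVE-2023-00002", "db-01", 9.8, 0.02),
    Finding("CVE-2025-00003", "app-02", 9.0, 0.30),
    Finding("CVE-2024-00001", "vpn-01", 7.5, 0.45),
    Finding("CVE-2025-00005", "app-03", 5.0, 0.20),
]


def run(today: date = date(2026, 1, 10)) -> list[Prioritized]:
    return prioritize(SAMPLE_FINDINGS, load_kev(KEV_FEED_JSON), today)


if __name__ == "__main__":
    for p in run():
        due = f" due {p.internal_due} (CISA {p.cisa_due})" if p.on_kev else ""
        flags = (" ESCALATE" if p.escalate else "") + (" OVERDUE" if p.overdue else "")
        print(f"tier {p.tier} {p.cve:14} {p.host:7} cvss {p.cvss:4} {p.quadrant}{due}{flags}")
```

Note the ordering the sample produces: the CVSS 9.9 finding with no KEV match and a 1% EPSS lands last, while the CVSS 7.5 KEV entry with high EPSS lands first, which is exactly the point of recommendation 1. The second KEV entry's CISA due date has already passed relative to the sample "today", so it is marked overdue as well as escalated; in a real pipeline that is the case to surface most loudly.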
