What is CISA KEV? Known Exploited Vulnerabilities, explained
A plain-English guide · 1046 KEV CVEs affecting tracked software right now · updated June 2026
The CISA KEV (Known Exploited Vulnerabilities) catalog is the U.S. government's list of vulnerabilities that attackers are actively exploiting in the wild. Unlike a severity score, a place on KEV isn't a prediction — it's confirmation that a flaw is being used right now. That makes it the single most important "fix this first" signal in vulnerability management.
What does KEV stand for?
KEV stands for Known Exploited Vulnerabilities. The catalog is published and maintained by the Cybersecurity and Infrastructure Security Agency (CISA) and is free and public. It launched in November 2021 and now holds well over a thousand entries, with new ones added as exploitation is confirmed — frequently several times a week.
How a CVE gets onto KEV
CISA adds a vulnerability only when it meets three criteria:
- It has an assigned CVE ID.
- There is reliable evidence of active exploitation in the wild — not proof-of-concept code, but real attacks.
- There is a clear remediation, usually a vendor patch or upgrade.
Because the bar is "actually being exploited," KEV stays high-signal: every entry is a real, present threat.
KEV vs CVSS vs EPSS — which do I act on?
- CVSS — a 0–10 severity score (how bad in theory).
- EPSS — a probability a CVE will be exploited soon.
- KEV — confirmation a CVE is being exploited now. The strongest prioritisation signal of the three.
A critical CVSS score on a flaw nobody is using is less urgent than a medium-severity bug that's on KEV. IsItPatched combines all of these into one verdict — see how the score works.
How to check if a KEV vulnerability affects you
Knowing a vulnerability is on KEV is half the picture; the question is whether it affects the version you run. IsItPatched flags every tracked product affected by an actively-exploited (KEV) CVE.
- Live exploited CVEs — the 1046 KEV flaws affecting tracked software, ranked by what matters.
- Check your version — paste a product + version for an instant verdict.
- Scan an SBOM — find KEV-affected components across your whole stack.
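As an added illustration of the two points above (KEV outranks CVSS and EPSS, and a KEV hit still has to be matched to the version you run), here is a small Python script that is not IsItPatched's or CISA's code. It indexes a constructed excerpt in the shape of CISA's public KEV JSON feed by CVE ID and ranks scanner findings KEV-first (earliest CISA due date first), then by EPSS, then by CVSS. It assumes the findings were already matched to installed versions by an SBOM scanner or vendor advisory, since the KEV feed lists CVEs and required actions but no affected version ranges; the CVE IDs, products and scores are placeholders.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's public KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs, vendors, products and dates below are placeholders, not real KEV entries.
KEV_FEED_JSON = """
{"title": "CISA Catalog of Known Exploited Vulnerabilities", "count": 2,
 "vulnerabilities": [
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
   "dateAdded": "2026-05-01", "dueDate": "2026-05-22", "knownRansomwareCampaignUse": "Known",
   "requiredAction": "Apply mitigations per vendor instructions"},
  {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "ExampleLibrary",
   "dateAdded": "2026-05-10", "dueDate": "2026-05-31", "knownRansomwareCampaignUse": "Unknown",
   "requiredAction": "Upgrade to a fixed version"}
 ]}
"""
# Constructed scanner output: CVEs already matched to the versions in our inventory.
# The version matching comes from an SBOM scanner or vendor advisory; KEV carries no version ranges.
FINDINGS = [
    {"cve": "CVE-0000-00001", "component": "examplegateway 2.1", "cvss": 6.5, "epss": 0.40},
    {"cve": "CVE-0000-00002", "component": "examplelibrary 1.4", "cvss": 5.3, "epss": 0.12},
    {"cve": "CVE-0000-00003", "component": "otherlib 3.0", "cvss": 9.8, "epss": 0.02},
    {"cve": "CVE-0000-00004", "component": "otherlib 3.0", "cvss": 7.5, "epss": 0.65},
]

def load_kev(feed_json):
    """Index the KEV feed by CVE ID so each lookup is a dictionary hit."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritise(findings, kev):
    """Rank findings: KEV entries first (earliest due date first), then EPSS, then CVSS."""
    def key(f):
        entry = kev.get(f["cve"])
        if entry:  # confirmed exploited: sort ahead of everything, by CISA due date
            return (0, date.fromisoformat(entry["dueDate"]).toordinal(), -f["epss"], -f["cvss"])
        return (1, 0, -f["epss"], -f["cvss"])  # not on KEV: likelihood, then severity
    ranked = []
    for f in sorted(findings, key=key):
        entry = kev.get(f["cve"])
        ranked.append({**f, "kev": entry is not None,
                       "due": entry["dueDate"] if entry else None,
                       "ransomware": entry["knownRansomwareCampaignUse"] if entry else None})
    return ranked

if __name__ == "__main__":
    for r in prioritise(FINDINGS, load_kev(KEV_FEED_JSON)):
        tag = f"KEV due {r['due']}" if r["kev"] else "not on KEV"
        print(f"{r['cve']}  {r['component']:<22} CVSS {r['cvss']:<4} EPSS {r['epss']:.2f}  {tag}")
```

Note that the CVSS 9.8 finding ends up last: it is neither on KEV nor likely to be exploited soon, which is exactly the ordering the page argues for.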
Frequently asked questions
What is the CISA KEV catalog?
The CISA Known Exploited Vulnerabilities (KEV) catalog is a list, maintained by the U.S. Cybersecurity and Infrastructure Security Agency, of vulnerabilities that are being actively exploited in the wild. A CVE is only added once there is reliable evidence that attackers are using it — so KEV is the authoritative "exploited right now" list, not a list of theoretical risks.
What does KEV stand for?
KEV stands for Known Exploited Vulnerabilities. It is the catalog CISA publishes of CVEs confirmed to be under active exploitation.
How does a CVE get added to KEV?
CISA adds a vulnerability when it meets three criteria: it has an assigned CVE ID, there is reliable evidence of active exploitation in the wild, and there is a clear remediation action (such as a vendor patch). New entries are published as exploitation is confirmed — often several times a week.
Why does KEV matter more than CVSS?
A CVSS score tells you how severe a flaw is in theory; KEV tells you it is actually being used against people now. With tens of thousands of CVEs published each year, KEV is the single best signal for "patch this first" — a vulnerability on KEV is a proven, in-the-wild threat regardless of its CVSS score.
Is fixing KEV vulnerabilities mandatory?
For U.S. federal civilian agencies, yes — Binding Operational Directive 22-01 requires them to remediate KEV vulnerabilities by set deadlines. Everyone else is strongly encouraged to use KEV the same way: as the prioritised list to remediate first.
IsItPatched is an independent service and is not affiliated with or endorsed by CISA, MITRE or NIST/NVD. KEV data is sourced from CISA's public catalog. Always verify against your vendor's official advisories — see our disclaimer.