FortWatch

KEV (Known Exploited Vulnerabilities)

A catalog maintained by CISA listing vulnerabilities that are actively being exploited in the wild.

What is KEV (Known Exploited Vulnerabilities)?

The KEV (Known Exploited Vulnerabilities) catalog is a public list, maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), of vulnerabilities that have confirmed, real-world exploitation in the wild. Unlike a raw CVE list, a vulnerability only joins the KEV catalog when there is reliable evidence that attackers are actively using it to compromise systems. Each entry includes the CVE ID, the affected product, the date it was added, and a remediation due date.

Why it matters

Tens of thousands of CVEs are published every year, and no team can patch them all at once. The KEV catalog narrows the field to what attackers are actually exploiting right now, which makes it one of the highest-signal prioritization inputs available. A vulnerability on the KEV list is not a theoretical risk — it has a working exploit and active campaigns behind it. For U.S. federal civilian agencies, KEV remediation is mandatory under Binding Operational Directive 22-01; for everyone else, it is a practical shortlist of what to fix first.

KEV vs. CVSS

A high CVSS score describes how damaging a vulnerability could be in theory. KEV describes whether it is being used today. A medium-CVSS bug on the KEV list often deserves attention before a critical-CVSS bug that has never been exploited. The two are complementary: CVSS measures potential impact, and KEV measures the real-world likelihood of exploitation.

How it works

  1. A CVE is assigned to a publicly disclosed flaw.
  2. CISA collects evidence of active exploitation from incident reports, threat intelligence, and vendor disclosures.
  3. If the criteria are met, the CVE is added to the KEV catalog with an assigned remediation due date.
  4. Defenders cross-reference their own asset inventory against the catalog and patch matching systems first.

A concrete example

CVE-2021-44228 (Log4Shell) was added to the KEV catalog within days of public disclosure because mass scanning and exploitation began almost immediately. Organizations that watched KEV knew to treat it as an emergency rather than waiting for it to surface in a routine quarterly review. The same pattern repeats for widely exploited edge devices, VPN appliances, and content management systems.

How it appears on your external attack surface

KEV-listed vulnerabilities are most dangerous on internet-facing assets, where exploitation requires no foothold inside your network. Outdated web servers, unpatched VPN gateways, and exposed admin panels are common carriers. The gap is usually visibility: you cannot match KEV entries against software you do not know is exposed. This is where external attack surface management and continuous scanning matter — a KEV entry published the day after your annual pentest leaves you exposed for months.
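As an added example (not FortWatch code, and not CISA's tooling), the following Python puts step 4 of "How it works", the KEV-before-CVSS ordering, and the "new since your last review" gap into one script. The field names follow CISA's public known_exploited_vulnerabilities.json feed; the catalog entries, asset names and all CVE ids other than Log4Shell are constructed sample data.

```python
import json
from datetime import date

# Constructed miniature of the CISA KEV feed. Field names follow the public
# known_exploited_vulnerabilities.json schema; apart from Log4Shell, the CVE ids
# are placeholders and all dates are sample values.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2021-44228", "product": "Log4j2", "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
  {"cveID": "CVE-0000-0001", "product": "ExampleVPN", "dateAdded": "2024-06-10", "dueDate": "2024-07-01"}
]}"""

# Constructed scanner output: the CVE detected on each exposed asset plus its CVSS score.
FINDINGS = [
    {"asset": "vpn.example.com", "cve": "CVE-0000-0001", "cvss": 6.5},
    {"asset": "www.example.com", "cve": "CVE-0000-0002", "cvss": 9.8},
    {"asset": "app.example.com", "cve": "CVE-2021-44228", "cvss": 10.0},
]

def load_kev(raw: str) -> dict:
    """Index the catalog by CVE id, parsing the dates so they compare and sort."""
    return {
        e["cveID"]: {"added": date.fromisoformat(e["dateAdded"]),
                     "due": date.fromisoformat(e["dueDate"])}
        for e in json.loads(raw)["vulnerabilities"]
    }

def prioritize(findings: list, kev: dict, today: str) -> list:
    """KEV-listed findings first (earliest due date leads, so overdue ones top the
    list), then everything else by CVSS descending. Returns (asset, cve, reason)."""
    now = date.fromisoformat(today)
    def rank(f):  # tuple sort key: (not-in-KEV, due date, -cvss)
        e = kev.get(f["cve"])
        return (0, e["due"], -f["cvss"]) if e else (1, date.max, -f["cvss"])

    ranked = []
    for f in sorted(findings, key=rank):
        e = kev.get(f["cve"])
        if e:
            reason = "KEV (OVERDUE)" if e["due"] < now else f"KEV (due {e['due']})"
        else:
            reason = f"CVSS {f['cvss']}"
        ranked.append((f["asset"], f["cve"], reason))
    return ranked

def added_since(kev: dict, last_review: str) -> list:
    """CVE ids that entered the catalog after your last review (e.g. the annual pentest)."""
    since = date.fromisoformat(last_review)
    return sorted(c for c, e in kev.items() if e["added"] > since)
```

Note that the CVSS 9.8 finding ranks last: it is not on the catalog, so the CVSS 6.5 VPN bug that attackers are actually using outranks it.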

How FortWatch helps

FortWatch continuously scans your public-facing assets and fingerprints the services and software running on them. Its vulnerability scanner (built on Nuclei templates) flags CVEs detected on those assets, and findings that correspond to known-exploited vulnerabilities are weighted toward higher severity so they surface above noise. Combined with port, SSL, and DNS scanning, this means a newly KEV-listed flaw on an exposed service shows up as a prioritized issue with AI-generated remediation guidance — rather than sitting unnoticed until your next manual review.
