CISA KEV - Known Exploited Vulnerabilities Catalog
The CISA KEV (Known Exploited Vulnerabilities) Catalog is a list of actively exploited vulnerabilities maintained by the U.S. agency CISA. All U.S. federal agencies are required to patch KEV vulnerabilities within defined timeframes. For businesses, KEV is prioritization guidance beyond CVSS: if a vulnerability is listed in KEV, it is being actively exploited. The catalog is available via API and integrates with patch management, SIEM, and vulnerability scanners.
CISA KEV (Known Exploited Vulnerabilities) is a free catalog from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that lists vulnerabilities currently being exploited in real-world attacks. Unlike CVSS (which only assesses theoretical severity), KEV provides a clear statement: "This vulnerability is being exploited RIGHT NOW." For prioritization decisions in patch management, KEV is often more relevant than CVSS alone.
Why CISA KEV is important
The problem with CVSS prioritization
- 20,000+ new CVEs per year
- 60–70% of all CVEs: CVSS ≥ 7.0 (High/Critical)
- Impossible: patch all high/critical vulnerabilities immediately
- Result: Prioritization based on CVSS = guessing in the dark
CISA KEV as a Solution
- "This vulnerability is actively being exploited in attacks"
- Source data: CISA telemetry, FBI, partner ISACs, public reports
- As of March 2026: ~1,200 entries (out of 200,000+ CVEs!)
- 1,200 out of 200,000 = 0.6% → patch these vulnerabilities IMMEDIATELY
KEV vs. CVSS: Examples
| CVE | CVSS | KEV | Recommendation |
|---|---|---|---|
| CVE-2021-44228 (Log4Shell) | 10.0 Critical | YES | Patch immediately |
| CVE-2019-11043 (PHP-FPM RCE) | 9.8 Critical | YES | Actively exploited! |
| Theoretical Critical | 9.5 Critical | NO | No public exploit - prioritize based on KEV entries |
U.S. Federal Agency Mandate (BOD 22-01)
- Federal Civilian Executive Branch (FCEB) Agencies MUST patch
- Deadlines: 2 weeks for most entries, 6 months for older CVEs
- Compliance must be reported to CISA
KEV Catalog Structure
API Endpoint
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Sample Entry (JSON)
```json
{
  "cveID": "CVE-2021-44228",
  "vendorProject": "Apache",
  "product": "Log4j2",
  "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
  "dateAdded": "2021-12-10",
  "shortDescription": "Apache Log4j2 contains a vulnerability where JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints.",
  "requiredAction": "Apply updates per vendor instructions.",
  "dueDate": "2021-12-24",
  "knownRansomwareCampaignUse": "Known"
}
```
Fields at a Glance
| Field | Meaning |
|---|---|
| cveID | CVE number |
| vendorProject | Vendor |
| product | Affected product |
| dateAdded | When added to KEV |
| dueDate | Patch deadline (for government agencies) |
| knownRansomwareCampaignUse | "Known" = Ransomware groups are using it! |
Statistics (March 2026)
- ~1,200 total KEV entries
- ~100 new entries per month
- Top categories: Web servers, VPN, Exchange, Citrix
- Ransomware link: ~30% of entries
- Average CVSS: 8.5 (KEV entries are on average high/critical)
- ~15% have CVSS < 7.0 (would be overlooked by normal prioritization!)
Integrate KEV into patch management
1. Query the KEV API daily
```bash
#!/bin/bash
# Daily check: mail every KEV entry added since the last run (state kept in /var/lib/kev)
set -o pipefail
KEV_URL="https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
STATE_FILE=/var/lib/kev/last_checked.txt
OUT=/tmp/new_kev_entries.txt
LAST_CHECKED=$(cat "$STATE_FILE" 2>/dev/null || echo "1970-01-01")
TODAY=$(date +%Y-%m-%d)
# -f makes curl fail on HTTP errors, so a broken download is not mistaken for "no new entries".
# The date filter is strict (>): run the job late in the day, after CISA's updates, or
# entries added later on the day of the previous run are never reported.
curl -sf "$KEV_URL" | jq -r \
    --arg last "$LAST_CHECKED" \
    '.vulnerabilities[] | select(.dateAdded > $last) | .cveID + " - " + .vulnerabilityName' \
    > "$OUT" || exit 1
if [ -s "$OUT" ]; then
    # Header goes before the entries, and the count covers only the entries themselves
    { echo "New KEV entries since $LAST_CHECKED:"; cat "$OUT"; } |
        mail -s "CISA KEV Update - $(wc -l < "$OUT") new CVEs" security@example.com
fi
mkdir -p "$(dirname "$STATE_FILE")" && echo "$TODAY" > "$STATE_FILE"
```
2. Match KEV against your own asset inventory
```python
import csv
import requests

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Load KEV and keep only the CVE IDs as a set for fast lookup
resp = requests.get(KEV_URL, timeout=30)
resp.raise_for_status()
kev_cves = {v["cveID"] for v in resp.json()["vulnerabilities"]}

# Own vulnerability data (e.g., Tenable CSV export with CVE and hostname columns)
with open("vuln_export.csv", newline="") as f:
    for row in csv.DictReader(f):
        if row["CVE"] in kev_cves:
            print(f"KEV MATCH: {row['CVE']} on {row['hostname']} - PATCH IMMEDIATELY!")
```
3. Vulnerability Scanner Integration
Tenable.io:
- Filter: "CISA KEV" in Vulnerability Findings
- Dashboard widget: KEV vulnerabilities by asset
Qualys VMDR:
- CISA KEV label in vulnerability list
- Asset risk score includes KEV
OpenVAS/Greenbone:
- CISA KEV as a custom tag via API
4. Patch Prioritization Matrix
| Priority | Criterion | Deadline |
|---|---|---|
| 1 - Immediate | KEV + CVSS Critical + public exploit | ≤ 24h |
| 2 - This week | KEV (all, regardless of CVSS!) | 7 days |
| 3 - This month | CVSS Critical + EPSS > 0.5 | 30 days |
| 4 - Quarterly | CVSS High without KEV/exploit | 90 days |
| 5 - Continuous | CVSS Medium/Low | ongoing |
Combining KEV and EPSS
EPSS (Exploit Prediction Scoring System)
- Score from 0.0 to 1.0: probability that the CVE will be exploited within the next 30 days
- EPSS > 0.5 = 50% probability of exploitation → patch!
Combined Model
| CVE in KEV? | EPSS Score | Priority |
|---|---|---|
| YES | > 0.5 | CRITICAL (Immediately!) |
| YES | 0.1–0.5 | HIGH (This Week) |
| YES | < 0.1 | HIGH (This week) - KEV overrides EPSS! |
| NO | > 0.9 | HIGH |
| NO | 0.5–0.9 | MEDIUM |
| NO | < 0.5 | LOW |
Python: Retrieve EPSS scores for KEV CVEs
```python
import requests

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

kev_resp = requests.get(KEV_URL, timeout=30)
kev_resp.raise_for_status()
kev_cves = [v["cveID"] for v in kev_resp.json()["vulnerabilities"]]

# EPSS API (first.org): max 100 CVEs per request, so query in batches
for i in range(0, len(kev_cves), 100):
    cve_string = ",".join(kev_cves[i:i + 100])
    epss_resp = requests.get(f"https://api.first.org/data/v1/epss?cve={cve_string}", timeout=30)
    epss_resp.raise_for_status()
    for item in epss_resp.json()["data"]:
        epss = float(item["epss"])  # the API returns the score as a string
        if epss > 0.5:
            print(f"HIGH PRIORITY: {item['cve']} EPSS={epss:.2f} (KEV + High EPSS!)")
```
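As an added, offline example (not code from the original page), the script below joins a scanner CSV export of the kind step 2 reads with a KEV feed excerpt and EPSS scores, applies the combined KEV/EPSS table above, and computes the days left until the CISA due date. The feed excerpt, EPSS values and scan rows are constructed inline (only the Log4Shell entry copies the page's sample), and the CVE-0000-0000x IDs are placeholders for findings that are not in KEV.

```python
import csv
from datetime import date

# Constructed KEV excerpt in the catalog's JSON shape; the first entry copies the page's
# Log4Shell sample, the due date on the second entry is made up for this demo.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2019-11043", "dueDate": "2022-04-15", "knownRansomwareCampaignUse": "Unknown"},
]}
# Constructed EPSS scores; CVE-0000-0000x are placeholders for findings that are not in KEV.
EPSS_SCORES = {"CVE-2021-44228": 0.97, "CVE-2019-11043": 0.05,
               "CVE-0000-00001": 0.95, "CVE-0000-00002": 0.30}
# Constructed scanner export in the CSV layout step 2 assumes (hostname and CVE columns).
SCAN_EXPORT = "hostname,CVE\nweb01,CVE-2021-44228\nphp01,CVE-2019-11043\napp02,CVE-0000-00001\napp03,CVE-0000-00002\n"

PRIORITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

def combined_priority(in_kev: bool, epss: float) -> str:
    """Combined KEV/EPSS model from the table above: a KEV listing never drops below HIGH."""
    if in_kev:
        return "CRITICAL" if epss > 0.5 else "HIGH"
    if epss > 0.9:
        return "HIGH"
    return "MEDIUM" if epss >= 0.5 else "LOW"

def prioritize(scan_csv: str, kev_feed: dict, epss_scores: dict, today_iso: str) -> list:
    """Join scan findings with KEV and EPSS and return them ordered by urgency."""
    today = date.fromisoformat(today_iso)
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    rows = []
    for finding in csv.DictReader(scan_csv.splitlines()):
        cve = finding["CVE"]
        entry = kev.get(cve)
        epss = epss_scores.get(cve, 0.0)  # no EPSS record yet: treat as 0
        rows.append({
            "host": finding["hostname"], "cve": cve, "kev": entry is not None, "epss": epss,
            "ransomware": bool(entry) and entry["knownRansomwareCampaignUse"] == "Known",
            "priority": combined_priority(entry is not None, epss),
            # days until the CISA due date; negative means the deadline has already passed
            "days_until_due": (date.fromisoformat(entry["dueDate"]) - today).days if entry else None,
        })
    # Within one priority: KEV entries first, then higher EPSS first
    rows.sort(key=lambda r: (PRIORITY_ORDER[r["priority"]], not r["kev"], -r["epss"]))
    return rows

if __name__ == "__main__":
    for r in prioritize(SCAN_EXPORT, KEV_FEED, EPSS_SCORES, "2022-04-01"):
        print(r)
```

Replace the constructed inputs with the live KEV feed, the EPSS API response and your own export to use it in production.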
KEV Statistics (Research)
- CISA KEV entries: on average, 94% have an EPSS > 0.1 after 30 days
- Without KEV: 94% of all CVEs have an EPSS < 0.01 (never exploited!)
- KEV is the strongest prioritization indicator of all
KEV in SIEM and Alerting
Microsoft Sentinel
```kql
// Watchlist: Import KEV CVEs
// Sentinel → Watchlists → New → Upload CSV
// CSV columns: CVEId, Vendor, Product, DateAdded, DueDate (CVEId as the search key)
// KQL: alert when a security alert references a KEV-listed CVE
let KevCves = _GetWatchlist('CISA-KEV') | project CVE = CVEId;
SecurityAlert
| where AlertName contains "CVE-"
// "in" needs an exact match, so pull the CVE id out of the alert name first
| extend Cve = extract(@"CVE-\d{4}-\d{4,}", 0, AlertName)
| where Cve in (KevCves)
| project TimeGenerated, SystemAlertId, AlertName, Cve, Entities
| extend Priority = "CRITICAL - KEV Match!"
```
Splunk
Append the lookup to your vulnerability-scan search (the events must carry a `cve_id` field); the final `where` fires 14 days before the CISA due date:
```spl
| lookup kev_lookup cve_id OUTPUT vulnerability_name due_date
| where isnotnull(due_date)
| eval days_until_due = round((strptime(due_date, "%Y-%m-%d") - now()) / 86400, 0)
| where days_until_due <= 14
```
Alerting for new KEV entries
```bash
#!/bin/bash
# Slack webhook when a new KEV entry is added (run once a day; SLACK_WEBHOOK_URL comes from the environment)
set -o pipefail
: "${SLACK_WEBHOOK_URL:?SLACK_WEBHOOK_URL must be set}"
KEV_URL="https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
TODAY=$(date -u +%Y-%m-%d)
# All entries whose dateAdded is today, joined on one line
NEW_KEV=$(curl -sf "$KEV_URL" | jq -r --arg today "$TODAY" \
    '[.vulnerabilities[] | select(.dateAdded == $today) | .cveID] | join(", ")') || exit 1
if [ -n "$NEW_KEV" ]; then
    # Let jq build the body so the message stays valid JSON whatever the CVE list contains
    PAYLOAD=$(jq -cn --arg text "CISA KEV Update: New CVEs $NEW_KEV - check immediately!" '{text: $text}')
    curl -sS -X POST -H 'Content-type: application/json' --data "$PAYLOAD" "$SLACK_WEBHOOK_URL"
fi
```