LIVE NEWSROOM · --:-- · May 24, 2026
A LIBRARY FOR SECURITY RESEARCHERS

TOOLS  /  CISA KEV

CISA Known Exploited Vulnerabilities

Search the official CISA KEV catalog by CVE, vendor, or product. KEV-listed vulnerabilities are confirmed exploited in the wild — federal agencies are required to patch them within strict deadlines.

    What it does

    CISA’s Known Exploited Vulnerabilities (KEV) catalog is the most authoritative "patch this first" list available. Inclusion requires evidence of active exploitation in the wild — not theoretical, not POC, actually being abused. Federal civilian agencies are required by Binding Operational Directive 22-01 to patch KEV-listed CVEs by the specified due date. Even outside federal scope, KEV serves as the gold-standard prioritization signal: if it’s on this list, criminal and APT actors are exploiting it right now.

    Advertisement

    How to use it

    1. Search by CVE ID (e.g. "CVE-2024-3400") for a specific entry.
    2. Search by vendor (e.g. "fortinet", "microsoft") for all that vendor’s KEV entries.
    3. Search by product (e.g. "exchange", "ivanti") to see all entries for that product line.
    4. Click "50 most recent" to scan what’s been added in the last few weeks.
    5. Each result shows the required action and due date — these are federal mandates but apply to any prudent enterprise.

    Common use cases

    Patch prioritization When triaging a backlog of CVEs, anything on KEV gets the next deploy window.
    Ransomware risk Entries flagged "Known ransomware campaign use" are top initial-access vectors for ransomware affiliates — treat as critical.
    Vendor-risk assessment Before adopting a vendor product, check how many entries they have on KEV. Frequent presence indicates a security-engineering gap.
    Audit / compliance reporting Use KEV-coverage as a board-level patch-management metric: "what percent of our KEV exposure is remediated within 14 days?".
    Advertisement

    Frequently asked questions

    How often is KEV updated? +
    CISA adds entries continuously, typically batches every 1–2 weeks. We re-fetch the feed every 6 hours.
    What triggers a KEV addition? +
    Reliable evidence of in-the-wild exploitation: CISA partner intel, vendor confirmations, NSA / international CERT reports.
    Why isn’t a famous CVE on KEV? +
    Either no confirmed in-the-wild exploitation, or it was confirmed but reverted. KEV is a "real exploitation" filter, not a "scary CVE" filter.
    Are KEV due dates legally binding? +
    For US federal civilian agencies — yes, under BOD 22-01. For everyone else they’re an aggressive-but-prudent target.

    Related tools

    Related coverage on Ciphers Security

    You may also like

    Free for everyone, no signup required. Tool runs at /tools/cisa-kev/ — bookmark or share.

    Scroll to Top