What Is the KEV Catalog?
The Known Exploited Vulnerabilities (KEV) catalog is a public list maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability catalog documents software and hardware vulnerabilities that have confirmed evidence of exploitation in the wild. These are vulnerabilities that attackers have actually used. CISA describes it as “the authoritative source of vulnerabilities that have been exploited in the wild.”
Each entry includes the CVE identifier, affected vendor and product, a short description, the date it was added, required remediation action, and, for U.S. federal agencies, a compliance deadline. As of mid-2026, the catalog lists more than 1,250 vulnerabilities and continues to grow, with CISA typically adding new entries several times a week.
How a Vulnerability Qualifies for KEV
CISA adds a vulnerability to the catalog only when it meets three criteria:
- It has an assigned CVE ID – The vulnerability must be tracked in the standard CVE numbering system, so it can be referenced consistently across tools and reports.
- Clear remediation guidance exists – There must be a documented fix, such as a patch, update, or vendor-recommended mitigation, so listing the vulnerability leads directly to action.
- There is reliable evidence of active exploitation – Inclusion in KEV requires confirmed exploitation in the wild. A high severity score or a theoretical attack path is not enough on its own.
Key Terms to Know
CVE (Common Vulnerabilities and Exposures) – A standardized identifier assigned to a publicly known vulnerability, such as CVE-2026-XXXXX. CVE is the reference number every other system, including KEV, builds on.
CVSS (Common Vulnerability Scoring System) – A 0–10 score describing how severe a vulnerability could be if exploited, based on factors like attack complexity and required privileges. CVSS is static and theoretical, it doesn’t tell you whether anyone has actually exploited the vulnerability.
EPSS (Exploit Prediction Scoring System) – A daily-updated probability score (0–100%) estimating the likelihood a vulnerability will be exploited in the next 30 days. EPSS is predictive; KEV is confirmed. Many teams use EPSS to watch for rising risk and KEV to confirm it has materialized.
Remediation Deadline (Due Date) – The date by which an affected system must be patched or mitigated. Under BOD(Binding Operational Directive) 26-04, this is no longer one fixed number, it depends on the risk tier a specific vulnerability-asset pairing falls into. For example, CERT-In’s blueprint requires internet-facing KEV vulnerabilities to be patched within 12 hours.
Virtual Patching – A compensating control, typically enforced at a web application firewall (WAF) or similar edge layer that blocks exploitation of a known vulnerability before the underlying code is actually fixed. It buys time against KEV-listed and zero-day vulnerabilities when a code-level patch isn’t ready yet.
Zero-Day Vulnerability – A vulnerability that is being exploited before a patch is publicly available. Zero-days often land on the KEV catalog quickly once exploitation is confirmed, sometimes before a permanent fix even exists.
Why KEV Matters Beyond Federal Agencies
KEV has become a de facto industry standard far beyond government. Security teams everywhere use it as a fast, evidence-based filter: out of tens of thousands of CVEs disclosed each year, KEV narrows attention to the ones already being used in real attacks. It is also increasingly referenced in compliance frameworks, cyber insurance questionnaires, and vendor risk assessments as a marker of remediation discipline.
KEV vs. CVSS vs. EPSS — What is the Difference?
These three signals answer different questions, and the strongest vulnerability management programs use them together rather than picking one:
- CVSS asks: how bad could this be, technically, if exploited?
- EPSS asks: how likely is this to be exploited soon?
- KEV answers definitively: this has already been exploited. It is binary, a vulnerability either is or isn’t on the list.
Layering all three moves prioritization from theoretical severity to evidence-based urgency.
KEV confirms that an exploit is already being used against real targets. Once a vulnerability lands on the catalog, the priority shifts from tracking a patch deadline to closing the exposure window immediately. AppTrana blocks exploitation at the edge, enforcing a virtual patch the moment a vulnerability is confirmed, so the attack path is shut down before the underlying code fix ever ships. See AppTrana’s zero-day coverage here.