Skip to main content

Known Exploited Vulnerabilities (KEV) Catalog

The KEV catalog is CISA’s authoritative list of vulnerabilities with reliable evidence of active exploitation in the wild — confirmed fact, not prediction.

The Known Exploited Vulnerabilities (KEV) catalog is maintained by CISA, the U.S. Cybersecurity and Infrastructure Security Agency. A vulnerability enters the catalog only when there is reliable evidence of active exploitation in the wild — it is the authoritative public record of confirmed, not predicted, exploitation.

How It Works

Each KEV entry names the CVE, the affected product, required remediation action, and a due date for U.S. federal agencies. Because an entry requires evidence that malicious exploitation actually occurred, KEV membership is the strongest evidence tier a vulnerability signal can carry.

Why It Matters

When exploitation is observed, prediction and severity become secondary — you already know. That is why evidence-first scoring treats KEV as an override rather than a weight: no quantity of quiet, low-risk findings should be able to average away a live exploit. CISA itself cautions that KEV is a subset of all exploited vulnerabilities, so "not in KEV" never means "not exploited" — probabilistic signals like EPSS and LEV cover the rest.

Related Terms

KEV records confirmed exploitation of CVEs; EPSS predicts future exploitation; LEV estimates whether exploitation was likely missed. Evidence-weighted scores like RiskScore floor on KEV membership.