CISA KEV Catalog
The federal Known Exploited Vulnerabilities catalog — CVEs attackers are actively using right now, with the ransomware-known flag and federal-agency remediation deadline. The other half of the CVE picture.
Why this exists
The NVD has 270,000+ CVEs. KEV has ~1,200. The difference is observed exploitation in the wild. For procurement, vendor risk, or M&A diligence on a software company, the KEV is the sharper question: not "could this be exploited?" but "is this being exploited right now, and is it ransomware-linked?"
Federal agencies are required by Binding Operational Directive 22-01 to remediate KEV entries by the listed due date. If a vendor in your portfolio has a recent KEV that's past due, that's the risk conversation to have on the next call.
Frequently asked questions
What's the difference between CISA KEV and CVE Lookup?
CVE Lookup tells you what's known. KEV (Known Exploited Vulnerabilities) tells you what attackers are actively exploiting in the wild. The CISA KEV catalog is curated by U.S. government threat intelligence; an entry on the list typically means CISA has direct evidence of active exploitation.
Is the ransomware flag on entries reliable?
CISA marks entries when the CVE has been documented in ransomware campaigns. The flag is a strong signal for prioritization — federal civilian agencies are required by Binding Operational Directive 22-01 to remediate KEV entries by the listed due date. Your private-sector remediation should mirror that.
How fresh is KEV?
It is updated whenever CISA confirms new exploitation, typically 1-3 entries per week. Entries persist; nothing is removed unless an entry is determined to be erroneous.
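The vendor-risk check described above (a recent KEV entry that is past its due date, with the ransomware flag as the prioritization signal) as an added example, not code from this page or from CISA. The sample feed is constructed: its field names follow the public KEV JSON feed, but the CVE IDs, vendors and dates are placeholders.

```python
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed.
# Field names match the feed; CVE IDs, vendors and dates are placeholders, not real entries.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Agent",
         "dateAdded": "2024-02-20", "dueDate": "2024-03-12",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Portal",
         "dateAdded": "2024-02-25", "dueDate": "2024-03-17",
         "knownRansomwareCampaignUse": "Known"},
    ]
}


def vendor_kev_review(feed, vendor, today_iso, recent_days=90):
    """Return the KEV entries for `vendor`, each annotated with ransomware,
    past-due and recency flags, ordered for triage (ransomware-linked first,
    then most overdue). `today_iso` is an ISO date string such as "2024-03-05"."""
    today = date.fromisoformat(today_iso)
    rows = []
    for v in feed["vulnerabilities"]:
        if v["vendorProject"].lower() != vendor.lower():
            continue
        due = date.fromisoformat(v["dueDate"])
        added = date.fromisoformat(v["dateAdded"])
        rows.append({
            "cve": v["cveID"],
            "product": v["product"],
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
            "past_due": due < today,
            "days_past_due": max((today - due).days, 0),
            "recent": (today - added).days <= recent_days,
        })
    rows.sort(key=lambda r: (not r["ransomware"], -r["days_past_due"]))
    return rows


def needs_conversation(rows):
    """The trigger from the text: a recent KEV entry that is already past its due date."""
    return [r["cve"] for r in rows if r["recent"] and r["past_due"]]


if __name__ == "__main__":
    for row in vendor_kev_review(SAMPLE_KEV, "ExampleVendor", "2024-03-05"):
        print(row)
    print("raise on next call:", needs_conversation(
        vendor_kev_review(SAMPLE_KEV, "ExampleVendor", "2024-03-05")))
```

To run this against live data, load the public feed (known_exploited_vulnerabilities.json from CISA) with `json.load` and pass it in place of `SAMPLE_KEV`.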