There are tens of thousands of known software vulnerabilities, and new ones are disclosed every day. The overwhelming majority will never be exploited in a real attack. So when you are trying to judge whether a vendor poses a genuine risk, the most useful question is not "how many vulnerabilities have been published about this product?" — it is "is anything this vendor runs being actively exploited by attackers right now?"
That is exactly the question the CISA Known Exploited Vulnerabilities (KEV) catalog was built to answer. It is free, public, updated continuously, and machine-readable — and it deserves a permanent place in every third-party risk management program.
What the KEV Catalog Is
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched the KEV catalog in November 2021 alongside Binding Operational Directive (BOD) 22-01, "Reducing the Significant Risk of Known Exploited Vulnerabilities." The catalog is a living, authoritative list of vulnerabilities for which CISA has reliable evidence of active exploitation in the wild. It began with an initial set of roughly 300 entries and has since grown to well over a thousand.
For a vulnerability to be added to the KEV catalog, it must meet three criteria: it has an assigned CVE identifier, there is reliable evidence that it is being actively exploited, and there is clear guidance for remediation (typically a vendor patch or mitigation). That third criterion is important — the KEV catalog is not just a watchlist, it is an action list.
Under BOD 22-01, U.S. federal civilian executive branch agencies are required to remediate KEV-listed vulnerabilities by assigned due dates — often within two weeks for recently disclosed CVEs. While that mandate legally binds only federal agencies, CISA explicitly urges all organizations to use the catalog to prioritize their own remediation. In practice, the KEV catalog has become a de facto industry standard for "fix this now."
Why KEV Beats Raw CVSS Scores for Prioritization
For years, organizations prioritized patching by CVSS severity score, treating every "critical" 9.0+ vulnerability as a top priority. The problem is volume: there are far more critical-rated vulnerabilities than any team can patch immediately, and severity alone says nothing about whether attackers are actually using a given flaw. Research across the industry has consistently found that only a small fraction of all published vulnerabilities are ever exploited.
The KEV catalog cuts through that noise. A vulnerability on the KEV list is not theoretical — it is being used in real attacks today. That makes "is this vendor exposing a KEV?" one of the highest-signal risk questions you can ask. It is the difference between a smoke detector that beeps at every burnt toast and one that only sounds for actual fire.
The KEV Catalog Is a Roll Call of Third-Party Breaches
What makes the KEV catalog so relevant to vendor risk is that so many of the vulnerabilities on it are the root cause of the supply chain disasters that defined the last decade. Read through the catalog and you will find the very flaws behind the breaches documented in this library:
- The Apache Struts vulnerability behind the Equifax breach — a patch was available, and it went unapplied.
- The MOVEit Transfer SQL injection flaw that Cl0p used to breach 2,700+ organizations.
- The Microsoft Exchange ProxyLogon chain exploited by Hafnium against tens of thousands of servers.
- The Apache Log4Shell vulnerability that put nearly every software vendor at risk.
Every one of these was a known, patchable vulnerability that attackers exploited because someone — often a vendor — had not yet fixed it. The KEV catalog is, in effect, a continuously updated list of the exact weaknesses most likely to turn one of your vendors into your next incident.
How to Use the KEV Catalog in Your TPRM Program
1. Add a KEV question to vendor assessments
Build it directly into your due diligence: ask vendors how quickly they remediate vulnerabilities listed in the CISA KEV catalog, and whether they track it as part of their vulnerability management program. A vendor that has never heard of KEV, or that cannot describe a remediation SLA tied to it, is telling you something important about their security maturity. This is a far sharper question than the generic "do you patch regularly?" found on most questionnaires.
2. Correlate KEV with your vendors' external attack surface
The most powerful use of the catalog is to combine it with external monitoring of your vendors' internet-facing assets. If a vendor is exposing a service with a known KEV-listed vulnerability, that is a concrete, evidence-based risk finding — not a hypothetical. This pairs naturally with the security rating services and external scanning that underpin modern continuous monitoring.
3. Use new KEV additions as monitoring triggers
When CISA adds a high-profile vulnerability to the catalog — especially in widely deployed software like file transfer tools, VPNs, or email gateways — treat it as a trigger to check which of your critical vendors are exposed and to reach out proactively. The organizations that fared best in mass-exploitation events like MOVEit were the ones that reacted within hours, not weeks.
4. Feed KEV exposure into risk quantification
A vendor exposing an actively exploited vulnerability has a measurably higher likelihood of compromise. That maps directly onto the threat event frequency and vulnerability inputs of a FAIR risk quantification model, letting you translate a KEV finding into an estimated financial exposure that leadership can act on.
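The four steps above, as one added example (not code from this page or from Fair TPRM): a Python script that loads a KEV feed in the real JSON layout, correlates it against a vendor inventory of externally exposed products, flags new additions since the last check and entries already past their CISA due date, and ranks the findings. Field names match the CISA feed; the CVE IDs, vendors and products are constructed placeholders, and in production the sample would be replaced by the feed downloaded from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.

```python
import json

# Constructed sample in the layout of the CISA KEV JSON feed (field names match the
# feed; the CVE IDs, vendors and products are placeholders, not real catalog rows).
KEV_FEED = json.loads("""{"catalogVersion": "example", "count": 2, "vulnerabilities": [
 {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "TransferServer",
  "vulnerabilityName": "TransferServer SQL Injection", "dateAdded": "2024-06-01",
  "requiredAction": "Apply vendor patch.", "dueDate": "2024-06-15",
  "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-00002", "vendorProject": "OtherVendor", "product": "MailGateway",
  "vulnerabilityName": "MailGateway Authentication Bypass", "dateAdded": "2024-06-10",
  "requiredAction": "Apply vendor patch.", "dueDate": "2024-07-01",
  "knownRansomwareCampaignUse": "Unknown"}]}""")

# Constructed vendor inventory: third-party products each vendor exposes externally,
# as (vendorProject, product) pairs the way external scanning or a questionnaire reports them.
VENDOR_EXPOSURE = {
    "Acme Payroll": [("ExampleVendor", "TransferServer")],
    "Beta Hosting": [("OtherVendor", "MailGateway"), ("ExampleVendor", "CRM")],
}


def kev_index(feed):
    """Index KEV entries by (vendorProject, product), case-insensitively."""
    idx = {}
    for entry in feed["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        idx.setdefault(key, []).append(entry)
    return idx


def correlate(feed, exposure, today, added_since):
    """One finding per exposed vendor product matching a KEV entry; dates are ISO strings."""
    idx = kev_index(feed)
    findings = []
    for vendor, products in exposure.items():
        for vendor_project, product in products:
            for e in idx.get((vendor_project.lower(), product.lower()), []):
                findings.append({
                    "vendor": vendor, "cveID": e["cveID"], "action": e["requiredAction"],
                    "new_addition": e["dateAdded"] >= added_since,   # step 3 monitoring trigger
                    "past_due": e["dueDate"] < today,                 # BOD 22-01 due date elapsed
                    "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
                })
    # Rank: past-due entries first, then ransomware-linked ones, then fresh additions.
    findings.sort(key=lambda f: (not f["past_due"], not f["ransomware"], not f["new_addition"]))
    return findings


if __name__ == "__main__":
    for finding in correlate(KEV_FEED, VENDOR_EXPOSURE, "2024-06-20", "2024-06-05"):
        print(finding)
```

Each finding carries the vendor name, the CVE and CISA's required action, so it can be dropped straight into a vendor outreach ticket or used as the likelihood input for a FAIR scenario.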
| KEV Catalog Fact | Detail |
|---|---|
| Launched | November 2021, alongside CISA Binding Operational Directive 22-01 |
| Inclusion Criteria | Assigned CVE ID + reliable evidence of active exploitation + clear remediation guidance |
| Federal Mandate | FCEB agencies must remediate by CISA-assigned due dates (often ~2 weeks) |
| Cost & Format | Free; available as a web page, JSON, and CSV feed |
| Best TPRM Use | Correlate KEV entries against vendor external attack surface and remediation SLAs |
A Free Signal You Can't Afford to Ignore
Commercial threat intelligence can cost a fortune, and many small security teams assume high-quality vendor risk signals are out of reach. The KEV catalog proves otherwise. It distills the collective observations of the security community into a single, prioritized list of what attackers are actually exploiting — and it is available to anyone, for free. Folding it into your TPRM program is one of the highest-return, lowest-cost improvements you can make.
Turn Vendor Risk Signals Into Action
Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification — built to help small teams act on high-signal data like the CISA KEV catalog.
Sources & References
- Known Exploited Vulnerabilities Catalog - CISA
- Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities - CISA
- Reducing the Significant Risk of Known Exploited Vulnerabilities - CISA
- National Vulnerability Database - NIST
- Exploit Prediction Scoring System (EPSS) - FIRST