
What is the CISA KEV catalog and why it matters for patching

By Editorial team · 2026-06-14

In short: The CISA Known Exploited Vulnerabilities (KEV) catalog is a free, public list of software flaws with reliable evidence of active exploitation in the wild. Created under Binding Operational Directive 22-01 in November 2021, it is the single most actionable patch-prioritization shortlist: if a CVE is on it, attackers are already using it, so it should jump to the front of your patch queue.

The CISA Known Exploited Vulnerabilities (KEV) catalog is a free, authoritative list of software vulnerabilities that have reliable evidence of being actively exploited in the wild. It is maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and is one of the most useful resources in vulnerability management because it answers the question that matters most to defenders: which flaws are attackers actually using right now?

You can browse our running KEV timeline to see recent additions, each with a plain-English explainer.

Why was the KEV catalog created?

Security teams face a firehose. More than 250,000 CVEs have been published, and tens of thousands are added every year. No organization can patch everything at once, and the old habit of “patch the Criticals first” turns out to be a poor proxy for real risk — most high-severity flaws are never exploited, while some moderate-severity ones are weaponized within days.

CISA created the KEV catalog in November 2021 under Binding Operational Directive (BOD) 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” The directive required U.S. federal civilian agencies to remediate listed vulnerabilities by set deadlines. The broader goal was to shift the entire industry from theoretical severity toward evidence of exploitation as the primary prioritization signal.

How does a vulnerability get added to the KEV catalog?

CISA applies three criteria. A vulnerability is added only when all three are met:

  - Assigned CVE ID: the flaw has a formal CVE identifier in the public CVE program.
  - Active exploitation: there is reliable evidence the flaw is being exploited in the wild — not merely a proof-of-concept or theoretical risk.
  - Clear remediation: there is a concrete fixed action, usually a vendor patch or a defined mitigation.

This is why the catalog is small relative to the total CVE universe. It is not a list of every dangerous bug — it is a list of bugs attackers have demonstrably chosen to use. Each entry also carries a “Known ransomware campaign use” flag, which elevates urgency further.

Why does the KEV catalog matter more than a CVSS score?

A high CVSS score tells you a vulnerability is intrinsically severe — easy to reach, easy to exploit, high impact. It does not tell you whether anyone is exploiting it. The KEV catalog supplies exactly the missing piece: confirmed real-world use.

Consider the contrast:

That is the core insight behind modern patch prioritization: severity is a starting filter, but exploitation evidence is the decider. KEV gives you that evidence for free.

How to use the KEV catalog in practice

You do not need to be a federal agency to benefit. A simple, defensible workflow:

  1. Cross-reference your asset inventory against KEV. Any product you run that appears in the catalog is a confirmed-exploited risk in your environment.
  2. Treat KEV due dates as your internal SLA. Even though they are only binding on federal agencies, they are a reasonable, externally-justified deadline.
  3. Escalate ransomware-flagged entries. These have been observed in extortion attacks and deserve emergency handling.
  4. Automate the feed. CISA publishes the catalog as machine-readable JSON and CSV, so you can pull it into a scanner, SIEM, or ticketing system.
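The four steps above, worked through as an added example (not code from CISA or from this site): it parses a feed in the shape of CISA's KEV JSON, keeps only entries whose vendor and product appear in a local inventory, and orders them so ransomware-flagged and overdue entries lead the queue. The feed content and the inventory are constructed for the example; the field names follow the published KEV JSON schema, and matching on vendor/product strings is an assumption that a real deployment would replace with CPE- or version-aware matching.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow
# the published schema; the CVE entries themselves are made up for this example.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2026-06-01", "dueDate": "2026-06-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2026-05-10", "dueDate": "2026-05-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0003", "vendorProject": "OtherVendor", "product": "Mailer",
         "dateAdded": "2026-06-05", "dueDate": "2026-06-26", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory: lower-cased (vendor, product) pairs the organisation runs.
# String matching is a simplification; a real inventory would match on CPE and version.
INVENTORY = {("examplevendor", "gateway")}


def prioritize(kev_json: str, inventory, today: date):
    """Return KEV entries that match the inventory, most urgent first.

    Step 1: cross-reference vendor/product against the inventory.
    Step 2: compute days left against the KEV due date (the internal SLA).
    Step 3: sort ransomware-flagged entries first, then by earliest due date.
    """
    catalog = json.loads(kev_json)
    hits = []
    for v in catalog["vulnerabilities"]:
        if (v["vendorProject"].lower(), v["product"].lower()) not in inventory:
            continue
        due = date.fromisoformat(v["dueDate"])
        hits.append({
            "cve": v["cveID"],
            "ransomware": v["knownRansomwareCampaignUse"] == "Known",
            "due": due.isoformat(),
            "overdue": today > due,
            "days_left": (due - today).days,
        })
    hits.sort(key=lambda h: (not h["ransomware"], h["due"]))
    return hits


def demo():
    """Step 4 stand-in: run the check on the sample feed for a fixed date."""
    return prioritize(KEV_SAMPLE, INVENTORY, date(2026, 6, 14))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

In production, replace KEV_SAMPLE with the JSON downloaded from CISA's feed and run the job on a schedule so newly added entries surface the day they appear.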

What the KEV catalog is not

Key takeaways

The KEV catalog turns “patch everything” into “patch what attackers are using first.” It is free, public-domain, machine-readable, and updated regularly. Pair it with CVSS for severity and EPSS for exploit-likelihood to build a prioritization model that reflects real risk rather than raw counts.

To go deeper, see our guide to combining KEV, EPSS and CVSS for patch prioritization, or learn how a CVE travels from disclosure to exploitation. The full methodology behind how we source KEV data is on our methodology page.

Frequently asked questions

Is the CISA KEV catalog free to use?

Yes. The catalog is published by CISA as a U.S. Government work in the public domain. You can browse it on the web, download it as JSON or CSV, and integrate the feed into your own tools at no cost.

Does the KEV remediation deadline apply to private companies?

The deadlines are legally binding only on U.S. federal civilian executive-branch agencies under BOD 22-01. Private organizations are not legally required to meet them, but CISA and most security teams recommend treating them as strong urgency signals.

How many vulnerabilities are in the KEV catalog?

The catalog has grown to well over a thousand entries since 2021 and gains new ones regularly. It is deliberately small relative to the ~250,000 published CVEs because it only includes flaws with confirmed exploitation.

What is the difference between KEV and the NVD?

The NVD (National Vulnerability Database) catalogs nearly every published CVE with CVSS scores and metadata. KEV is a curated subset: only the vulnerabilities CISA has confirmed are being exploited in the wild.


Last updated: 2026-06-14