CISA KEV explained: which CVEs really need to be patched
What is CISA KEV?
The Known Exploited Vulnerabilities (KEV) catalog is maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). It lists vulnerabilities that are confirmed to be actively exploited.
This is the crucial difference from the NVD or a CVSS score: the KEV catalog contains no theoretical risks. Every CVE on the list is, or has been, used in real-world attacks.
Why is the KEV catalog so important?
1. Confirmed exploitation
A CVE on the KEV list is not a hypothetical risk. Someone is actively exploiting it against real organizations, in real attacks. This fundamentally changes the priority.
2. Mandatory patching (for U.S. federal agencies)
Through Binding Operational Directive (BOD) 22-01, all U.S. federal agencies must patch CVEs on the KEV list within specified deadlines. Even if you are not a U.S. agency, if the U.S. government considers a CVE critical enough to mandate patch deadlines, you should pay attention.
3. Relevance for NIS2 and international compliance
In Europe, the KEV catalog is gaining importance. NIS2-regulated organizations must demonstrate "appropriate measures" for vulnerability management. Using the KEV catalog as the basis for prioritization is a strong argument with auditors.
KEV in numbers
- The KEV catalog currently contains more than 1,200 CVEs (as of March 2026)
- New entries are added multiple times per week
- Each entry has a Due Date, the deadline by which patching must occur
- The catalog covers CVEs from 2017 to present
How Nautilus uses KEV
Nautilus automatically checks every CVE against the CISA KEV catalog and marks matches with a KEV badge. This means:
- You can see at a glance which of your CVEs are actively exploited
- Combined with the Technology Watchlist: "This CVE in your nginx is currently under active attack"
- KEV status feeds into sorting and filtering
How to integrate KEV into your workflow
- Check daily: New KEV entries should be evaluated immediately
- Match against your stack: Not every KEV CVE affects you, but those that do are immediately priority 1
- Respect deadlines: KEV due dates are a good benchmark, even outside the U.S. government
- Document: for audits and compliance, be able to state "We check CISA KEV daily and patch affected systems within 48h"
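The daily check, stack matching and deadline tracking above, as an added example (not Nautilus code): it takes a KEV feed and an inventory of CVE IDs and returns the matches ranked by due date. The feed layout mirrors the public KEV JSON (a "vulnerabilities" list with cveID, product, dateAdded, dueDate and knownRansomwareCampaignUse); the records and CVE IDs are constructed placeholders, not real catalog entries.

```python
# Added example, not Nautilus code: match an asset inventory against a KEV
# feed and rank the hits by due date. The feed shape mirrors the public KEV
# JSON; the records and CVE IDs below are constructed placeholders.
from datetime import date

# Constructed stand-in for the downloaded known_exploited_vulnerabilities.json
KEV_FEED = {
    "catalogVersion": "2026.03.01",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "product": "nginx", "dateAdded": "2026-02-20",
         "dueDate": "2026-03-13", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0002", "product": "router", "dateAdded": "2026-02-28",
         "dueDate": "2026-03-21", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-1900-0003", "product": "cms", "dateAdded": "2026-01-05",
         "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Unknown"},
    ],
}

def _norm(cve_id: str) -> str:
    """Normalise IDs so 'cve-1900-0001 ' and 'CVE-1900-0001' compare equal."""
    return cve_id.strip().upper()

def match_kev(feed: dict, inventory_cves, today: str) -> list:
    """Inventory CVEs that are on KEV, earliest due date first (dates are ISO).
    daysLeft is negative once the due date has passed; the ransomware flag
    comes from the catalog and helps rank hits within the priority-1 set."""
    now = date.fromisoformat(today)
    wanted = {_norm(c) for c in inventory_cves}
    hits = []
    for entry in feed["vulnerabilities"]:
        cve = _norm(entry["cveID"])
        if cve not in wanted:
            continue  # exploited in the wild, but not in our stack
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cveID": cve,
            "product": entry["product"],
            "dueDate": entry["dueDate"],
            "daysLeft": (due - now).days,
            "overdue": due < now,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    return sorted(hits, key=lambda h: h["dueDate"])  # ISO dates sort lexically

def new_since(feed: dict, last_check: str) -> list:
    """CVE IDs added to the catalog after the previous daily check (ISO date)."""
    return [e["cveID"] for e in feed["vulnerabilities"]
            if e["dateAdded"] > last_check]
```

Feed the real catalog in by loading the downloaded JSON with `json.load` in place of `KEV_FEED`; the rest is unchanged.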
Frequently Asked Questions
How many CVEs are on the KEV list? The CISA KEV catalog contains over 1,200 CVEs as of March 2026. New entries are added multiple times per week as CISA confirms active exploitation.
Is CISA KEV only for U.S. government agencies? The patching deadlines from BOD 22-01 are mandatory only for U.S. federal agencies. However, the catalog is a global best practice. If a vulnerability is confirmed as actively exploited, every organization should treat it as high priority.
How often is the KEV catalog updated? CISA updates the KEV catalog multiple times per week. New entries appear whenever CISA has sufficient evidence that a vulnerability is being actively exploited in the wild.
What is BOD 22-01? Binding Operational Directive 22-01 is a directive from CISA that requires all U.S. federal civilian agencies to remediate known exploited vulnerabilities within specific deadlines. It is the enforcement mechanism behind the KEV catalog.
Conclusion
The CISA KEV catalog is the simplest way to base patch prioritization on facts rather than CVSS scores. If a CVE is on the KEV list, the discussion is over. Patch it now.
Related: Understand why EPSS complements CVSS for risk-based prioritization, or learn how NIS2 makes vulnerability management mandatory for SMEs.
Nautilus flags all KEV CVEs automatically and notifies you via webhook. Start for free.