Question 1

What Is CISA KEV?

Accepted Answer

CISA (Cybersecurity and Infrastructure Security Agency), the cybersecurity arm of the U.S. Department of Homeland Security, maintains the Known Exploited Vulnerabilities catalog—a curated list of vulnerabilities actively exploited by real threat actors in the wild.

Each KEV entry includes:
- CVE ID
- Date CISA added the vulnerability to the catalog
- Required action deadline (typically 3–15 days for federal agencies)
- Vendor advisory links
- Evidence of exploitation (public PoC, malware inclusion, attack reports)

The critical distinction: KEV doesn't mean the vulnerability exists. It means someone is exploiting it right now.

Your patch priority flips from "we should fix this eventually" to "we must fix this before tomorrow's security briefing."

Question 2

How Does CISA Know What's Being Actively Exploited?

Accepted Answer

CISA adds vulnerabilities to the KEV catalog based on multiple intelligence streams:

U.S. Government agency reports:
- CISA incident response teams
- NSA cybersecurity advisories
- Department of Defense security bulletins

Information Sharing and Analysis Centers (ISACs):
- Financial ISAC (attacks on banks)
- Healthcare ISAC (attacks on hospitals)
- Energy ISAC (attacks on power grids)
- Sector-specific threat intelligence

Public exploit evidence:
- Functional proof-of-concept code on GitHub
- Metasploit modules
- Public security researcher disclosures

Malware and attack analysis:
- Commercial threat intelligence feeds
- Automated detection of malware incorporating the flaw
- Attack campaign analysis from security vendors

Vulnerability databases:
- Exploit-DB
- Google Project Zero
- Security vendor advisories

CISA doesn't wait for perfect certainty. If there's credible evidence a vulnerability is being exploited, it gets added to KEV. The bar is "actively exploited," not "maybe someday exploited." For the full details on how the catalog is maintained and published, see CISA's Binding Operational Directive 22-01.