CISA Known Exploited Vulnerabilities (KEV) Catalog

The CISA Known Exploited Vulnerabilities (KEV) catalog focuses on vulnerabilities confirmed to be actively exploited in real-world attacks, making it far more valuable for patch prioritisation than the broader CVE list. While thousands of CVEs are published every year, only a smaller subset are actively targeted by threat actors, ransomware groups, and automated exploitation campaigns.

Track actively exploited vulnerabilities using KEV intelligence feeds, vendor advisories, exploit monitoring, threat intelligence platforms, and real-time vulnerability databases. Security teams should monitor CISA KEV updates, exploit proof-of-concept releases, ransomware activity, and attack telemetry to prioritise vulnerabilities with confirmed exploitation activity.

In 2026, ransomware operators continue to heavily exploit KEVs affecting VPN appliances, edge security devices, remote management tools, identity platforms, and internet-facing applications. Vulnerabilities enabling remote code execution, authentication bypass, privilege escalation, and insecure remote access remain the most common initial access vectors used in ransomware campaigns.

Integrate CISA KEV alerts into your patching workflow by mapping KEV entries to asset inventories, vulnerability scanners, ticketing systems, and SIEM or SOAR platforms. Many organisations automate KEV prioritisation by flagging affected internet-facing assets, triggering remediation tickets, and escalating vulnerabilities with active exploitation indicators.