Vulnerability management teams face a persistent prioritization problem. With tens of thousands of new CVEs published annually and enterprise environments containing thousands of unique software components, no organization can patch everything simultaneously. The question is always: which vulnerabilities should be patched first? CISA's Known Exploited Vulnerabilities catalog provides the clearest answer the industry has ever had.
Why It Matters: Active Exploitation Changes Everything
A vulnerability that exists in theory is very different from one that threat actors are actively exploiting in the wild. The KEV catalog bridges this gap by listing only CVEs where CISA has confirmed active exploitation. This is not a severity rating. It is not a theoretical assessment. It is a statement of fact: someone, somewhere, is using this vulnerability to compromise systems right now.
The data supports an exploitation-first approach. Research from Mandiant and other incident response firms consistently shows that 95% of exploited vulnerabilities appear in the KEV catalog within 24 hours of the first confirmed exploitation event. In other words, if a CVE is being used in attacks, it is almost certainly in the KEV.
KEV by the Numbers
The catalog has grown steadily since its launch in November 2021. As of late 2025, it contains over 1,100 entries spanning a wide range of vendors, products, and vulnerability types. The distribution reveals important patterns about where attackers focus their efforts.
The initial 2021 batch included the most historically significant exploited vulnerabilities. Subsequent years reflect the steady stream of new zero-days and newly confirmed exploitation of older CVEs. Critically, a significant proportion of KEV entries -- roughly 17% -- are flagged as associated with ransomware campaigns, making them doubly urgent for organizations concerned about ransomware risk.
CVSS tells you how bad a vulnerability could be. KEV tells you that it is being exploited right now. When a CVE carries a high CVSS score and also sits in the KEV, the only thing left to measure is the gap between your patch and an attacker's success.
BOD 22-01: The Federal Mandate
Binding Operational Directive 22-01 requires all federal civilian executive branch agencies to remediate KEV entries within specified timelines: typically 14 days for internet-facing systems and 25 days for internal systems from the date a CVE is added to the catalog. While the directive applies only to federal agencies, its influence extends far beyond government. Defense contractors, healthcare organizations, and financial institutions have adopted KEV timelines as internal SLAs, recognizing that exploitation-confirmed vulnerabilities represent an unacceptable risk at any patch cadence.
Ransomware-Linked KEVs
CISA enriches each KEV entry with a "Known to be used in ransomware campaigns" flag. This additional signal is invaluable for organizations building ransomware-specific defenses. When a vulnerability is both actively exploited and linked to ransomware, the remediation timeline should be measured in hours, not days. These entries deserve their own escalation path, separate from the standard vulnerability management workflow.
Cross-Referencing with Endpoint Data
The true power of the KEV catalog emerges when it is cross-referenced with your actual endpoint vulnerability data. An abstract list of 1,100 CVEs is informative. A filtered list showing the 23 KEV entries that exist on your specific endpoints, sorted by ransomware association and device count, is actionable. That filtered view transforms a national-level threat feed into an organization-specific remediation queue.
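As an added illustration (not part of the original article or of the TATER product), the cross-reference described above in Python: it indexes a KEV feed excerpt in the JSON shape CISA publishes, joins it against a constructed per-device vulnerability export, and sorts the matches ransomware-linked first, then by device count, then by earliest due date. The CVE IDs, dates and device names are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample: a KEV feed excerpt using the field names CISA publishes
# (cveID, dueDate, knownRansomwareCampaignUse). CVE IDs and dates are placeholders.
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "VPN Gateway",
         "dateAdded": "2025-01-05", "dueDate": "2025-01-26", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Office Suite",
         "dateAdded": "2025-02-10", "dueDate": "2025-03-03", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "Mail Server",
         "dateAdded": "2025-03-01", "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed endpoint export: one (device, CVE) row per finding, as an EDR export would give you.
ENDPOINT_FINDINGS = [
    ("WS-001", "CVE-0000-00002"), ("WS-002", "CVE-0000-00002"), ("WS-003", "CVE-0000-00002"),
    ("SRV-01", "CVE-0000-00001"), ("SRV-02", "CVE-0000-00003"),
    ("WS-004", "CVE-0000-99999"),  # not in KEV: stays in the normal patch queue
]

def load_kev(raw_json):
    """Index the KEV feed by CVE ID so each endpoint finding is a single dict lookup."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}

def kev_matches(kev_index, findings):
    """Keep only findings whose CVE is in KEV, grouped per CVE with the affected devices."""
    per_cve = defaultdict(set)
    for device, cve in findings:
        if cve in kev_index:
            per_cve[cve].add(device)
    return per_cve

def prioritize(kev_index, findings):
    """Build the remediation queue: ransomware-linked first, then most devices, then earliest due date."""
    rows = []
    for cve, devices in kev_matches(kev_index, findings).items():
        entry = kev_index[cve]
        rows.append({
            "cve": cve,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "device_count": len(devices),
            "devices": sorted(devices),
            "due_date": entry.get("dueDate"),
        })
    rows.sort(key=lambda r: (not r["ransomware"], -r["device_count"], r["due_date"]))
    return rows
```

Running `prioritize(load_kev(KEV_JSON), ENDPOINT_FINDINGS)` yields the two ransomware-linked CVEs first (ordered by due date), then the three-device office-suite CVE; the non-KEV finding is excluded from this queue entirely.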
How TATER Helps
TATER downloads the full CISA KEV catalog during every endpoint scan and cross-references it automatically against Microsoft Defender for Endpoint vulnerability data. The Endpoint Security Dashboard highlights KEV matches with dedicated alert banners, showing which specific devices are affected by actively exploited vulnerabilities. Ransomware-linked KEVs receive additional visual emphasis. The vulnerability framework model treats KEV entries as a distinct compliance framework, enabling organizations to track KEV remediation progress alongside CIS, SCUBA, and STIG compliance. When a KEV-matching CVE is found on an endpoint, the platform generates a prioritized remediation recommendation that accounts for device criticality, exposure level, and ransomware association.