KEV (Known Exploited Vulnerability)
A CVE listed in CISA's Known Exploited Vulnerabilities catalog with confirmed active exploitation in the wild. KEV status makes a vulnerability a highest-urgency remediation target.
What is KEV (Known Exploited Vulnerability)?
The CISA Known Exploited Vulnerabilities (KEV) catalog is a publicly maintained list of CVEs that have been confirmed as actively exploited in real-world attacks. Published by the Cybersecurity and Infrastructure Security Agency, the catalog serves as the authoritative signal that a vulnerability has moved from theoretical to confirmed threat.
Federal agencies are required by Binding Operational Directive (BOD) 22-01 to remediate KEV vulnerabilities on accelerated timelines — typically 2 weeks for internet-facing systems and 6 months for internal systems. While this mandate applies only to federal civilian agencies, the KEV catalog has become a de facto prioritization standard across the security industry.
The catalog's value comes from its specificity. Over 20,000 CVEs are published annually; CISA's catalog contains a small fraction of those — but it represents the vulnerabilities that defenders need to address most urgently. An organization that prioritizes KEV remediation above all other CVEs is acting on confirmed threat intelligence rather than theoretical risk.
Key Facts
- The CISA KEV catalog is updated multiple times per week as new exploits are confirmed
- Federal agencies must remediate KEV vulnerabilities within 2–6 weeks under BOD 22-01
- Less than 2% of all published CVEs appear in the KEV catalog — but they account for the majority of breaches
- KEV + EPSS combined prioritization identifies the exploitable 3–5% of CVEs that require urgent attention
How ORDR Addresses KEV (Known Exploited Vulnerability)
ORDR continuously cross-references its asset vulnerability data against the CISA KEV catalog. When a new CVE is added to KEV, ORDR immediately elevates the risk score for all affected assets, surfaces them in the priority queue, and generates alerts for security teams. This ensures that the most operationally dangerous vulnerabilities receive immediate attention regardless of their raw CVSS score.
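The cross-reference described above, sketched as an added example (not ORDR's code or implementation): findings are matched against a KEV feed and KEV-listed items are ranked ahead of everything else regardless of CVSS. The field names `cveID`, `dueDate` and `knownRansomwareCampaignUse` follow CISA's published KEV JSON feed; the CVE IDs, asset names, dates and scores are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (placeholder CVE IDs).
KEV_FEED = json.loads("""
{"catalogVersion": "constructed", "vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dateAdded": "2024-01-02", "dueDate": "2024-01-23",
   "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
   "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed scanner findings: (asset, CVE, CVSS base score).
FINDINGS = [
    ("hmi-01", "CVE-0000-0003", 9.8),
    ("cam-17", "CVE-0000-0002", 6.5),
    ("pump-04", "CVE-0000-0001", 7.2),
    ("srv-22", "CVE-0000-0004", 8.1),
]

def prioritize(findings, kev_feed, today):
    """Return findings ordered KEV-first (earliest due date first), then by CVSS."""
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    ranked = []
    for asset, cve, cvss in findings:
        entry = kev.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        ranked.append({
            "asset": asset, "cve": cve, "cvss": cvss,
            "kev": entry is not None,
            "due": due,
            "overdue": bool(due and due < today),
            "ransomware": bool(entry and entry["knownRansomwareCampaignUse"] == "Known"),
        })
    # KEV entries sort ahead of everything else regardless of CVSS; within KEV,
    # earliest due date first; non-KEV findings fall back to CVSS descending.
    ranked.sort(key=lambda f: (not f["kev"], f["due"] or date.max, -f["cvss"]))
    return ranked

if __name__ == "__main__":
    for f in prioritize(FINDINGS, KEV_FEED, date(2024, 1, 25)):
        flag = "KEV" if f["kev"] else "   "
        print(flag, f["asset"], f["cve"], f["cvss"], "OVERDUE" if f["overdue"] else "")
```

In this constructed data the CVSS 9.8 finding lands third, behind two lower-scored findings that are KEV-listed.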