Tag: CVE

  • CISA KEV Explained: The Only CVE List That Actually Tells You What to Patch Today

    The National Vulnerability Database lists over 240,000 CVEs. The average enterprise has a backlog of thousands of open vulnerabilities. Security teams can’t patch everything, and prioritization tools disagree constantly.

    The CISA Known Exploited Vulnerabilities (KEV) catalog solves this problem with a simple rule: if CISA has added a CVE to the KEV catalog, it is actively being exploited in the wild right now, and federal agencies are required to patch it within a binding deadline.

    That’s it. One list. One job. Patch what’s on it.

    What is the CISA KEV catalog?

    The KEV catalog was created under Binding Operational Directive (BOD) 22-01, issued in November 2021. It requires all federal civilian executive branch (FCEB) agencies to remediate KEV entries on a mandatory schedule — typically 2 weeks for the most critical, and up to 6 months for others.

    Critically, the KEV isn’t theoretical. CISA only adds a CVE when there is confirmed, active exploitation evidence — not just a published exploit, not just a proof-of-concept, but active exploitation in real environments.

    The median time from CVE publication to active exploitation is 7 days. By the time a vulnerability makes the trade press, attackers have often had it for a week.

    How to use the KEV catalog for patch triage

    The KEV catalog turns an impossible prioritization problem into a manageable one. Here’s the framework we use:

    Patch Now (within 24–72 hours): Any CVE added to KEV in the last 7 days with a CVSS score of 8.0 or higher. These are active, severe, and being exploited.

    Patch This Week (within 7 days): KEV entries added in the last 30 days, CVSS 6.0–7.9, or older KEV entries you haven’t remediated yet.

    Monitor: CVEs on the KEV with low CVSS scores (under 6.0) or those that affect software you don’t run. Revisit monthly.
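As an added example (not ClickSecurity's pipeline code), the three-tier framework above as a Python function, run over constructed KEV-style records and a constructed CVSS lookup, then ranked the way the daily triage is described below. The field names follow the public CISA KEV JSON feed; the CVE IDs, products, dates, inventory set and the handling of entries NVD has not yet scored are assumptions of this example.

```python
from datetime import date
# Constructed sample records in the shape of the CISA KEV JSON feed's
# "vulnerabilities" array: field names follow the public feed, but the CVE
# IDs, products and dates are made up for this illustration.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-00001", "product": "Edge Gateway", "dateAdded": "2026-06-25",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-00002", "product": "Mail Server", "dateAdded": "2026-06-27",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-00003", "product": "HR Portal", "dateAdded": "2026-06-10",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-00004", "product": "Legacy VPN", "dateAdded": "2024-03-01",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-00005", "product": "Edge Gateway", "dateAdded": "2026-06-28",
     "knownRansomwareCampaignUse": "Unknown"},
]
# Constructed stand-in for the NVD lookup: cveID -> CVSS base score (None = not scored yet).
CVSS_SAMPLE = {"CVE-2026-00001": 9.8, "CVE-2026-00002": 7.5, "CVE-2026-00003": 5.3,
               "CVE-2024-00004": 8.1, "CVE-2026-00005": None}
INVENTORY = {"Edge Gateway", "Mail Server", "Legacy VPN"}  # constructed: software you run
TODAY = date(2026, 6, 29)                                  # constructed run date

def triage(entry, cvss, today, inventory):
    """Return 'Patch Now', 'Patch This Week' or 'Monitor' per the framework above."""
    if entry["product"] not in inventory:
        return "Monitor"                  # affects software you don't run
    if cvss is not None and cvss < 6.0:
        return "Monitor"                  # low CVSS: revisit monthly
    age_days = (today - date.fromisoformat(entry["dateAdded"])).days
    if cvss is not None and age_days <= 7 and cvss >= 8.0:
        return "Patch Now"                # added to KEV this week and severe
    # Everything else: recent 6.0-7.9 entries, older unremediated entries and
    # (assumption, not stated on the page) entries NVD has not scored yet. A KEV
    # entry is confirmed exploited, so a missing score must not demote it to Monitor.
    return "Patch This Week"

TIER_ORDER = {"Patch Now": 0, "Patch This Week": 1, "Monitor": 2}

def ranked_triage(entries, cvss_by_id, today, inventory):
    """Label every entry, then order by tier, known ransomware use, and CVSS."""
    rows = [(e["cveID"], triage(e, cvss_by_id.get(e["cveID"]), today, inventory),
             e["knownRansomwareCampaignUse"] == "Known", cvss_by_id.get(e["cveID"]) or 0.0)
            for e in entries]
    rows.sort(key=lambda r: (TIER_ORDER[r[1]], not r[2], -r[3]))
    return [(cve, label) for cve, label, _, _ in rows]

if __name__ == "__main__":
    for cve, label in ranked_triage(KEV_SAMPLE, CVSS_SAMPLE, TODAY, INVENTORY):
        print(f"{label:16} {cve}")
```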

    The three things the KEV tells you that CVSS alone cannot

    CVSS scores measure theoretical severity. They do not tell you whether a vulnerability is being exploited. A CVSS 10.0 CVE with no known exploitation and no public exploit code is less urgent than a CVSS 7.5 CVE that threat actors are actively using against targets like you.

    The KEV adds three data points CVSS cannot: confirmed exploitation evidence, a federal patch deadline (which gives you a defensible timeline for your own patch SLA), and known ransomware association (CISA now flags KEV entries tied to ransomware campaigns).

    What ClickSecurity monitors

    Every weekday morning, our pipeline fetches the latest additions to the CISA KEV catalog and the NVD for CVSS context, then publishes a ranked patch triage before your 9am standup. Each CVE gets one of three labels: Patch Now, Patch This Week, or Monitor. No vendor marketing. No threat intel theater. One list, ranked, delivered free.

    Subscribe below for the daily CISA KEV triage — before your morning standup.


    📅 Data last verified: June 29, 2026 · Sourced from CISA KEV Catalog and NVD · About our methodology ↗

Data Methodology: ClickSecurity content is generated from the CISA Known Exploited Vulnerabilities (KEV) Catalog and the National Vulnerability Database (NVD). Data is fetched daily Monday–Friday. Last scan: . Scores sourced from NVD CVSS. Patch triage (Patch Now / Patch This Week / Monitor) is editorial, not official CISA guidance. About ClickSecurity ↗
A Wahibit Solutions company