The KEV catalog is CISA's authoritative list of vulnerabilities actively exploited in the wild. If it's on this list, attackers are using it right now.
CISA (Cybersecurity and Infrastructure Security Agency) maintains the Known Exploited Vulnerabilities (KEV) catalog β an authoritative source of vulnerabilities that have been confirmed as actively exploited in real-world attacks. Unlike theoretical vulnerabilities or those with proof-of-concept exploits, every entry in KEV has evidence of actual malicious use.
For Federal Civilian Executive Branch (FCEB) agencies, Binding Operational Directive (BOD) 22-01 requires remediation of KEV vulnerabilities within prescribed timeframes. But the guidance is clear for everyone: if it's on the KEV list, it should be at the top of your patch priority.
The KEV catalog isn't about theoretical risk β it's about confirmed, active exploitation. When a CVE gets added to KEV, threat actors are already using it against real targets. The window between KEV addition and widespread automated scanning is shrinking.
These vulnerabilities were recently added to the KEV catalog based on confirmed active exploitation. Verify exposure and prioritize remediation.
| CVE ID | Vendor / Product | Vulnerability | Severity | Added |
|---|---|---|---|---|
| CVE-2025-55182 |
Meta React Server Components |
Remote Code Execution via payload decoding flaw | Critical | Dec 2025 |
| CVE-2025-62215 |
Microsoft Windows Kernel |
Race condition privilege escalation to SYSTEM | Critical | Dec 2025 |
| CVE-2025-9242 |
WatchGuard Firewalls |
Authentication bypass in management interface | Critical | Dec 2025 |
| CVE-2025-41244 |
Broadcom VMware Aria Operations |
Privilege escalation from VM user to root | High | Dec 2025 |
| CVE-2025-24893 |
XWiki XWiki Platform |
Remote code execution via template injection | Critical | Dec 2025 |
| CVE-2025-54309 |
CrushFTP File Transfer Server |
Authentication bypass via alternate channel | Critical | Nov 2025 |
The KEV catalog is updated frequently β sometimes multiple times per week. Subscribe to CISA alerts or use automated vulnerability management tools to stay informed.
The KEV catalog should be a core input to your vulnerability management prioritization. Here's how organizations should integrate it:
KEV vulnerabilities should jump to the front of your patch queue. Active exploitation means attackers have working exploits.
You can't patch what you don't know about. Maintain accurate asset inventories to quickly identify exposure when new KEVs drop.
Manual tracking doesn't scale. Integrate KEV feeds into your vulnerability scanners and SIEM for immediate visibility.
Penetration testing should include attempts to exploit KEV vulnerabilities. Validate that your patches are actually effective.
JEAA Infosec integrates KEV awareness into every engagement. We don't just run scanners β we actively test for exploitability of known threats relevant to your environment.
Let's assess your environment for actively exploited vulnerabilities. Get clarity on your real risk, not just scanner output.
Request Assessment β