The KEV catalog is CISA's authoritative list of vulnerabilities actively exploited in the wild. If it's on this list, attackers are using it right now.
CISA (Cybersecurity and Infrastructure Security Agency) maintains the Known Exploited Vulnerabilities (KEV) catalog — an authoritative source of vulnerabilities that have been confirmed as actively exploited in real-world attacks. Unlike theoretical vulnerabilities or those with proof-of-concept exploits, every entry in KEV has evidence of actual malicious use.
For Federal Civilian Executive Branch (FCEB) agencies, Binding Operational Directive (BOD) 22-01 requires remediation of KEV vulnerabilities within prescribed timeframes. But the guidance is clear for everyone: if it's on the KEV list, it should be at the top of your patch priority.
The KEV catalog isn't about theoretical risk — it's about confirmed, active exploitation. When a CVE gets added to KEV, threat actors are already using it against real targets. The window between KEV addition and widespread automated scanning is shrinking.
These vulnerabilities were recently added to the KEV catalog based on confirmed active exploitation. Verify exposure and prioritize remediation.
| CVE ID | Vendor / Product | Vulnerability | Severity | Added |
|---|---|---|---|---|
| CVE-2026-21514 |
Microsoft Office Word |
Reliance on untrusted inputs in a security decision enabling privilege escalation | Critical | Feb 10, 2026 |
| CVE-2026-21519 |
Microsoft Windows Desktop Manager |
Type confusion vulnerability enabling local privilege escalation | Critical | Feb 10, 2026 |
| CVE-2026-21533 |
Microsoft Windows Remote Desktop Services |
Improper privilege management allowing privilege elevation | Critical | Feb 10, 2026 |
| CVE-2026-21510 |
Microsoft Windows Shell |
Protection mechanism failure enabling security feature bypass | High | Feb 10, 2026 |
| CVE-2026-21513 |
Microsoft MSHTML Framework |
Protection mechanism failure enabling security feature circumvention | High | Feb 10, 2026 |
| CVE-2026-24423 |
SmarterTools SmarterMail |
Missing authentication for critical function in ConnectToHub API leading to command execution | Critical | Feb 5, 2026 |
| CVE-2025-11953 |
React Native Community CLI |
OS command injection in Metro Development Server endpoint | Critical | Feb 5, 2026 |
| CVE-2025-40551 |
SolarWinds Web Help Desk |
Deserialization of untrusted data enabling unauthenticated remote code execution | Critical | Feb 3, 2026 |
| CVE-2019-19006 |
Sangoma FreePBX |
Improper authentication enabling unauthorized admin access bypass | Critical | Feb 3, 2026 |
| CVE-2026-1281 |
Ivanti Endpoint Manager Mobile |
Code injection enabling unauthenticated remote code execution | Critical | Jan 29, 2026 |
The KEV catalog is updated frequently — sometimes multiple times per week. Subscribe to CISA alerts or use automated vulnerability management tools to stay informed.
The KEV catalog should be a core input to your vulnerability management prioritization. Here's how organizations should integrate it:
KEV vulnerabilities should jump to the front of your patch queue. Active exploitation means attackers have working exploits.
You can't patch what you don't know about. Maintain accurate asset inventories to quickly identify exposure when new KEVs drop.
Manual tracking doesn't scale. Integrate KEV feeds into your vulnerability scanners and SIEM for immediate visibility.
Penetration testing should include attempts to exploit KEV vulnerabilities. Validate that your patches are actually effective.
JEAA Infosec integrates KEV awareness into every engagement. We don't just run scanners — we actively test for exploitability of known threats relevant to your environment.
Let's assess your environment for actively exploited vulnerabilities. Get clarity on your real risk, not just scanner output.
Request Assessment →