The KEV catalog is CISA's authoritative list of vulnerabilities actively exploited in the wild. If it's on this list, attackers are using it right now.
CISA (Cybersecurity and Infrastructure Security Agency) maintains the Known Exploited Vulnerabilities (KEV) catalog — an authoritative source of vulnerabilities that have been confirmed as actively exploited in real-world attacks. Unlike theoretical vulnerabilities or those with proof-of-concept exploits, every entry in KEV has evidence of actual malicious use.
For Federal Civilian Executive Branch (FCEB) agencies, Binding Operational Directive (BOD) 22-01 requires remediation of KEV vulnerabilities within prescribed timeframes. But the guidance is clear for everyone: if it's on the KEV list, it should be at the top of your patch priority.
The KEV catalog isn't about theoretical risk — it's about confirmed, active exploitation. When a CVE gets added to KEV, threat actors are already using it against real targets. The window between KEV addition and widespread automated scanning is shrinking.
These vulnerabilities were recently added to the KEV catalog based on confirmed active exploitation. Verify exposure and prioritize remediation.
| CVE ID | Vendor / Product | Vulnerability | Severity | Added |
|---|---|---|---|---|
| CVE-2025-59718 | Fortinet Multiple Products | SAML authentication bypass via improper cryptographic signature verification | Critical | Dec 16, 2025 |
| CVE-2025-43529 | Apple WebKit (iOS/macOS/Safari) | Use-after-free vulnerability in WebKit | Critical | Dec 15, 2025 |
| CVE-2025-14611 | Gladinet CentreStack & Triofox | Hardcoded cryptographic keys enabling arbitrary local file inclusion | Critical | Dec 15, 2025 |
| CVE-2025-14174 | Google Chromium ANGLE | Out-of-bounds memory access in ANGLE | High | Dec 12, 2025 |
| CVE-2018-4063 | Sierra Wireless AirLink ALEOS (EOL) | Unrestricted file upload allowing executable code deployment | Critical | Dec 12, 2025 |
| CVE-2025-58360 | OSGeo GeoServer | XXE in WMS GetMap operations | Critical | Dec 11, 2025 |
| CVE-2025-62221 | Microsoft Windows | Use-after-free in Cloud Files Mini Filter Driver (privilege escalation) | Critical | Dec 9, 2025 |
| CVE-2025-6218 | RARLAB WinRAR | Path traversal vulnerability allowing code execution | Critical | Dec 9, 2025 |
| CVE-2025-66644 | Array Networks ArrayOS AG | OS command injection allowing arbitrary command execution | Critical | Dec 8, 2025 |
| CVE-2022-37055 | D-Link Routers (EOL) | Buffer overflow impacting confidentiality, integrity, and availability | High | Dec 8, 2025 |
The KEV catalog is updated frequently — sometimes multiple times per week. Subscribe to CISA alerts or use automated vulnerability management tools to stay informed.
The KEV catalog should be a core input to your vulnerability management prioritization. Here's how organizations should integrate it:
- **Prioritize immediately.** KEV vulnerabilities should jump to the front of your patch queue. Active exploitation means attackers have working exploits.
- **Know your assets.** You can't patch what you don't know about. Maintain accurate asset inventories to quickly identify exposure when new KEVs drop.
- **Automate the feed.** Manual tracking doesn't scale. Integrate KEV feeds into your vulnerability scanners and SIEM for immediate visibility.
- **Validate remediation.** Penetration testing should include attempts to exploit KEV vulnerabilities. Validate that your patches are actually effective.
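The following script is an added example (not code from this page or from JEAA Infosec) of what "integrate the KEV feed" looks like in practice: it indexes a KEV feed by CVE, reports entries added since the last check, and re-ranks scanner findings so that KEV-listed CVEs come first (overdue due dates, then ransomware-linked entries, then soonest due date), with non-KEV findings falling back to CVSS order. The feed URL and the field names (`cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) follow CISA's public JSON feed as I know it and are an assumption to confirm against the live file; the feed excerpt, due dates, ransomware flags, asset names and scanner findings below are constructed for illustration (only the CVE IDs and added dates are taken from the table above).

```python
"""Re-prioritize scanner findings using the CISA KEV catalog (added example)."""
import json
import urllib.request
from datetime import date

# Assumed location of CISA's machine-readable KEV feed; verify before relying on it.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed feed excerpt in the shape of the real file (subset of fields).
# dueDate and knownRansomwareCampaignUse values here are made up, not CISA's.
SAMPLE_KEV_FEED = json.loads("""
{"catalogVersion": "constructed-sample", "vulnerabilities": [
 {"cveID": "CVE-2025-59718", "vendorProject": "Fortinet", "product": "Multiple Products",
  "vulnerabilityName": "SAML authentication bypass", "dateAdded": "2025-12-16",
  "dueDate": "2025-12-23", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-6218", "vendorProject": "RARLAB", "product": "WinRAR",
  "vulnerabilityName": "Path traversal", "dateAdded": "2025-12-09",
  "dueDate": "2025-12-30", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2022-37055", "vendorProject": "D-Link", "product": "Routers (EOL)",
  "vulnerabilityName": "Buffer overflow", "dateAdded": "2025-12-08",
  "dueDate": "2025-12-29", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed scanner output: asset from your inventory, CVE, scanner CVSS score.
# CVE-2024-00000 is a placeholder id standing in for a high-CVSS finding not in KEV.
SAMPLE_SCAN_FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-2025-59718", "cvss": 9.8},
    {"asset": "ws-042", "cve": "CVE-2025-6218", "cvss": 7.8},
    {"asset": "ws-042", "cve": "CVE-2024-00000", "cvss": 9.1},
    {"asset": "branch-rtr", "cve": "CVE-2022-37055", "cvss": 7.5},
]


def fetch_kev_feed(url=KEV_FEED_URL, timeout=30):
    """Download the live feed (network call; the offline demo below does not use it)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def index_kev(feed):
    """Map cveID -> feed entry so each scanner finding is a dictionary lookup."""
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def kev_added_since(kev_index, since):
    """Entries added on or after `since`: the 'what dropped since my last check' view."""
    since = _as_date(since)
    recent = [e for e in kev_index.values() if _as_date(e["dateAdded"]) >= since]
    return sorted(recent, key=lambda e: e["dateAdded"], reverse=True)


def prioritize(findings, kev_index, today):
    """Return (finding, reason) pairs ordered for the patch queue.

    Sort key: KEV before non-KEV; within KEV, overdue first, then entries with
    known ransomware use, then soonest due date. Non-KEV findings are ordered by
    CVSS, highest first.
    """
    today = _as_date(today)
    ranked = []
    for finding in findings:
        entry = kev_index.get(finding["cve"])
        if entry is None:
            ranked.append((finding, "not in KEV", (1, 0, 0, -finding["cvss"])))
            continue
        due = _as_date(entry["dueDate"])
        overdue = due < today
        ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
        reason = (f"KEV: {entry['vendorProject']} {entry['product']} - due {due}"
                  + (" (OVERDUE)" if overdue else ""))
        key = (0, 0 if overdue else 1, 0 if ransomware else 1, (due - today).days)
        ranked.append((finding, reason, key))
    ranked.sort(key=lambda item: item[2])
    return [(finding, reason) for finding, reason, _ in ranked]


if __name__ == "__main__":
    index = index_kev(SAMPLE_KEV_FEED)
    print("Added since 2025-12-09:")
    for entry in kev_added_since(index, "2025-12-09"):
        print(f"  {entry['cveID']} ({entry['dateAdded']}) {entry['vulnerabilityName']}")
    print("Patch queue as of 2025-12-26:")
    for finding, reason in prioritize(SAMPLE_SCAN_FINDINGS, index, "2025-12-26"):
        print(f"  {finding['asset']:<12} {finding['cve']:<16} {reason}")
```

Swap `SAMPLE_KEV_FEED` for `fetch_kev_feed()` and `SAMPLE_SCAN_FINDINGS` for your scanner's export to run this against real data; persisting the set of `cveID` values seen on the previous run lets the "added since" step drive an alert rather than a report. Note that the CVSS 9.1 placeholder finding lands last: on this ranking, confirmed exploitation outranks raw severity, which is the point the catalog exists to make.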
JEAA Infosec integrates KEV awareness into every engagement. We don't just run scanners — we actively test for exploitability of known threats relevant to your environment.
Let's assess your environment for actively exploited vulnerabilities. Get clarity on your real risk, not just scanner output.