Known Exploited Vulnerabilities

Known Exploited Vulnerabilities (KEV) are software, firmware, or hardware security flaws that credible intelligence or incident data confirm adversaries actively use in real-world cyberattacks.

Expanded Explanation

1. Technical Function and Core Characteristics

KEV are specific security defects for which attackers have demonstrated reliable exploitation against deployed systems. They exist across operating systems, applications, network devices, cloud services, and industrial or operational technology (OT) platforms.

Security authorities catalog these vulnerabilities when incident reporting, malware analysis, or threat intelligence confirms active exploitation. Catalog entries typically include a Common Vulnerabilities and Exposures (CVE) identifier, a technical description, the affected products, and references to remediation guidance.

2. Enterprise Usage and Architectural Context

Enterprises use the concept of KEV to prioritize vulnerability management, patching, and configuration changes based on observed attacker behavior. Security teams map these vulnerabilities to assets, business services, and data flows to determine exposure.

Architects and security leaders incorporate KEV into risk registers, security baselines, and change management workflows. Many organizations align patch service-level objectives and compliance controls specifically around items listed in government-maintained or industry-maintained known exploited catalogs.

3. Related or Adjacent Technologies

KEV intersect with common vulnerability scoring systems, threat intelligence platforms, and vulnerability scanners. These tools often tag or filter vulnerabilities that authorities or trusted intelligence sources classify as currently exploited in the wild.
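The asset-mapping and SLO tracking described in section 2 and the scanner tagging described here come down to one join: scanner findings against a KEV catalog keyed by CVE. The following Python is an added example, not code from this page or from any catalog publisher. It assumes catalog entries using the field names of the CISA KEV JSON feed (cveID, dueDate, knownRansomwareCampaignUse); all CVE identifiers, hostnames and dates are constructed placeholders.

```python
"""Cross-reference scanner findings with a KEV catalog to rank remediation.

Field names follow the CISA KEV JSON feed layout. CVE ids, hosts and dates
are constructed samples, not real catalog entries."""
from datetime import date

# Constructed catalog excerpt; CVE ids are placeholders, not real entries.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-10001", "product": "Example VPN Appliance",
         "dueDate": "2024-02-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-10002", "product": "Example Web Server",
         "dueDate": "2024-03-15", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed scanner output: one finding per (asset, CVE) pair.
SCAN_FINDINGS = [
    {"asset": "vpn-edge-01", "cve": "CVE-0000-10001", "internet_facing": True},
    {"asset": "web-dmz-02", "cve": "CVE-0000-10002", "internet_facing": True},
    {"asset": "build-int-07", "cve": "CVE-0000-10002", "internet_facing": False},
    {"asset": "file-int-03", "cve": "CVE-0000-99999", "internet_facing": False},
]


def index_catalog(catalog):
    """Map cveID -> catalog entry for O(1) lookup during triage."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def triage(findings, catalog, today="2024-03-01"):
    """Annotate findings with KEV status and sort the most urgent first.

    Order: KEV before non-KEV, then nearest/overdue due date, then known
    ransomware use, then internet exposure. Non-KEV findings are kept so
    nothing is silently dropped; they simply sort last."""
    kev = index_catalog(catalog)
    today_d = date.fromisoformat(today)
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        item = dict(f, in_kev=entry is not None, days_to_due=None, ransomware=False)
        if entry:
            due = date.fromisoformat(entry["dueDate"])
            item["days_to_due"] = (due - today_d).days  # negative means overdue
            item["ransomware"] = entry["knownRansomwareCampaignUse"] == "Known"
        ranked.append(item)
    ranked.sort(key=lambda i: (
        not i["in_kev"],
        i["days_to_due"] if i["days_to_due"] is not None else float("inf"),
        not i["ransomware"],
        not i["internet_facing"],
    ))
    return ranked


if __name__ == "__main__":
    for row in triage(SCAN_FINDINGS, KEV_CATALOG):
        print(row["asset"], row["cve"], "KEV" if row["in_kev"] else "non-KEV",
              row["days_to_due"])
```

In practice the catalog dict would be loaded from the published feed and the findings from the scanner's export; the sort key is where an organization encodes its own patch SLO policy.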

They also relate to penetration testing, breach and attack simulation, and Security Information and Event Management (SIEM) use cases, where teams validate whether adversaries can leverage these vulnerabilities within a particular environment. Incident response playbooks frequently reference KEV during investigation and containment.

4. Business and Operational Significance

KEV provide a basis for prioritizing remediation that reduces the observed likelihood of compromise. Executive stakeholders use this category to understand where remediation delays create exposure to techniques that attackers already use.

Regulators and government agencies reference KEV in binding operational directives, sector advisories, and audit expectations. Many enterprises track remediation of these vulnerabilities as a performance metric for cyber risk management and as evidence of due diligence in security governance.