
From KEV to Action: Using CISA’s Known Exploited Vulnerabilities to Prioritise Patching

March 26, 2025

CISA’s Known Exploited Vulnerabilities (KEV) catalog is a powerful signal for patching priorities. Learn how to turn KEV into a practical driver for vulnerability management.

What the KEV Catalog Is and Why It Matters

Security teams face a familiar challenge: too many vulnerabilities, not enough time. Modern scanners can surface thousands of findings across servers, endpoints, network devices and applications. The real question is which vulnerabilities attackers are actually exploiting.

The US Cybersecurity and Infrastructure Security Agency (CISA) created the Known Exploited Vulnerabilities (KEV) catalog to address this problem. It is a curated list of vulnerabilities for which CISA has reliable evidence of active exploitation in the wild, maintained under Binding Operational Directive 22-01.

Each entry includes details such as:

  • The CVE identifier, the vendor or project, and the affected product (but not affected version ranges, which live in the referenced advisory)
  • A short description of the vulnerability
  • The date the entry was added and the required action, which points to the vendor's advisory or patch
  • A due date by which US federal civilian agencies must complete that action
  • Whether the vulnerability is known to have been used in ransomware campaigns

The due dates bind only US federal civilian agencies, but the exploitation evidence behind each entry is just as relevant elsewhere, and KEV has become a standard prioritisation input for organisations worldwide.

Why exploited vulnerabilities deserve a separate queue

Not all critical-severity vulnerabilities are equal. A flaw with a CVSS score of 9.8 and no known exploitation in the wild may be less urgent than a 7.8 vulnerability heavily abused by ransomware operators.

Prioritising vulnerabilities that appear in KEV helps:

  • Focus resources on issues with proven exploitation
  • Reduce exposure to opportunistic scanning and automated attacks
  • Demonstrate risk-based decision-making to auditors and executives

Rather than replacing traditional severity ratings, KEV adds a practical dimension: evidence that attackers are investing effort in a specific flaw.

KEV in the Real World: Lessons from Recent Vulnerabilities

Recent years have seen multiple high-impact vulnerabilities added to KEV, across network equipment, application frameworks and developer tools. (See: The Hacker News)

These include:

  • Flaws in web application frameworks that enabled remote code execution
  • Critical vulnerabilities in VPN and remote access devices
  • Issues in widely used developer tools such as Git that allowed repository hijacking
  • Memory over-read flaws in application delivery controllers leading to credential theft

What they tell us about attackers’ priorities

The pattern is clear. Attackers target:

  • Choke points that grant access to many systems at once, such as VPN gateways and identity providers
  • Components used at scale across industries, maximising return on exploitation research
  • Vulnerabilities that are easy to scan for and weaponise

By aligning patching efforts with KEV, organisations can better defend against these broad campaigns.

Building a KEV-Aware Vulnerability Management Program

To benefit from KEV, organisations need more than a bookmarked URL. CISA publishes the catalog as machine-readable JSON and CSV feeds precisely so that it can be consumed automatically, and the value comes from integrating it into day-to-day vulnerability management.

Mapping KEV entries to your asset inventory

Start by ensuring that your asset inventory includes:

  • Vendor and product names
  • Versions and build numbers
  • Deployment locations and business owners

With this data, you can:

  • Automatically match new KEV entries to candidate systems on vendor and product, then confirm the installed version against the referenced advisory, since KEV entries do not carry affected version ranges
  • Estimate potential impact based on where those systems sit in your architecture
  • Identify gaps where inventory is incomplete or outdated

Without a reliable inventory, KEV mapping becomes manual and error-prone, and an asset missing from the inventory is an asset that never gets matched.

Aligning patch SLAs with real exploitation data

Many organisations maintain standard patching SLAs, for example 30 days for critical vulnerabilities. KEV enables more nuanced policies, such as:

  • Shorter SLAs for vulnerabilities listed in KEV and exposed to the internet, with the KEV due date as a ceiling rather than a target
  • Different timelines for internal-only systems where compensating controls exist
  • Clear escalation paths when KEV-listed vulnerabilities remain unpatched past their due dates

This approach brings vulnerability management closer to risk management, not just compliance.
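As an added example (not DACTA's tooling and not anything CISA publishes), the following Python script ties the inventory mapping and the SLA tiering together: it parses a document in the shape of CISA's KEV JSON feed, joins entries to inventory rows on normalised vendor and product, assigns a due date per exposure tier, and reports what is overdue. The field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are the feed's real ones, but the two entries, the vendors, the CVE IDs and the inventory rows are constructed placeholders, and the 7/14/30-day tiers are an assumed policy, not a figure from the article.

```python
"""Match CISA KEV entries to an asset inventory and assign exposure-based SLAs.

Added example for this article, not DACTA's tooling. Field names follow CISA's
public KEV JSON feed; the entries, vendors, products and CVE IDs below are
constructed placeholders, not real catalog data.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Live feed location; not fetched here, the constructed sample stands in for it.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's shape: metadata plus a "vulnerabilities" list.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.03.26", "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleCo", "product": "Edge VPN",
         "vulnerabilityName": "ExampleCo Edge VPN Authentication Bypass Vulnerability",
         "dateAdded": "2025-03-10", "shortDescription": "Constructed sample.", "dueDate": "2025-03-31",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Known", "notes": "", "cwes": ["CWE-287"]},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleCo", "product": "WebFrame",
         "vulnerabilityName": "ExampleCo WebFrame Deserialization Vulnerability",
         "dateAdded": "2025-03-24", "shortDescription": "Constructed sample.", "dueDate": "2025-04-14",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-502"]},
    ],
})

@dataclass(frozen=True)
class Asset:
    """One inventory row: vendor/product drive matching, the rest drives the SLA."""
    asset_id: str
    vendor: str
    product: str
    version: str
    internet_exposed: bool
    compensating_controls: bool
    owner: str

# Constructed inventory; vpn-02 has the casing/whitespace noise real CMDB data has.
INVENTORY = [
    Asset("vpn-01", "ExampleCo", "Edge VPN", "9.1.2", True, False, "Network"),
    Asset("vpn-02", "exampleco", " edge vpn", "9.3.0", False, True, "Network"),
    Asset("app-07", "ExampleCo", "WebFrame", "4.2.0", True, False, "Platform"),
    Asset("db-03", "OtherCorp", "DataStore", "12.1", False, False, "Data"),
]

# Hypothetical SLA tiers, days after the KEV dateAdded (an assumption of this example).
SLA_DAYS = {"internet_exposed": 7, "internal": 14, "internal_with_controls": 30}

def _key(vendor: str, product: str) -> tuple[str, str]:
    return (vendor.strip().casefold(), product.strip().casefold())

def load_kev(text: str) -> list[dict]:
    """Return the entry list from a KEV feed document."""
    return json.loads(text)["vulnerabilities"]

def exposure_tier(asset: Asset) -> str:
    if asset.internet_exposed:
        return "internet_exposed"
    return "internal_with_controls" if asset.compensating_controls else "internal"

def match_kev(entries: list[dict], inventory: list[Asset]) -> list[dict]:
    """Join KEV entries to assets on normalised vendor+product and set a due date.

    KEV carries no affected version ranges, so each match is a candidate whose
    version must still be checked against the vendor advisory.
    """
    index: dict[tuple[str, str], list[Asset]] = {}
    for asset in inventory:
        index.setdefault(_key(asset.vendor, asset.product), []).append(asset)
    matches = []
    for entry in entries:
        for asset in index.get(_key(entry["vendorProject"], entry["product"]), []):
            tier = exposure_tier(asset)
            internal_due = date.fromisoformat(entry["dateAdded"]) + timedelta(days=SLA_DAYS[tier])
            federal_due = date.fromisoformat(entry["dueDate"])
            matches.append({
                "cve": entry["cveID"], "asset": asset.asset_id, "version": asset.version,
                "owner": asset.owner, "tier": tier,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "due": min(internal_due, federal_due).isoformat(),  # never trail the KEV date
                "needs_version_check": True,
            })
    return matches

def overdue(matches: list[dict], today: str) -> list[dict]:
    """Matches whose due date has passed as of `today` (ISO date), earliest first."""
    cutoff = date.fromisoformat(today)
    late = [m for m in matches if date.fromisoformat(m["due"]) < cutoff]
    return sorted(late, key=lambda m: (m["due"], m["cve"]))

if __name__ == "__main__":
    found = match_kev(load_kev(KEV_JSON), INVENTORY)
    for m in found:
        flag = " [ransomware]" if m["ransomware"] else ""
        print(f'{m["cve"]} {m["asset"]} ({m["tier"]}) due {m["due"]} owner={m["owner"]}{flag}')
    print("overdue:", [m["asset"] for m in overdue(found, "2025-03-26")])
```

Two design points matter in practice. The join key is normalised (case and whitespace) because vendor and product strings in a CMDB rarely match the feed's spelling exactly, and the internal due date is capped at the KEV due date so that a generous internal tier can never push remediation later than CISA's own deadline. Every match carries needs_version_check because a vendor/product hit is only a candidate until the installed version is compared with the advisory.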

Integrating KEV with Your Existing Tools and Processes

KEV should complement, not replace, existing tooling.

Combining KEV with scanners, SIEM and MDR

Practical steps include:

  • Importing KEV data into your vulnerability management platform (many platforms already expose a KEV flag; if yours does not, the JSON feed is straightforward to ingest)
  • Tagging scanner findings that match KEV entries so they sort to the top of every queue and report
  • Creating SIEM detections for exploitation attempts against KEV-listed vulnerabilities present in your environment, so that a hit is triaged as a probable intrusion rather than background scanning
  • Ensuring your MDR provider actively tracks KEV-related activity in customer environments

DACTA’s Vulnerability Monitoring and Managed Detection & Response services incorporate threat intelligence feeds, including exploited vulnerabilities, to focus monitoring and response on high-risk issues.

Reporting meaningful metrics to executives and the board

Executives do not need every technical detail, but they do need clear answers to questions such as:

  • How many KEV-listed vulnerabilities affect systems in our environment, and how many of those are internet-facing or already past their due date
  • How quickly we patch KEV vulnerabilities compared to our own targets and to the KEV due dates
  • Whether there are repeated delays in specific business units or technology stacks

These metrics help shift the conversation from raw vulnerability counts to demonstrable reduction in exposure to known attack paths.
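As an added example (not DACTA's reporting), the following Python script answers those three questions from a remediation log. The records, business units, technology stacks and CVE IDs are constructed, and the 7-day target is an assumed internal SLA for KEV-listed findings. The one choice worth noting is that an open finding past its due date counts as an SLA miss immediately, rather than waiting until it is eventually closed, so the on-time rate cannot be flattered by leaving tickets open.

```python
"""Executive metrics for KEV remediation: exposure, speed against target, repeat delays.

Added example for this article, not DACTA's reporting. The records below are
constructed (fake CVE IDs, business units, dates) and TARGET_DAYS is an assumed
internal SLA for KEV-listed findings.
"""
from collections import Counter
from datetime import date
from statistics import median

TARGET_DAYS = 7  # assumed SLA: days from KEV dateAdded to remediation

# Constructed remediation log, one row per (KEV entry, asset); "patched" is None while open.
RECORDS = [
    {"cve": "CVE-0000-00001", "unit": "Retail", "stack": "VPN", "added": "2025-02-01", "due": "2025-02-08", "patched": "2025-02-06"},
    {"cve": "CVE-0000-00002", "unit": "Retail", "stack": "VPN", "added": "2025-02-10", "due": "2025-02-17", "patched": "2025-02-25"},
    {"cve": "CVE-0000-00003", "unit": "Finance", "stack": "Web", "added": "2025-02-15", "due": "2025-02-22", "patched": None},
    {"cve": "CVE-0000-00004", "unit": "Finance", "stack": "Web", "added": "2025-03-01", "due": "2025-03-08", "patched": "2025-03-20"},
    {"cve": "CVE-0000-00005", "unit": "Finance", "stack": "Endpoint", "added": "2025-03-20", "due": "2025-03-27", "patched": None},
    {"cve": "CVE-0000-00006", "unit": "Logistics", "stack": "Web", "added": "2025-03-05", "due": "2025-03-12", "patched": "2025-03-10"},
]

def _d(text: str) -> date:
    return date.fromisoformat(text)

def _on_time(rec: dict) -> bool:
    """Closed on or before its due date."""
    return bool(rec["patched"]) and _d(rec["patched"]) <= _d(rec["due"])

def summarize(records: list[dict], today: str) -> dict:
    """Roll a remediation log up into the numbers an executive summary needs."""
    now = _d(today)
    closed = [r for r in records if r["patched"]]
    open_recs = [r for r in records if not r["patched"]]
    open_overdue = [r for r in open_recs if _d(r["due"]) < now]
    # A row is measurable once it is closed or its due date has passed; an open,
    # overdue row counts as a miss rather than as "pending".
    measurable = [r for r in records if r["patched"] or _d(r["due"]) < now]
    on_time = [r for r in measurable if _on_time(r)]
    misses = [r for r in measurable if not _on_time(r)]
    by_unit = Counter(r["unit"] for r in misses)
    by_stack = Counter(r["stack"] for r in misses)
    days_to_patch = [(_d(r["patched"]) - _d(r["added"])).days for r in closed]
    return {
        "total": len(records),
        "open": len(open_recs),
        "open_overdue": len(open_overdue),
        "oldest_open_overdue_days": max(((now - _d(r["due"])).days for r in open_overdue), default=0),
        "median_days_to_patch": median(days_to_patch) if days_to_patch else None,
        "target_days": TARGET_DAYS,
        "sla_compliance": len(on_time) / len(measurable) if measurable else None,
        "misses_by_unit": dict(by_unit),
        "misses_by_stack": dict(by_stack),
        # "Repeated" here means two or more misses; tune the threshold to your volume.
        "repeat_units": sorted(u for u, n in by_unit.items() if n >= 2),
        "repeat_stacks": sorted(s for s, n in by_stack.items() if n >= 2),
    }

def render(summary: dict) -> str:
    """Board-friendly text: exposure, speed versus target, and where delays recur."""
    comp = "n/a" if summary["sla_compliance"] is None else f'{summary["sla_compliance"]:.0%}'
    lines = [
        f'KEV findings open: {summary["open"]} ({summary["open_overdue"]} past due, '
        f'oldest {summary["oldest_open_overdue_days"]} days)',
        f'Median days to patch: {summary["median_days_to_patch"]} (target {summary["target_days"]}); '
        f'on-time rate {comp}',
        f'Repeat delays: units {", ".join(summary["repeat_units"]) or "none"}; '
        f'stacks {", ".join(summary["repeat_stacks"]) or "none"}',
    ]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(summarize(RECORDS, "2025-03-26")))
```

Run against a real export, the same rollup gives the three answers the section asks for: the open and overdue counts are the exposure figure, median days to patch against the target is the speed figure, and the per-unit and per-stack miss counts show where delays recur.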

Where DACTA Fits in Your Patch and Exposure Strategy

KEV is one part of a broader exposure management story. Many organisations struggle with:

  • Fragmented vulnerability scanning across different teams or regions
  • Limited in-house expertise to interpret scanner output in context
  • Difficulty linking technical findings to business risk and regulatory requirements

DACTA can support at several levels:

By combining these elements, organisations can move from reactive patching to proactive exposure management.

Conclusion: Turn KEV into a Practical Advantage

In a world of endless vulnerability disclosures, CISA’s Known Exploited Vulnerabilities catalog offers a rare commodity: clarity. It highlights the vulnerabilities that matter most to adversaries today.

By integrating KEV into asset inventory, patch policies, monitoring and executive reporting, security leaders can demonstrate tangible risk reduction and align efforts with real-world threats.

For organisations seeking to mature their vulnerability management program, using KEV as a backbone for prioritisation is a pragmatic step. Combined with expert partners such as DACTA, it can transform patching from a never-ending chore into a focused, high-value security control.
