What are KEVs? Known Exploited Vulnerabilities Explained

Known Exploited Vulnerabilities, commonly abbreviated as KEVs, are a subset of known vulnerabilities that have been actively exploited in the wild. This means that threat actors can follow an established method for exploiting these security flaws and makes them prime targets for attacks.

Let’s take a look at where KEVs come from, how they fit into existing security strategies, and why it’s important to prioritize these vulnerabilities.


KEVs gained recognition in late 2021 after CISA, the cybersecurity agency of the United States, created a new public database and issued a binding directive to federal agencies to prioritize these vulnerabilities.

This new database, known as the KEV catalog, can be a helpful tool for security practitioners looking to use their remediation resources most effectively. This new database shouldn’t be seen as a replacement of the existing National Vulnerability Database (NVD) but rather as an important addition to existing security prioritization strategies.

KEVs and existing approaches to vulnerability management

If you’re like most security teams, you prioritize remediation based on the severity level of vulnerabilities, starting with critical ones and working your way down to the medium and low severity issues.

In reality, with an ever-expanding list of 160,000 known vulnerabilities, many teams never get very far. And with only 4% of vulnerabilities ever publicly exploited, security experts at CISA realized that focusing on severity alone may not be the most effective use of security resources.

We've long known that the severity of an issue doesn’t necessarily correspond with its likelihood of being exploited. Vulnerabilities rated as critical can be challenging to exploit and often require a very specific set of circumstances. That’s why many threat actors focus on exploiting medium or even low severity vulnerabilities to gain access to a privileged position. They can then use that access as a springboard for further attacks.

Why prioritizing KEVs is critically important

If a vulnerability is easily exploitable, it usually happens fast. This makes time of the essence when dealing with KEVs. According to CISA, 50% of KEVs are exploited within 2 days of being identified as a known vulnerability. And after 28 days, that increases to 75%. This suggests that attackers tend to target security issues that are easier to exploit.

With existing approaches to prioritization, some of these KEVs may not get addressed for months, if at all, which leaves a known entryway to your infrastructure wide open. While your approach to keeping your organization secure will always need to stay flexible to quickly deal with emerging security threats, addressing KEVs as your highest priority item ensures you cut off one of the easiest paths an attacker can take.

KEVs help us understand what vulnerabilities attackers are prioritizing. So, as defenders, we need to prioritize remediating those same issues.

Halo Security’s platform fully incorporates the KEV catalog

To help you incorporate KEVs into your workflow, Halo Security has integrated the KEV catalog into our platform. We’ve added alert banners, new filtering options, as well as additional information on issue pages, so you can quickly address any known exploited vulnerabilities.

If you’re not already a customer, start a trial or book a demo with one of our security experts.