The KEV Catalog

KEV stands for Known Exploited Vulnerabilities. The catalog is maintained by the U.S. national cyber defense authority. Every entry in the KEV catalog has been confirmed as actively exploited in the wild. This is not a prediction -- it is a documented fact.


Key Facts

  • Launched: November 2021.
  • Current entries: 1,613+ as of June 2026.
  • Updated: Continuously. New entries are added as exploitation is confirmed.
  • BreachSpider ingestion: Every 15 minutes. When a new KEV entry is added, BreachSpider reflects it within 15 minutes.
  • Federal mandate: Federal civilian agencies (FCEB) are required to patch KEV entries within mandated timeframes (typically 14-21 days).
  • Private sector guidance: Federal guidance recommends all organizations treat KEV as their highest priority patch list.

Why KEV Matters for ICS Operators

Many KEV entries affect infrastructure software that ICS environments depend on:

  • VPN appliances: Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet FortiVPN. These are the remote access gateways to your OT network.
  • Firewalls: Palo Alto PAN-OS, Fortinet FortiOS, Cisco ASA. These are your OT perimeter.
  • Remote access tools: TeamViewer, ConnectWise ScreenConnect, Splashtop. Used by vendors and operators to access OT systems remotely.
  • Windows vulnerabilities: Print Spooler, MSHTML, Windows kernel. Affects every Windows-based HMI and engineering workstation.
  • Network infrastructure: Cisco IOS, Juniper Junos. The backbone of your control network.

A KEV entry on your Cisco VPN appliance is not just an IT issue. It is a direct threat to your OT environment because that VPN is the pathway from the internet to your control network.


BreachSpider KEV Features

KEV badge: Every CVE in the KEV catalog displays a red KEV badge on search results, detail pages, findings lists, and the Strike List.

KEV-only filter: In CVE search, toggle the KEV Only filter to show only confirmed exploited vulnerabilities. Use this to review your exposure to the most dangerous CVEs in the corpus.

Dedicated KEV API endpoint:

curl -H "Authorization: Bearer bs_live_..." \
  "https://breachspider.com/api/v1/cves/kev?limit=50&sort=added_date"

Returns KEV entries sorted by when they were added to the catalog. Use this to review recent additions.

KEV match alerts: When a new KEV entry matches an asset in your environment, BreachSpider fires an alert immediately to your configured destinations. This is enabled by default for email alerts. Configure Teams, Slack, or webhook destinations under Integrations.

Strike List elevation: KEV-matched findings appear at the top of your Strike List, above all non-KEV findings regardless of CVSS score.


When a KEV Entry Matches Your Assets

When a CVE is added to the KEV catalog and that CVE matches an asset in your environment, four things happen automatically:

  1. An alert fires to all destinations configured for the kev.new event for that environment.
  2. The finding moves to the top of your Strike List.
  3. The BCS score is elevated to reflect the confirmed exploitation status.
  4. SAGE provides ICS-specific context on the exploitation method and recommended response.

Responding to a KEV Match

When you receive a KEV alert:

  1. Open the finding from the alert link or Strike List.
  2. Read the SAGE analysis for ICS-specific context on the exploitation method.
  3. Check patch availability. If a patch exists, schedule application as soon as possible.
  4. If you cannot patch immediately:
    • Implement compensating controls: network isolation, disable the affected service, enhanced monitoring.
    • Acknowledge the finding with reason: compensating_control.
    • Document what control you applied.
  5. Create a ticket to track remediation to completion.
  6. If the affected device is internet-facing (VPN, firewall, remote access): treat it as an emergency. The attack surface is directly exposed.
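
The triage order described above, sketched as an added example (this is not BreachSpider code and does not use its API). KEV records use field names from the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate); the CVE ids, assets and findings are constructed, and the ordering within the KEV group (internet-facing first, then nearest due date) is an assumption.

```python
from datetime import date

# Constructed sample shaped like the public KEV JSON feed; CVE ids are placeholders.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2026-06-01", "dueDate": "2026-06-22"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
]}

# Constructed findings, one per (asset, CVE) pair from a hypothetical inventory.
FINDINGS = [
    {"asset": "hmi-01", "cve": "CVE-0000-0002", "cvss": 7.8, "internet_facing": False},
    {"asset": "fw-edge", "cve": "CVE-0000-0001", "cvss": 6.5, "internet_facing": True},
    {"asset": "hist-01", "cve": "CVE-0000-0003", "cvss": 9.8, "internet_facing": False},
    {"asset": "vpn-01", "cve": "CVE-0000-0004", "cvss": 9.1, "internet_facing": True},
]

def kev_index(feed):
    """Map upper-cased CVE id -> KEV record, skipping records without an id."""
    return {v["cveID"].strip().upper(): v
            for v in feed.get("vulnerabilities", []) if v.get("cveID")}

def triage(findings, feed, today):
    """Flag KEV matches and order findings: KEV above non-KEV regardless of CVSS."""
    kev = kev_index(feed)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"].strip().upper())
        row = dict(f, kev=entry is not None, emergency=False, days_left=None)
        if entry:
            # Internet-facing device with a KEV match: handle as an emergency.
            row["emergency"] = bool(f["internet_facing"])
            due = entry.get("dueDate")
            if due:  # negative value means the due date has passed
                row["days_left"] = (date.fromisoformat(due) - today).days
        rows.append(row)
    # Assumed tie-breaks inside each group: emergency, nearest due date, CVSS.
    rows.sort(key=lambda r: (not r["kev"], not r["emergency"],
                             r["days_left"] if r["days_left"] is not None else 10**6,
                             -r["cvss"]))
    return rows

if __name__ == "__main__":
    for r in triage(FINDINGS, KEV_FEED, date(2026, 6, 8)):
        tag = "EMERGENCY" if r["emergency"] else ("KEV" if r["kev"] else "-")
        print(f'{r["asset"]:8} {r["cve"]:14} cvss={r["cvss"]:<4} {tag:9} days_left={r["days_left"]}')
```

A non-KEV finding on an internet-facing device is not marked as an emergency here, because the emergency step above applies to KEV matches; it still sorts by CVSS within the non-KEV group.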

KEV and Compliance

For NERC CIP regulated entities, KEV entries that match BES Cyber Assets represent a documented, confirmed threat. Your CIP-007 patch management program should include a process for accelerated response to KEV entries. BreachSpider's KEV alerts and audit log provide the documentation trail that auditors require.

For IEC 62443 compliance, KEV entries are evidence of active threat activity against your technology stack. Include KEV exposure in your vulnerability management documentation.