Trending CVEs
The vulnerabilities you should know about right now, across three lenses: CISA's actively-exploited list, EPSS's exploit-prediction score, and our threat-actor attribution catalog.
Recently added to CISA KEV (last 90 days)
Highest EPSS exploit probability (predicted for the next 30 days)
Most actor-attributed (distinct threat actors known to use the CVE)
How we choose "trending"
Three lenses, three different questions. The list at the top of this page is the union of three independent rankings, not a single composite score. Each lens captures something the others miss.
Recent KEV additions shows CVEs that CISA added to the Known Exploited Vulnerabilities catalog in the last 90 days. KEV is the highest-confidence signal available: an entry means CISA has reliable evidence of active exploitation in the wild, usually corroborated by vendor advisories, incident response reports, or government partner intelligence. The catalog holds over 1,583 CVEs all-time. If a CVE shows up here, patching it is no longer a theoretical exercise. The converse does not hold: KEV is not exhaustive, so absence from the catalog is not evidence that a CVE is unexploited.
Highest EPSS exploit probability is forward-looking. EPSS, maintained by FIRST.org, scores each published CVE between 0 and 1 as the probability it will be exploited in the next 30 days. The model uses features like exploit-code availability, vulnerability characteristics, and historical exploitation patterns, and scores are recomputed daily, so a CVE's position in this list moves as new evidence arrives. EPSS surfaces CVEs that are not yet on KEV but are statistically likely to land there.
Most actor-attributed ranks by the number of distinct named threat actors documented using the CVE in real intrusions. Some vulnerabilities accumulate a long roster of users (state-sponsored APTs, financially motivated crews, ransomware affiliates) because they are reliable, widely deployed, and not yet patched at scale. A high actor count tells you a CVE is part of the working toolkit, not just a lab finding.
Why three lenses instead of one ranked list? Because the signals disagree, and the disagreement is informative. A CVE on KEV with low EPSS is being exploited but the model did not predict it. A high-EPSS CVE not yet on KEV is the model's best guess at the next addition. Collapsing them into one number hides the reasoning.
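The three-lens selection described above, written out as an added example rather than the site's own code. It runs offline over constructed samples shaped like CISA's KEV JSON export ("vulnerabilities" array with cveID, dateAdded, dueDate, knownRansomwareCampaignUse) and the FIRST EPSS API response (epss and percentile serialised as strings), plus a constructed actor catalog with placeholder actor names; all CVE IDs are synthetic. The reference date, the top-N cutoffs, and the 0.5 EPSS threshold used to flag disagreements between the lenses are assumptions chosen for the example.

```python
"""Three-lens CVE triage (KEV recency, EPSS, actor count) over constructed sample data."""
from datetime import date, timedelta

# Assumed reference "today" so the 90-day window is deterministic (constructed for the example).
TODAY = date(2025, 3, 1)
KEV_WINDOW_DAYS = 90

# Constructed sample in the shape of CISA's KEV JSON export; only the fields read here are
# included and the CVE IDs are synthetic.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "Gateway",
         "dateAdded": "2025-02-20", "dueDate": "2025-03-13", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp", "product": "Mailer",
         "dateAdded": "2024-06-01", "dueDate": "2024-06-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0003", "vendorProject": "OtherVendor", "product": "VPN",
         "dateAdded": "2025-01-15", "dueDate": "2025-02-05", "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed sample in the shape of the FIRST EPSS API "data" array (numbers arrive as strings).
EPSS_FEED = {
    "data": [
        {"cve": "CVE-2099-0001", "epss": "0.12000", "percentile": "0.95000"},
        {"cve": "CVE-2099-0003", "epss": "0.91000", "percentile": "0.99900"},
        {"cve": "CVE-2099-0004", "epss": "0.88000", "percentile": "0.99800"},
        {"cve": "CVE-2099-0005", "epss": "0.00300", "percentile": "0.40000"},
    ]
}

# Constructed attribution catalog: CVE -> set of DISTINCT named actors (placeholder names).
ACTOR_CATALOG = {
    "CVE-2099-0002": {"ACTOR-A", "ACTOR-B", "ACTOR-C"},
    "CVE-2099-0003": {"ACTOR-A"},
    "CVE-2099-0004": {"ACTOR-D", "ACTOR-E"},
}


def recent_kev(feed, today=TODAY, window_days=KEV_WINDOW_DAYS):
    """CVE IDs CISA added to KEV within the last `window_days`, newest first."""
    cutoff = today - timedelta(days=window_days)
    rows = [v for v in feed["vulnerabilities"] if date.fromisoformat(v["dateAdded"]) >= cutoff]
    rows.sort(key=lambda v: v["dateAdded"], reverse=True)
    return [v["cveID"] for v in rows]


def top_epss(feed, n=3):
    """Top-n CVE IDs by EPSS probability (descending). EPSS serialises scores as strings."""
    scored = sorted(((row["cve"], float(row["epss"])) for row in feed["data"]),
                    key=lambda t: t[1], reverse=True)
    return [cve for cve, _ in scored[:n]]


def most_attributed(catalog, n=3):
    """Top-n CVE IDs by number of distinct attributed actors, not exploitation attempts."""
    ranked = sorted(catalog.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [cve for cve, _ in ranked[:n]]


def trending(kev=KEV_FEED, epss=EPSS_FEED, actors=ACTOR_CATALOG, today=TODAY):
    """Union of the three lenses, annotated with which lens(es) surfaced each CVE.

    The lenses stay separate instead of being collapsed into one score, so the
    annotations preserve why each CVE is on the list.
    """
    lenses = {
        "kev_recent": set(recent_kev(kev, today)),
        "epss_top": set(top_epss(epss)),
        "actor_top": set(most_attributed(actors)),
    }
    epss_by_cve = {row["cve"]: float(row["epss"]) for row in epss["data"]}
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    report = {}
    for cve in set().union(*lenses.values()):
        report[cve] = {
            "lenses": sorted(name for name, members in lenses.items() if cve in members),
            "on_kev": cve in kev_ids,
            "epss": epss_by_cve.get(cve),          # None when EPSS has no score for the CVE
            "actor_count": len(actors.get(cve, ())),
        }
    return report


def disagreements(report, threshold=0.5):
    """Where the signals disagree: (exploited but low EPSS, high EPSS but not on KEV).

    The 0.5 threshold is an assumption for the example, not a published cutoff.
    """
    exploited_unpredicted = sorted(c for c, r in report.items()
                                   if r["on_kev"] and r["epss"] is not None and r["epss"] < threshold)
    predicted_not_on_kev = sorted(c for c, r in report.items()
                                  if not r["on_kev"] and r["epss"] is not None and r["epss"] >= threshold)
    return exploited_unpredicted, predicted_not_on_kev


if __name__ == "__main__":
    rep = trending()
    for cve_id in sorted(rep):
        print(cve_id, rep[cve_id])
    low_epss_kev, high_epss_no_kev = disagreements(rep)
    print("on KEV but low EPSS:", low_epss_kev)
    print("high EPSS, not on KEV:", high_epss_no_kev)
```

Against the live feeds, `KEV_FEED` is the parsed JSON export from CISA and `EPSS_FEED` is the parsed response from the FIRST EPSS API; the functions above read only the field names those sources use. Note that a CVE with no EPSS score is reported with `epss` of `None` rather than 0, so it is neither flagged as "unpredicted" nor silently ranked at the bottom.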
Reading a CVE intel page
Click any CVE ID and you land on /cve/CVE-YYYY-NNNN (the sequence part is four or more digits), a single-page intelligence brief. Each page is free and public, with no signup required. You'll see:
- CVSS v3 score and severity. Numeric base score plus the qualitative band: critical (9.0 to 10.0), high (7.0 to 8.9), medium (4.0 to 6.9), or low (0.1 to 3.9). Where vendors publish CVSS v3.1 vector strings, those are shown too.
- CISA KEV catalog status. Whether the CVE is on KEV, the date it was added, the required-action due date for federal civilian agencies under BOD 22-01, and the ransomware-used flag CISA sets when leak-site or DFIR reporting confirms ransomware involvement.
- EPSS score and percentile. The probability the CVE will be exploited in the next 30 days, and the percentile (the fraction of all scored CVEs with an equal or lower probability), which shows how it ranks against every other published CVE.
- Threat actors known to exploit. A list of named groups, with links to their per-actor profile and the public source we used for the attribution.
- Affected vendor and product. CPE-derived where possible, plus a plain-language summary. Helpful for piping into asset-management queries.
The pages render server-side and are linkable. Drop them into incident tickets or share them in Slack. No paywall, no login wall.
Frequently asked questions
What is a CVE?
A CVE (Common Vulnerabilities and Exposures) is a public identifier for a specific software flaw. The CVE program is sponsored by CISA and operated by MITRE. Each CVE has a unique ID like CVE-2024-12345, a description, the affected product, and usually a CVSS severity score.
What is CISA KEV?
CISA's Known Exploited Vulnerabilities catalog is the U.S. government's list of CVEs confirmed exploited in the wild. CISA only adds a CVE after obtaining reliable evidence of active exploitation. The catalog holds over 1,583 entries all-time and is updated several times a week. Federal civilian agencies must remediate each entry by its due date under BOD 22-01; everyone else gets the highest-signal patching priority list available, for free.
What is EPSS?
EPSS (Exploit Prediction Scoring System) is a model from FIRST.org that estimates the probability a CVE will be exploited in the next 30 days. Each CVE gets a score between 0 and 1 plus a percentile rank, recomputed daily. EPSS is a forecast, not an observation. It complements KEV: KEV tells you what's being exploited, EPSS predicts what's most likely next.
Why does a high-CVSS CVE not always make the KEV list?
CVSS measures theoretical severity: how bad the impact would be if exploited. KEV requires evidence of real-world exploitation. Many critical-rated CVEs are never used by attackers because exploitation is hard, the product has low deployment, or attackers prefer easier targets. CVSS, EPSS, and KEV answer different questions: how bad, how likely, is it happening.
How do you map threat actors to CVEs?
Curated from public reporting: vendor advisories, threat-intel write-ups (Mandiant, CrowdStrike, Talos), MITRE ATT&CK group references, CISA joint advisories, and DFIR case studies. The count shown is distinct attributed actors, not exploitation attempts.
Can I subscribe to KEV updates?
Yes. CISA publishes its own RSS feed and JSON export. SecurityAlert.ai also republishes KEV additions through /api/misp/events (MISP-compatible JSON) and a TAXII 2.1 collection on Enterprise plans. For email alerts on new KEV entries affecting your stack, configure a brand or tech monitor on the dashboard.
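One way to build the "new KEV entries affecting your stack" alert yourself from CISA's JSON export, as an added example rather than SecurityAlert.ai's implementation: it diffs two constructed snapshots in the shape of the KEV feed (synthetic CVE IDs) against a constructed asset inventory, normalising vendor and product names before matching, and orders hits by CISA's ransomware flag and then by due date. In practice the two snapshots come from successive downloads of https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the inventory format and the normalisation rules are assumptions for the example.

```python
"""Alert on new KEV entries that touch your stack: diff two KEV snapshots, match inventory."""

# Constructed snapshots in the shape of CISA's KEV JSON export; CVE IDs are synthetic.
PREVIOUS_SNAPSHOT = {
    "catalogVersion": "2025.02.20",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "Gateway",
         "dateAdded": "2025-02-20", "dueDate": "2025-03-13", "knownRansomwareCampaignUse": "Known"},
    ],
}
CURRENT_SNAPSHOT = {
    "catalogVersion": "2025.02.27",
    "vulnerabilities": PREVIOUS_SNAPSHOT["vulnerabilities"] + [
        {"cveID": "CVE-2099-0006", "vendorProject": "ExampleCorp", "product": "Mailer",
         "dateAdded": "2025-02-27", "dueDate": "2025-03-20", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0007", "vendorProject": "Other Vendor", "product": "VPN-Appliance",
         "dateAdded": "2025-02-27", "dueDate": "2025-03-20", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0008", "vendorProject": "Unrelated Inc", "product": "Widget",
         "dateAdded": "2025-02-27", "dueDate": "2025-03-20", "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Constructed asset inventory: (vendor, product) pairs as a CMDB export might spell them.
# Assumed format for the example; a real export needs its own mapping to KEV's naming.
INVENTORY = [("examplecorp", "mailer"), ("other vendor", "vpn appliance")]


def normalise(name):
    """Lower-case and collapse separators so 'VPN-Appliance' and 'vpn appliance' compare equal."""
    return " ".join(name.lower().replace("-", " ").replace("_", " ").split())


def new_entries(previous, current):
    """KEV entries present in `current` but not in `previous`, in feed order."""
    seen = {v["cveID"] for v in previous["vulnerabilities"]}
    return [v for v in current["vulnerabilities"] if v["cveID"] not in seen]


def matches_inventory(entry, inventory):
    """True when the entry's vendor/product pair matches an inventory pair after normalisation."""
    vendor, product = normalise(entry["vendorProject"]), normalise(entry["product"])
    return any(vendor == normalise(iv) and product == normalise(ip) for iv, ip in inventory)


def kev_alerts(previous, current, inventory):
    """Alerts for new KEV additions touching the inventory: ransomware-flagged first, then earliest due date."""
    hits = [v for v in new_entries(previous, current) if matches_inventory(v, inventory)]
    hits.sort(key=lambda v: (v["knownRansomwareCampaignUse"] != "Known", v["dueDate"], v["cveID"]))
    return [
        {"cve": v["cveID"], "vendor": v["vendorProject"], "product": v["product"],
         "due": v["dueDate"], "ransomware": v["knownRansomwareCampaignUse"] == "Known"}
        for v in hits
    ]


if __name__ == "__main__":
    for alert in kev_alerts(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, INVENTORY):
        print(alert)
```

Keeping the previous snapshot on disk and diffing by cveID is more robust than trusting dateAdded alone, because a missed poll would otherwise drop entries added between runs.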