Actively Exploited Vulnerability

An actively exploited vulnerability is one for which credible evidence exists that it is being used by threat actors in real-world attacks — not merely demonstrated in a proof-of-concept or published as a theoretical risk, but actually weaponised against live systems. Evidence of active exploitation includes: threat intelligence reports from security researchers, ISACs, or vendors documenting exploitation attempts; incident response cases attributing attacks to a specific vulnerability; honeypot or telemetry data showing exploitation attempts in the wild; or inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalogue. The distinction between theoretical and active exploitation matters significantly under the CRA because it triggers the most time-critical notification obligation.

Article 14 of the CRA establishes a cascading notification obligation when a manufacturer becomes aware of an actively exploited vulnerability in their product:

• Within 24 hours: Submit an early warning to ENISA (via the EUVDB portal) identifying the vulnerability and confirming that active exploitation is occurring. This is a notification of awareness, not a full analysis.
• Within 72 hours: Submit a fuller notification including the CVE identifier (if assigned), a description of the vulnerability, affected product versions, an assessment of severity, and available mitigations.
• Within 14 days: Submit a final report including the root cause analysis, the remediation plan, and the status of any patch development or deployment.

These timelines are non-negotiable and begin from the moment the manufacturer has credible awareness of exploitation, not from when they confirm it internally.

Manufacturers must establish mechanisms to monitor for exploitation evidence across multiple channels:

• CISA KEV: The CISA Known Exploited Vulnerabilities catalogue is the most authoritative public source. Manufacturers should monitor it for vulnerabilities affecting their products' component stack.
• Threat intelligence feeds: Commercial and open-source threat intelligence platforms aggregate exploitation indicators. Subscribing to feeds relevant to the product's technology stack is essential.
• Security research publications: Exploit proof-of-concept publications on GitHub, Exploit-DB, or researcher blogs often precede or coincide with in-the-wild exploitation.
• Incident telemetry: Manufacturers with cloud-connected products should monitor anomalous usage patterns that may indicate exploitation attempts.
• National CSIRT alerts: EU national CSIRTs and ENISA regularly issue alerts for actively exploited vulnerabilities; subscribing to relevant alerting channels is good practice.

When a manufacturer becomes aware of active exploitation, the response should be immediate and parallel across three tracks:

Track 1 — Notification: Submit the CRA Article 14 notification to ENISA within 24 hours. Prepare follow-on notifications for the 72-hour and 14-day deadlines. Notify national CSIRT and relevant MSA if appropriate.

Track 2 — User protection: Publish an emergency security advisory with interim mitigation guidance (configuration changes, feature disablement, network controls) that users can apply immediately, even before a patch is available.

Track 3 — Remediation: Accelerate patch development, compress testing cycles where safely possible, and prepare the update delivery mechanism for rapid deployment. For exploited vulnerabilities, the normal remediation SLA should be overridden in favour of emergency response timelines.