← CRA Glossary
Security Standards & Frameworks

CISA Known Exploited Vulnerabilities (KEV) Catalogue

The CISA Known Exploited Vulnerabilities (KEV) catalogue is a curated list maintained by the US Cybersecurity and Infrastructure Security Agency that identifies CVEs for which there is credible evidence of active exploitation in the wild. For EU manufacturers, the KEV catalogue is the highest-priority vulnerability intelligence source — any KEV entry affecting a shipped product triggers the CRA's 24-hour ENISA notification obligation.

The CISA Known Exploited Vulnerabilities (KEV) catalogue is a curated list maintained by the US Cybersecurity and Infrastructure Security Agency that identifies CVEs for which there is credible evidence of active exploitation in the wild. For EU manufacturers, the KEV catalogue is the highest-priority vulnerability intelligence source — any KEV entry affecting a shipped product triggers the CRA's 24-hour ENISA notification obligation.

Security Standards & Frameworks
Free CVD portal →

What Is the CISA KEV Catalogue?

The CISA Known Exploited Vulnerabilities (KEV) catalogue is a continuously updated list of CVEs that the US Cybersecurity and Infrastructure Security Agency (CISA) has determined are being actively exploited by threat actors in the wild. Unlike the NVD, which lists all known vulnerabilities, the KEV catalogue is a curated, high-signal subset: entry requires credible evidence of active exploitation — not theoretical exploitability. The catalogue is publicly accessible and machine-readable (JSON format), and is updated when CISA receives reliable exploitation evidence. As of 2025, the catalogue contains thousands of entries across a wide range of software and hardware products.

CRA reference:Article 14(1)

Why the KEV Catalogue Is Critical for CRA Compliance

Article 14(1) of the CRA requires manufacturers to notify ENISA within 24 hours of becoming aware that a vulnerability in their product is being actively exploited. The CISA KEV catalogue is the most reliable public signal of active exploitation. If a KEV entry is published for a CVE affecting a component in a manufacturer's shipped product, this is prima facie evidence that the Article 14(1) trigger has been met and the 24-hour notification clock has started. Manufacturers who monitor the KEV catalogue continuously and have it integrated with their SBOM management will know within hours whether a new KEV entry affects their products — enabling them to meet the notification deadline.

CRA reference:Article 14(1)

How Manufacturers Integrate KEV Monitoring

Manufacturers should integrate KEV monitoring into their vulnerability management workflow as a highest-priority alert source. Practical implementation includes: (1) subscribing to the CISA KEV RSS feed or API endpoint; (2) configuring SCA and SBOM management tools to cross-reference new KEV additions against the component inventory of all shipped products; (3) defining a specific incident response playbook for KEV matches — distinct from standard CVE triage — with a defined escalation path and ENISA notification template; (4) testing this playbook in regular tabletop exercises; and (5) ensuring the on-call product security team is alerted immediately when a KEV addition matches a shipped product component. Time-to-detect is critical given the 24-hour notification window.

CRA reference:Article 14(1), Article 13(3)

Common Mistakes

The most dangerous mistake is treating the KEV catalogue as a US-specific resource with no EU relevance. The CRA's active exploitation notification trigger is not geographically limited — exploitation evidence from any region, including KEV catalogue addition, counts as the trigger. Manufacturers who monitor only European threat intelligence sources will miss KEV additions that would trigger their Article 14(1) obligations. A second error is not having a KEV-specific response workflow: standard CVE triage processes are typically too slow (days to weeks) to meet the 24-hour notification window that KEV additions effectively trigger.

CRA reference:Article 14(1)

CVD Portal makes CISA Known Exploited Vulnerabilities (KEV) Catalogue compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

Does a KEV catalogue addition automatically trigger the CRA's 24-hour ENISA notification?+

A KEV addition for a CVE affecting a component in a manufacturer's shipped product constitutes credible evidence that the vulnerability is actively exploited, which is the trigger for the Article 14(1) 24-hour notification obligation. Manufacturers should treat KEV additions affecting their products as triggering the notification clock from the moment they become aware of the KEV entry. They should not wait for independent confirmation of exploitation before beginning the notification process.

Is the CISA KEV catalogue relevant to EU manufacturers or only to US companies?+

The CISA KEV catalogue is a global vulnerability intelligence resource, not a US-only list. Active exploitation of software vulnerabilities is not geographically constrained — threat actors exploiting a vulnerability in the US are typically doing so globally. EU manufacturers and ENISA both use the KEV catalogue as a primary reference for actively exploited vulnerabilities. The CRA's notification obligation is triggered by active exploitation regardless of where in the world the exploitation is observed.

How frequently is the CISA KEV catalogue updated?+

The CISA KEV catalogue is updated on an ongoing basis as CISA receives and evaluates exploitation evidence. New entries can be added at any time, with multiple additions sometimes occurring in a single day during periods of high threat actor activity. Manufacturers should not rely on daily manual checks: the KEV API and JSON feed should be integrated into automated monitoring systems that alert the product security team immediately when a new entry is added that matches a component in their SBOM.

Related terms

Common Vulnerabilities and Exposures (CVE)CVE is a public catalogue of known cybersecurity vulnerabilities, each assigned a unique identifier (e.g. CVE-2024-12345) maintained by MITRE. Under the CRA, manufacturers are expected to track CVEs affecting their products and report actively exploited vulnerabilities to ENISA.National Vulnerability Database (NVD)The National Vulnerability Database (NVD) is the US government's comprehensive repository of CVE records enriched with CVSS severity scores, CWE classifications, and CPE product identifiers, maintained by NIST. It is the primary machine-readable vulnerability intelligence source used by SCA tools and vulnerability scanners globally, including by EU manufacturers complying with the CRA.ExploitAn exploit is code, data, or a sequence of commands that takes advantage of a vulnerability to cause unintended behaviour in software or hardware. Under the EU Cyber Resilience Act, manufacturers must actively track and remediate vulnerabilities before exploits are developed and weaponised.Incident ResponseIncident response is the organised process for detecting, containing, investigating, and recovering from cybersecurity incidents — events where a product's security has been or may have been compromised. The EU Cyber Resilience Act requires manufacturers to have incident response capabilities and to notify authorities within strict timeframes when security incidents occur.

CRA articles using this term

Article 14Active Exploitation and Incident Reporting — 24h, 72h, and 14-Day ObligationsArticle 13Coordinated Vulnerability Disclosure Obligations for ManufacturersAnnex IEssential Cybersecurity Requirements for Products with Digital Elements

Browse the full CRA Compliance Checklist

See how CISA Known Exploited Vulnerabilities (KEV) Catalogue fits into your complete CRA compliance programme.

View checklists →