Reading the KEV catalog: what “known exploited” really means
CISA's Known Exploited Vulnerabilities catalog is the highest-signal feed in vuln management — if you understand what inclusion does and doesn't imply.
CISA’s Known Exploited Vulnerabilities (KEV) catalog is the closest thing the industry has to ground truth: a CVE lands on it when there is reliable evidence of active exploitation in the wild. That is a far stronger claim than a high CVSS or even a high EPSS — it is observation, not prediction.
What inclusion implies
- Real-world exploitation has been observed — this is not theoretical.
- For US federal agencies, a remediation due date attaches under BOD 22-01.
- A subset is flagged as used in known ransomware campaigns.
What it does not imply
Absence from KEV is not safety. The catalog lags the leading edge of exploitation, and it only covers what CISA can confirm. This is precisely why EPSS is a useful complement: it surfaces probable-but-not-yet-confirmed activity before the KEV entry appears. Treat KEV as the floor of your priority list, not the ceiling.
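The "floor, not ceiling" rule above, as an added example (not PublicCVE's or CISA's code): a small ranker that puts KEV entries first (ransomware-linked, then by BOD 22-01 due date) and orders everything else by EPSS. The feed snippet follows the field names of CISA's public KEV JSON, but the CVE IDs, products, dates and EPSS scores are constructed for the example.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed: the field names follow the
# public feed, but the CVE IDs, products and dates are made up for this example.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCo", "product": "Gateway",
     "dateAdded": "2025-03-01", "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCo", "product": "Portal",
     "dateAdded": "2025-02-10", "dueDate": "2025-03-03", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed EPSS scores (probability of exploitation within 30 days) for the CVEs in
# our inventory; in practice these come from the EPSS API.
EPSS = {"CVE-2099-0001": 0.31, "CVE-2099-0002": 0.02, "CVE-2099-0003": 0.87, "CVE-2099-0004": 0.01}

def load_kev(text):
    """Index the KEV feed by CVE ID so membership checks are a dict lookup."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}

def prioritize(inventory, kev, epss, today_iso):
    """Rank the CVEs present in our environment. KEV entries are the floor: ransomware-linked
    first, then by BOD 22-01 due date. Everything else is ordered by EPSS so probable but
    not-yet-confirmed exploitation still rises above the noise."""
    today = date.fromisoformat(today_iso)
    rows = []
    for cve in inventory:
        entry = kev.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({
            "cve": cve,
            "kev": entry is not None,
            "ransomware": bool(entry) and entry["knownRansomwareCampaignUse"] == "Known",
            "due": due.isoformat() if due else None,
            "overdue": bool(due) and due < today,   # BOD 22-01 deadline already passed
            "epss": epss.get(cve, 0.0),
        })
    # KEV before non-KEV; inside KEV ransomware then earliest due date; then highest EPSS
    rows.sort(key=lambda r: (not r["kev"], not r["ransomware"], r["due"] or "", -r["epss"]))
    return rows

if __name__ == "__main__":
    for r in prioritize(["CVE-2099-0004", "CVE-2099-0002", "CVE-2099-0003", "CVE-2099-0001"],
                        load_kev(KEV_JSON), EPSS, "2025-03-10"):
        print(r["cve"], "KEV" if r["kev"] else "---", r["due"] or "-", f"epss={r['epss']:.2f}")
```

Note that the non-KEV CVE with EPSS 0.87 still ranks below every KEV entry: confirmed exploitation outranks predicted exploitation, but it is the EPSS ordering that keeps it from being lost among the rest.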
How PublicCVE surfaces it
KEV-listed CVEs carry a badge everywhere they appear, the Recently exploited view tracks the newest additions, and the Ransomware-linked view narrows to the campaigns that matter most. Each is available as a JSON, RSS, or CSV feed so you can wire it straight into your own tooling.