SARA / Free Tools / KEV Browser

CISA Known Exploited Vulnerabilities — searchable, filterable

Browse every CVE in the CISA KEV catalog. Filter by vendor, product, ransomware use, or BOD 22-01 due date. Updated daily from cisa.gov.

CVEVendorProductAddedDueRansomTriage
CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM) 2025-05-19 2025-06-09 Triage →
CVE-2025-42999 SAP NetWeaver 2025-05-15 2025-06-05 Triage →
CVE-2024-12987 DrayTek Vigor Routers 2025-05-15 2025-06-05 Triage →
CVE-2025-32756 Fortinet Multiple Products 2025-05-14 2025-06-04 Triage →
CVE-2025-27038 Qualcomm Multiple Chipsets 2025-06-03 2025-06-24 Triage →
CVE-2021-32030 ASUS Routers 2025-06-02 2025-06-23 Triage →
CVE-2025-33053 Microsoft Windows 2025-06-10 2025-07-01 Triage →
CVE-2025-24016 Wazuh Wazuh Server 2025-06-10 2025-07-01 Triage →
CVE-2023-38950 ZKTeco BioTime 2025-05-19 2025-06-09 Triage →
CVE-2024-27443 Synacor Zimbra Collaboration Suite (ZCS) 2025-05-19 2025-06-09 Triage →
CVE-2025-31201 Apple Multiple Products 2025-04-17 2025-05-08 Triage →
CVE-2025-31200 Apple Multiple Products 2025-04-17 2025-05-08 Triage →
CVE-2021-20035 SonicWall SMA100 Appliances 2025-04-16 2025-05-07 Triage →
CVE-2025-47729 TeleMessage TM SGNL 2025-05-12 2025-06-02 Triage →
CVE-2024-11120 GeoVision Multiple Devices 2025-05-07 2025-05-28 Triage →
CVE-2024-6047 GeoVision Multiple Devices 2025-05-07 2025-05-28 Triage →
CVE-2025-34028 Commvault Command Center 2025-05-02 2025-05-23 Triage →
CVE-2024-58136 Yiiframework Yii 2025-05-02 2025-05-23 Triage →
CVE-2024-38475 Apache HTTP Server 2025-05-01 2025-05-22 Triage →
CVE-2025-32709 Microsoft Windows 2025-05-13 2025-06-03 Triage →
CVE-2025-30397 Microsoft Windows 2025-05-13 2025-06-03 Triage →
CVE-2025-32706 Microsoft Windows 2025-05-13 2025-06-03 Triage →
CVE-2025-1976 Broadcom Brocade Fabric OS 2025-04-28 2025-05-19 Triage →
CVE-2025-42599 Qualitia Active! Mail 2025-04-28 2025-05-19 Triage →
CVE-2022-23176 WatchGuard Firebox and XTM 2022-04-11 2022-05-02 Triage →
CVE-2021-42287 Microsoft Active Directory 2022-04-11 2022-05-02 Ransomware Triage →
CVE-2021-42278 Microsoft Active Directory 2022-04-11 2022-05-02 Ransomware Triage →
CVE-2021-39793 Google Pixel 2022-04-11 2022-05-02 Triage →
CVE-2021-27852 Checkbox Checkbox Survey 2022-04-11 2022-05-02 Triage →
CVE-2021-22600 Linux Kernel 2022-04-11 2022-05-02 Triage →
CVE-2020-2509 QNAP QNAP Network-Attached Storage (NAS) 2022-04-11 2022-05-02 Triage →
CVE-2017-11317 Telerik User Interface (UI) for ASP.NET AJAX 2022-04-11 2022-05-02 Triage →
CVE-2021-3156 Sudo Sudo 2022-04-06 2022-04-27 Triage →
CVE-2021-31166 Microsoft HTTP Protocol Stack 2022-04-06 2022-04-27 Triage →
CVE-2017-0148 Microsoft SMBv1 server 2022-04-06 2022-04-27 Ransomware Triage →
CVE-2022-22965 VMware Spring Framework 2022-04-04 2022-04-25 Triage →
CVE-2022-22675 Apple macOS 2022-04-04 2022-04-25 Triage →
CVE-2022-22960 VMware Multiple Products 2022-04-15 2022-05-06 Triage →
CVE-2022-1364 Google Chromium V8 2022-04-15 2022-05-06 Triage →
CVE-2019-3929 Crestron Multiple Products 2022-04-15 2022-05-06 Triage →
CVE-2019-3568 Meta Platforms WhatsApp 2022-04-19 2022-05-10 Triage →
CVE-2022-22718 Microsoft Windows 2022-04-19 2022-05-10 Triage →
CVE-2016-4523 Trihedral VTScada (formerly VTS) 2022-04-15 2022-05-06 Triage →
CVE-2014-0780 InduSoft Web Studio 2022-04-15 2022-05-06 Triage →
CVE-2022-26871 Trend Micro Apex Central 2022-03-31 2022-04-21 Triage →
CVE-2022-1040 Sophos Firewall 2022-03-31 2022-04-21 Triage →
CVE-2021-34484 Microsoft Windows 2022-03-31 2022-04-21 Triage →
CVE-2022-22674 Apple macOS 2022-04-04 2022-04-25 Triage →
CVE-2021-45382 D-Link Multiple Routers 2022-04-04 2022-04-25 Triage →
CVE-2022-22954 VMware Workspace ONE Access and Identity Manager 2022-04-14 2022-05-05 Ransomware Triage →
← Prev Page 20 of 33 · 1631 entries Next →

ReferenceWhat is the CISA KEV catalog?

The Known Exploited Vulnerabilities (KEV) catalog is a CISA-maintained list of CVEs confirmed to be actively exploited in the wild. It is the authoritative answer to "is this vulnerability really being used by attackers?" Unlike EPSS (which is a probability), KEV is a binary, evidence-based signal — if a CVE is on the KEV list, it has been observed in real attacks.

For US federal agencies, BOD 22-01 makes remediation of KEV CVEs mandatory by the listed due date. For everyone else, KEV is the strongest possible "patch this now" signal you can get from public threat intel.

When to useWhen should I use KEV?

Patch prioritization

KEV is your strict "patch this immediately" tier. Anything in KEV outranks any EPSS or CVSS calculation in priority.

Compliance reporting

Federal agencies and federal contractors must show KEV remediation against BOD 22-01. KEV exposure is increasingly a question on cyber-insurance applications and audit checklists.

Tabletop exercises

Run "what if a KEV CVE matched our asset inventory tomorrow?" — most SOCs have never tested that pipeline end-to-end.

Threat-intel feeds

Pipe KEV diffs into your SIEM as a high-priority detection input. Anything new in KEV today should map to your environment within 24 hours.

ComparisonKEV vs EPSS vs CVSS — how do they fit together?

SignalWhat it answersUse
CVSSHow bad is this vulnerability if it is exploited?Severity (theoretical)
EPSSHow likely is this vulnerability to be exploited in the next 30 days?Probability (forecast)
KEVIs this vulnerability already being exploited, with public evidence?Binary (confirmed)

The right priority order, in plain English: anything in KEV is patched first. Among non-KEV items, sort by EPSS percentile descending. Use CVSS as a tiebreaker.

API

Want this in your SOAR or SIEM?

SARA Open ships an OpenAI-compatible API. Call POST /api/v1/analyze — SARA returns EPSS, CVSS, KEV status, and an analyst-grade written summary in one call.

curl -X POST https://sara-open.sirp.io/api/v1/analyze \
  -H "Authorization: Bearer $SARA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type": "cve", "value": "CVE-2021-44228"}'
Read the API reference →

FAQFrequently asked questions

How often does CISA update the KEV catalog?
Whenever new exploitation evidence is confirmed — typically several updates per month, sometimes multiple in a week. This browser refreshes from CISA daily and reflects the most recent ingest.
Is the KEV catalog mandatory for non-federal organizations?
No, but it is widely treated as the de-facto standard for must-patch prioritization, and is increasingly cited by cyber-insurers, auditors, and regulators.
What does ransomware use mean in the KEV catalog?
CISA flags CVEs known to have been exploited in ransomware campaigns. This is the highest-urgency tier for many SOCs and a frequent input to ransomware tabletop exercises.
Can I bulk-export the KEV catalog?
Yes. CISA publishes the full catalog as JSON and CSV directly. SARA's API additionally returns SARA's analyst-written summary alongside each row — useful for triage queues.
Does this browser show every KEV CVE, or just popular ones?
Every entry in the catalog. The full list is searchable here.
What is BOD 22-01?
Binding Operational Directive 22-01, issued by CISA, requires US federal civilian executive-branch agencies to remediate vulnerabilities in the KEV catalog by the listed due date. Most non-federal organizations adopt similar SLAs informally.

Browse related toolsKeep exploring

Looking for more?

Ask SARA — our AI security analyst — for full CVE context, exploit chains, and detection rules.

Try SARA