SARA / Free Tools / KEV Browser

CISA Known Exploited Vulnerabilities — searchable, filterable

Browse every CVE in the CISA KEV catalog. Filter by vendor, product, ransomware use, or BOD 22-01 due date. Updated daily from cisa.gov.

CVEVendorProductAddedDueRansomTriage
CVE-2017-9248 Progress ASP.NET AJAX and Sitefinity 2021-11-03 2022-05-03 Triage →
CVE-2017-6327 Symantec Symantec Messaging Gateway 2021-11-03 2022-05-03 Triage →
CVE-2019-18187 Trend Micro OfficeScan 2021-11-03 2022-05-03 Triage →
CVE-2020-24557 Trend Micro Apex One, OfficeScan, and Worry-Free Business Security 2021-11-03 2022-05-03 Triage →
CVE-2020-8467 Trend Micro Apex One and OfficeScan 2021-11-03 2022-05-03 Triage →
CVE-2020-8599 Trend Micro Apex One and OfficeScan 2021-11-03 2022-05-03 Triage →
CVE-2021-36741 Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security 2021-11-03 2021-11-17 Triage →
CVE-2020-8468 Trend Micro Apex One, OfficeScan and Worry-Free Business Security Agents 2021-11-03 2022-05-03 Triage →
CVE-2019-20085 TVT NVMS-1000 2021-11-03 2022-05-03 Triage →
CVE-2021-36742 Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security 2021-11-03 2021-11-17 Triage →
CVE-2020-5849 Unraid Unraid 2021-11-03 2022-05-03 Triage →
CVE-2020-3952 VMware vCenter Server 2021-11-03 2022-05-03 Triage →
CVE-2020-17496 vBulletin vBulletin 2021-11-03 2022-05-03 Triage →
CVE-2020-3950 VMware Multiple Products 2021-11-03 2022-05-03 Triage →
CVE-2020-3992 VMware ESXi 2021-11-03 2022-05-03 Ransomware Triage →
CVE-2019-5544 VMware VMware ESXi and Horizon DaaS 2021-11-03 2022-05-03 Ransomware Triage →
CVE-2019-16759 vBulletin vBulletin 2021-11-03 2022-05-03 Triage →
CVE-2020-5847 Unraid Unraid 2021-11-03 2022-05-03 Triage →
CVE-2021-21972 VMware vCenter Server 2021-11-03 2021-11-17 Ransomware Triage →
CVE-2021-22005 VMware vCenter Server 2021-11-03 2021-11-17 Ransomware Triage →
CVE-2021-21985 VMware vCenter Server 2021-11-03 2021-11-17 Ransomware Triage →
CVE-2020-25213 WordPress File Manager Plugin 2021-11-03 2022-05-03 Triage →
CVE-2020-10189 Zoho ManageEngine 2021-11-03 2022-05-03 Triage →
CVE-2019-9978 WordPress Social Warfare Plugin 2021-11-03 2022-05-03 Triage →
CVE-2020-4006 VMware Multiple Products 2021-11-03 2022-05-03 Triage →
CVE-2021-27561 Yealink Device Management 2021-11-03 2021-11-17 Triage →
CVE-2019-8394 Zoho ManageEngine 2021-11-03 2022-05-03 Triage →
CVE-2020-11738 WordPress Snap Creek Duplicator Plugin 2021-11-03 2022-05-03 Triage →
CVE-2021-40539 Zoho ManageEngine 2021-11-03 2021-11-17 Ransomware Triage →
CVE-2020-29583 Zyxel Multiple Products 2021-11-03 2022-05-03 Triage →
CVE-2023-27350 PaperCut MF/NG 2023-04-21 2023-05-12 Ransomware Triage →
CVE-2023-1389 TP-Link Archer AX21 2023-05-01 2023-05-22 Triage →
CVE-2021-45046 Apache Log4j2 2023-05-01 2023-05-22 Ransomware Triage →
CVE-2004-1464 Cisco IOS 2023-05-19 2023-06-09 Triage →
CVE-2016-6415 Cisco IOS, IOS XR, and IOS XE 2023-05-19 2023-06-09 Triage →
CVE-2023-29336 Microsoft Win32k 2023-05-09 2023-05-30 Triage →
CVE-2021-3560 Red Hat Polkit 2023-05-12 2023-06-02 Triage →
CVE-2023-21839 Oracle WebLogic Server 2023-05-01 2023-05-22 Triage →
CVE-2015-5317 Jenkins Jenkins User Interface (UI) 2023-05-12 2023-06-02 Triage →
CVE-2023-26083 Arm Mali Graphics Processing Unit (GPU) 2023-04-07 2023-04-28 Triage →
CVE-2022-27926 Synacor Zimbra Collaboration Suite (ZCS) 2023-04-03 2023-04-24 Triage →
CVE-2017-6742 Cisco IOS and IOS XE Software 2023-04-19 2023-05-10 Triage →
CVE-2019-8526 Apple macOS 2023-04-17 2023-05-08 Triage →
CVE-2023-20963 Android Framework 2023-04-13 2023-05-04 Triage →
CVE-2023-29492 Novi Survey Novi Survey 2023-04-13 2023-05-04 Triage →
CVE-2023-28206 Apple iOS, iPadOS, and macOS 2023-04-10 2023-05-01 Triage →
CVE-2021-27876 Veritas Backup Exec Agent 2023-04-07 2023-04-28 Ransomware Triage →
CVE-2021-27877 Veritas Backup Exec Agent 2023-04-07 2023-04-28 Ransomware Triage →
CVE-2021-27878 Veritas Backup Exec Agent 2023-04-07 2023-04-28 Ransomware Triage →
CVE-2019-1388 Microsoft Windows 2023-04-07 2023-04-28 Ransomware Triage →
← Prev Page 20 of 33 · 1631 entries Next →

ReferenceWhat is the CISA KEV catalog?

The Known Exploited Vulnerabilities (KEV) catalog is a CISA-maintained list of CVEs confirmed to be actively exploited in the wild. It is the authoritative answer to "is this vulnerability really being used by attackers?" Unlike EPSS (which is a probability), KEV is a binary, evidence-based signal — if a CVE is on the KEV list, it has been observed in real attacks.

For US federal agencies, BOD 22-01 makes remediation of KEV CVEs mandatory by the listed due date. For everyone else, KEV is the strongest possible "patch this now" signal you can get from public threat intel.

When to useWhen should I use KEV?

Patch prioritization

KEV is your strict "patch this immediately" tier. Anything in KEV outranks any EPSS or CVSS calculation in priority.

Compliance reporting

Federal agencies and federal contractors must show KEV remediation against BOD 22-01. KEV exposure is increasingly a question on cyber-insurance applications and audit checklists.

Tabletop exercises

Run "what if a KEV CVE matched our asset inventory tomorrow?" — most SOCs have never tested that pipeline end-to-end.

Threat-intel feeds

Pipe KEV diffs into your SIEM as a high-priority detection input. Anything new in KEV today should map to your environment within 24 hours.

ComparisonKEV vs EPSS vs CVSS — how do they fit together?

SignalWhat it answersUse
CVSSHow bad is this vulnerability if it is exploited?Severity (theoretical)
EPSSHow likely is this vulnerability to be exploited in the next 30 days?Probability (forecast)
KEVIs this vulnerability already being exploited, with public evidence?Binary (confirmed)

The right priority order, in plain English: anything in KEV is patched first. Among non-KEV items, sort by EPSS percentile descending. Use CVSS as a tiebreaker.

API

Want this in your SOAR or SIEM?

SARA Open ships an OpenAI-compatible API. Call POST /api/v1/analyze — SARA returns EPSS, CVSS, KEV status, and an analyst-grade written summary in one call.

curl -X POST https://sara-open.sirp.io/api/v1/analyze \
  -H "Authorization: Bearer $SARA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type": "cve", "value": "CVE-2021-44228"}'
Read the API reference →

FAQFrequently asked questions

How often does CISA update the KEV catalog?
Whenever new exploitation evidence is confirmed — typically several updates per month, sometimes multiple in a week. This browser refreshes from CISA daily and reflects the most recent ingest.
Is the KEV catalog mandatory for non-federal organizations?
No, but it is widely treated as the de-facto standard for must-patch prioritization, and is increasingly cited by cyber-insurers, auditors, and regulators.
What does ransomware use mean in the KEV catalog?
CISA flags CVEs known to have been exploited in ransomware campaigns. This is the highest-urgency tier for many SOCs and a frequent input to ransomware tabletop exercises.
Can I bulk-export the KEV catalog?
Yes. CISA publishes the full catalog as JSON and CSV directly. SARA's API additionally returns SARA's analyst-written summary alongside each row — useful for triage queues.
Does this browser show every KEV CVE, or just popular ones?
Every entry in the catalog. The full list is searchable here.
What is BOD 22-01?
Binding Operational Directive 22-01, issued by CISA, requires US federal civilian executive-branch agencies to remediate vulnerabilities in the KEV catalog by the listed due date. Most non-federal organizations adopt similar SLAs informally.

Browse related toolsKeep exploring

Looking for more?

Ask SARA — our AI security analyst — for full CVE context, exploit chains, and detection rules.

Try SARA