⚡ Key Takeaways

CISA’s Known Exploited Vulnerabilities catalog reached 1,484 entries after a 20% surge in 2025, with 245 new additions and 304 total entries linked to ransomware groups. Organizations adopting KEV-based prioritization patch flagged vulnerabilities 3.5x faster than average, yet 53% of organizations still have open internet-facing vulnerabilities with a median 361-day remediation timeline.

Bottom Line: CISOs should immediately integrate the free CISA KEV catalog into their vulnerability scanners and set 14-day remediation targets for new additions, as the catalog’s threat-informed prioritization demonstrably outperforms traditional CVSS-based approaches.


🧭 Decision Radar

Relevance for Algeria: High
Algeria’s federal and enterprise systems face the same exploited vulnerabilities cataloged by CISA. Adopting KEV-based prioritization would immediately improve patching effectiveness for Algerian organizations, particularly critical infrastructure operators like Sonatrach and Sonelgaz.

Infrastructure Ready? Partial
Algerian organizations have vulnerability scanning tools, but most lack the automation and change management processes needed to achieve 14-day patching timelines. The catalog itself is freely accessible.

Skills Available? Partial
Algeria has cybersecurity professionals, but KEV-based vulnerability management requires integration between security teams and operations teams that many organizations have not yet established.

Action Timeline: Immediate
The KEV catalog is free and publicly available today. Algerian CISOs can adopt KEV-based prioritization immediately with no infrastructure investment.

Key Stakeholders: CISOs, IT security teams, system administrators, critical infrastructure operators

Decision Type: Tactical
This article provides an immediately actionable vulnerability prioritization framework that Algerian security teams can adopt today using existing tools and a free public resource.

Quick Take: Every Algerian CISO should integrate CISA’s KEV catalog into their vulnerability management workflow today. The catalog is free, publicly accessible, and provides a curated list of vulnerabilities confirmed to be under active exploitation. Organizations should configure their scanners to flag KEV-listed vulnerabilities as critical regardless of CVSS score, and target 14-day remediation for new KEV additions. This single change can improve patching effectiveness by 3.5x.
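The workflow in the Quick Take, as an added example that is not code from the article: it joins a scanner export with a KEV catalog snapshot, escalates every KEV-listed finding above any CVSS-derived tier, puts entries with known ransomware use on top (a design choice of this example, following the article's "incident in progress" framing), and sets a 14-day remediation target counted from the catalog's dateAdded. The field names (`cveID`, `dateAdded`, `knownRansomwareCampaignUse`) follow the real KEV JSON feed; the catalog content, the scanner findings and the CVE identifiers are constructed placeholders.

```python
"""Prioritize scanner findings against a CISA KEV catalog snapshot.

Added example, not code from the article. Field names follow the real
KEV JSON feed; the entries, findings and CVE ids below are constructed
placeholders, not real catalog content.
"""
import json
from datetime import date, timedelta

# Constructed KEV snapshot (real feed field names, placeholder entries).
KEV_SNAPSHOT = json.dumps({
    "catalogVersion": "EXAMPLE",
    "vulnerabilities": [
        {"cveID": "CVE-2025-00001", "vendorProject": "ExampleVendor",
         "product": "MailGateway", "dateAdded": "2025-12-01",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2019-00002", "vendorProject": "ExampleVendor",
         "product": "LegacyVPN", "dateAdded": "2025-11-20",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner export: asset, CVE, the scanner's CVSS base score.
SCANNER_FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-2019-00002", "cvss": 5.3, "internet_facing": True},
    {"asset": "app-07", "cve": "CVE-2025-00003", "cvss": 9.8, "internet_facing": False},
    {"asset": "mail-02", "cve": "CVE-2025-00001", "cvss": 7.5, "internet_facing": True},
]

KEV_TARGET_DAYS = 14  # the article's 14-day target for new KEV additions
TIER_RANK = {"kev-ransomware": 0, "kev": 1, "cvss-critical": 2, "cvss-high": 3, "cvss-other": 4}


def load_kev_index(raw_json):
    """Index catalog entries by CVE id so the join is a dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def cvss_tier(score):
    """Fallback tier for findings the catalog does not list."""
    if score >= 9.0:
        return "cvss-critical"
    if score >= 7.0:
        return "cvss-high"
    return "cvss-other"


def prioritize(findings, kev_index, today_iso):
    """Return findings ordered for remediation: KEV entries first, ransomware on top."""
    today = date.fromisoformat(today_iso)
    rows = []
    for f in findings:
        kev = kev_index.get(f["cve"])
        row = dict(f, kev_listed=kev is not None, ransomware=False, due=None, overdue=False)
        if kev is None:
            row["tier"] = cvss_tier(f["cvss"])
        else:
            # KEV status overrides CVSS: a 5.3 on the list outranks a 9.8 off it.
            row["ransomware"] = kev.get("knownRansomwareCampaignUse") == "Known"
            row["tier"] = "kev-ransomware" if row["ransomware"] else "kev"
            due = date.fromisoformat(kev["dateAdded"]) + timedelta(days=KEV_TARGET_DAYS)
            row["due"] = due.isoformat()
            row["overdue"] = today > due
        rows.append(row)
    # Order: tier, then already-overdue first, then internet-facing first, then earliest due.
    rows.sort(key=lambda r: (TIER_RANK[r["tier"]], not r["overdue"],
                             not r["internet_facing"], r["due"] or "9999-12-31"))
    return rows


if __name__ == "__main__":
    for r in prioritize(SCANNER_FINDINGS, load_kev_index(KEV_SNAPSHOT), "2025-12-10"):
        print(f'{r["tier"]:15} {r["asset"]:10} {r["cve"]}  cvss={r["cvss"]}  '
              f'due={r["due"]}  overdue={r["overdue"]}')
```

Against a live feed, `KEV_SNAPSHOT` would be replaced by the downloaded catalog JSON and `SCANNER_FINDINGS` by the scanner's export; the join logic is unchanged. The point the ordering makes is the one the article makes: the KEV-listed CVSS 5.3 on the VPN gateway is already past its 14-day target and lands above the unlisted CVSS 9.8.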

The Catalog That Rewrote Vulnerability Prioritization

When CISA launched the Known Exploited Vulnerabilities (KEV) catalog in November 2021 with 311 initial entries, it introduced a radical premise: stop prioritizing vulnerabilities by theoretical severity scores and start prioritizing by confirmed exploitation in the wild. Four years later, the catalog has grown to 1,484 entries as of December 2025 and continues expanding, with seven more entries added on April 13, 2026.

The growth trajectory tells its own story. After an initial 2022 surge of 555 additions as CISA cleared the backlog, the catalog stabilized at around 187 entries per year in 2023 and 2024. Then 2025 saw a renewed acceleration, with 245 new vulnerabilities added, a 20% increase and more than 30% above the prior two-year trend. This acceleration reflects not just increased exploitation activity but improved detection and reporting mechanisms.

The Federal Patching Mandate

Binding Operational Directive 22-01 transformed the KEV catalog from a reference resource into a legal requirement for federal agencies. Under BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate vulnerabilities assigned CVE identifiers in 2021 or later within two weeks of their addition to the catalog. Older vulnerabilities from before 2021 require remediation within six months.

The directive creates a constant drumbeat of patching urgency. Agencies must complete initial scanning within 48 hours of a new KEV addition and develop remediation plans within 72 hours. This timeline compresses the traditional vulnerability management cycle from months to days, forcing agencies to maintain perpetual readiness for emergency patching.

The mandate applies only to federal civilian agencies, not to the private sector. But the catalog’s influence extends far beyond government.
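The BOD 22-01 timelines described above, as an added example that is neither the article's nor CISA's code: it derives an entry's due date from its CVE year (two weeks for CVEs assigned in 2021 or later, six months for older ones) and diffs two catalog snapshots to surface the entries added since the previous check, which is the event that starts the directive's clock. Field names follow the real KEV JSON feed, which also carries its own `dueDate` field that the code prefers when present; the snapshots and CVE identifiers are constructed placeholders, and reading "six months" as six calendar months clamped to month end is an assumption of this example.

```python
"""BOD 22-01 deadlines and detection of new KEV catalog additions.

Added example, not code from the article or from CISA. Field names
follow the real KEV JSON feed; the snapshots and CVE ids are constructed
placeholders. The six-month rule is read as calendar months clamped to
the end of the month, which is an assumption of this example.
"""
import calendar
import json
from datetime import date, timedelta

# Constructed snapshots: the previous check's catalog and today's.
PREVIOUS_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2018-00009", "vendorProject": "ExampleVendor", "product": "OldRouter",
     "dateAdded": "2025-10-01", "knownRansomwareCampaignUse": "Unknown"},
]})
CURRENT_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2018-00009", "vendorProject": "ExampleVendor", "product": "OldRouter",
     "dateAdded": "2025-10-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-00001", "vendorProject": "ExampleVendor", "product": "MailGateway",
     "dateAdded": "2025-12-01", "dueDate": "2025-12-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2019-00002", "vendorProject": "ExampleVendor", "product": "LegacyVPN",
     "dateAdded": "2025-11-20", "knownRansomwareCampaignUse": "Unknown"},
]})


def cve_year(cve_id):
    """CVE ids are CVE-YYYY-NNNN...; reject anything else rather than guess."""
    parts = cve_id.split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError(f"malformed CVE id: {cve_id!r}")
    return int(parts[1])


def add_months(d, n):
    """Add n calendar months, clamping the day to the target month's length."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def bod_22_01_due_date(cve_id, date_added):
    """BOD 22-01: two weeks for CVE-2021 and later, six months for older CVEs."""
    added = date.fromisoformat(date_added)
    if cve_year(cve_id) >= 2021:
        return added + timedelta(weeks=2)
    return add_months(added, 6)


def new_additions(previous_raw, current_raw):
    """Entries in the current snapshot that the previous one did not contain."""
    seen = {v["cveID"] for v in json.loads(previous_raw)["vulnerabilities"]}
    added = []
    for v in json.loads(current_raw)["vulnerabilities"]:
        if v["cveID"] in seen:
            continue
        # The live feed publishes its own dueDate; compute one only as a fallback.
        due = v.get("dueDate") or bod_22_01_due_date(v["cveID"], v["dateAdded"]).isoformat()
        added.append({
            "cve": v["cveID"],
            "product": f'{v["vendorProject"]} {v["product"]}',
            "added": v["dateAdded"],
            "due": due,
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        })
    # Earliest deadline first, so the output doubles as the work queue.
    return sorted(added, key=lambda e: (e["due"], e["cve"]))


if __name__ == "__main__":
    for e in new_additions(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT):
        flag = " [ransomware]" if e["ransomware"] else ""
        print(f'{e["cve"]} {e["product"]} added {e["added"]} due {e["due"]}{flag}')
```

Run on a schedule with yesterday's download as `PREVIOUS_SNAPSHOT`, the output is the list of entries whose remediation clock started since the last run; a private organization applying the article's flat 14-day target can ignore the six-month branch, which exists only to mirror the directive.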

The Private Sector Follows

The most significant impact of the KEV catalog may be its adoption by organizations with no legal obligation to follow it. Private sector security teams increasingly treat KEV-listed vulnerabilities as their highest priority, using the catalog as a decision filter that cuts through the noise of the 130+ new CVEs disclosed daily.

The results are measurable. Organizations that adopt KEV-based prioritization remediate listed vulnerabilities 3.5 times faster than non-KEV vulnerabilities. The catalog functions as a curated signal in a sea of vulnerability noise, answering the question that matters most to defenders: “Is someone actually exploiting this right now?”

CISA has explicitly encouraged this adoption, stating that while BOD 22-01 applies only to FCEB agencies, it strongly urges all organizations to prioritize KEV catalog remediation as part of their vulnerability management practice. Many security vendors have integrated KEV status into their products, automatically flagging and escalating KEV-listed vulnerabilities.

The Numbers That Should Alarm Every CISO

Despite the catalog’s effectiveness as a prioritization tool, the remediation reality across most organizations remains dire. According to the 2026 Vulnerability Report, 53% of organizations have at least one open internet-facing vulnerability, and 22% have more than 1,000 unpatched internet-facing vulnerabilities.

The median time organizations take to close half of their internet-facing vulnerabilities (the remediation half-life) is approximately 361 days. Sector-specific figures are worse: utilities average 270 days, healthcare 519 days, and education 577 days. Yet exploitation often occurs within zero to five days of disclosure.

The zero-day threat is accelerating. Zero-day exploitation increased 46% in the first half of 2025, and 32.1% of newly exploited CVEs showed exploitation on or before the day they were publicly disclosed. Attackers are weaponizing vulnerabilities faster than defenders can patch them, creating a structural disadvantage that no amount of patching speed can fully overcome.

Ransomware Groups as KEV Drivers

The intersection of KEV-listed vulnerabilities and ransomware is significant. Of the 1,484 catalog entries, 304 vulnerabilities (20.5%) have been exploited by ransomware groups. CISA specifically flagged 24 of the 245 vulnerabilities added in 2025 as having confirmed ransomware exploitation.

This linkage between the KEV catalog and ransomware campaigns reinforces the catalog’s value as a defensive tool. When a vulnerability appears on the KEV list, it is not a theoretical risk. It is a confirmed weapon in active use, often by financially motivated criminal organizations with the resources and motivation to exploit it at scale.

For organizations evaluating their patch prioritization strategy, the KEV catalog provides a clear answer: if CISA says it is being exploited, treat it as an incident in progress rather than a vulnerability to schedule for the next maintenance window.

What the Catalog Cannot Fix

The KEV catalog excels at answering “what to patch first” but cannot solve the structural challenges behind vulnerability management. Many organizations lack the staff, tooling, or change management processes to patch critical systems within two weeks, let alone 48 hours. Legacy systems running end-of-life software cannot be patched at all.

The catalog also addresses only known, disclosed vulnerabilities. The 46% increase in zero-day exploitation means a growing share of attacks leverage vulnerabilities that have no CVE, no patch, and no KEV listing when the attack begins. The catalog is a necessary component of modern vulnerability management, but it is not sufficient on its own.

What the KEV catalog has accomplished is more fundamental: it has shifted the conversation from “how severe could this be in theory” to “is this being exploited right now.” That reframing, simple as it sounds, has made vulnerability management more rational, more urgent, and more effective for every organization willing to listen.


Frequently Asked Questions

What is the CISA KEV catalog and who must follow it?

The Known Exploited Vulnerabilities (KEV) catalog is a publicly maintained list of software vulnerabilities confirmed to be under active exploitation. Under Binding Operational Directive 22-01, US federal civilian agencies must patch KEV-listed vulnerabilities within 14 days. While private organizations have no legal mandate, many adopt KEV prioritization voluntarily because it focuses patching on confirmed threats rather than theoretical risk scores.

How fast are attackers exploiting new vulnerabilities compared to defenders patching them?

The gap is severe. In the first half of 2025, 32.1% of newly exploited CVEs were weaponized on or before public disclosure day, and zero-day exploitation surged 46%. Meanwhile, the median time for organizations to close half their internet-facing vulnerabilities is 361 days, with healthcare averaging 519 days and education 577 days. This creates a structural advantage for attackers.

How can organizations outside the US benefit from the CISA KEV catalog?

The catalog is freely accessible at cisa.gov and applies to all software, not just US-specific systems. Any organization can integrate KEV status into their vulnerability scanner to automatically escalate confirmed exploited vulnerabilities. Organizations using KEV-based prioritization remediate flagged vulnerabilities 3.5x faster than those using traditional CVSS scoring alone, making it the most cost-effective improvement available to any security team.
