The KEV catalogue — short for Known Exploited Vulnerabilities — is a public list run by the US cyber agency CISA. It only includes software flaws that are confirmed to be used in real attacks, not just ones that could theoretically be exploited someday. It’s in the news twice over: a new US directive now uses the KEV list to trigger 72-hour patch deadlines for government agencies, as reported by BleepingComputer, and a SolarWinds Serv-U flaw was just added to the list after evidence of active exploitation, as reported by The Hacker News.
Why it matters right now
Tens of thousands of software vulnerabilities get reported every year, and most are never used in a real attack. Think of it as the difference between a list of every pothole in the country and a list of the roads where cars are actually crashing. The KEV catalogue is the second list — and that makes it the patching to-do list that actually matters.
What it means for your business
The catalogue is free and public, and good IT providers already use it. The practical question to ask yours: do you prioritise patching based on what’s actively being exploited, or only on CVSS severity scores? A “critical” flaw nobody is using can matter less than a “high” one that’s feeding ransomware attacks this week, and the KEV catalogue flags both active exploitation and known ransomware use for every entry.
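As an added illustration (not code from the original article or from any vendor), the script below shows what “risk-based” ordering looks like in practice: scanner findings are sorted KEV-first, with known-ransomware entries ahead of the rest and CISA’s own due date breaking ties, and only then by CVSS score. The field names (`cveID`, `dueDate`, `knownRansomwareCampaignUse`) follow the real CISA KEV JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but the catalogue snapshot and scan results embedded here are constructed sample data with placeholder CVE identifiers, and the `cvss_order` comparison function is hypothetical, included only to contrast severity-only ordering.

```python
"""Order patching by active exploitation (KEV) first, CVSS severity second."""
import json
from datetime import date

# Constructed snapshot in the shape of CISA's KEV feed, trimmed to the fields
# used below. The CVE IDs are placeholders, not real catalogue entries.
KEV_SNAPSHOT = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-1999-99901", "vendorProject": "ExampleCo", "product": "FileServer",
         "dateAdded": "2025-01-10", "dueDate": "2025-01-31",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1999-99902", "vendorProject": "ExampleCo", "product": "VPN Gateway",
         "dateAdded": "2025-01-20", "dueDate": "2025-02-10",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed vulnerability-scanner output: one finding per host/CVE pair.
SCAN_FINDINGS = [
    {"host": "web01", "cve": "CVE-1999-99903", "cvss": 9.8},  # critical, not in KEV
    {"host": "fs01",  "cve": "CVE-1999-99901", "cvss": 7.5},  # high, KEV + ransomware
    {"host": "vpn01", "cve": "CVE-1999-99902", "cvss": 8.1},  # high, KEV
    {"host": "web01", "cve": "CVE-1999-99904", "cvss": 5.3},  # medium, not in KEV
]


def load_kev(raw_json):
    """Index the KEV feed by CVE ID for O(1) membership checks."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def priority_key(finding, kev):
    """Sort key: (tier, due-date ordinal, -cvss).

    Tier 0 = in KEV with known ransomware use, tier 1 = in KEV, tier 2 = not in KEV.
    Within a KEV tier the earliest CISA due date wins; CVSS only breaks remaining ties.
    """
    entry = kev.get(finding["cve"])
    if entry is None:
        return (2, 0, -finding["cvss"])
    tier = 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
    return (tier, date.fromisoformat(entry["dueDate"]).toordinal(), -finding["cvss"])


def risk_based_order(findings, kev):
    """CVE IDs in the order a KEV-aware patch programme would work them."""
    return [f["cve"] for f in sorted(findings, key=lambda f: priority_key(f, kev))]


def cvss_order(findings):
    """Hypothetical severity-only ordering, for comparison."""
    return [f["cve"] for f in sorted(findings, key=lambda f: -f["cvss"])]


def overdue(kev, today):
    """KEV entries whose CISA due date has already passed as of `today`."""
    return sorted(c for c, v in kev.items() if date.fromisoformat(v["dueDate"]) < today)


if __name__ == "__main__":
    kev = load_kev(KEV_SNAPSHOT)
    print("severity-only:", cvss_order(SCAN_FINDINGS))
    print("risk-based:   ", risk_based_order(SCAN_FINDINGS, kev))
    print("overdue:      ", overdue(kev, date(2025, 2, 1)))
```

Run against the sample data, the severity-only list puts the unexploited 9.8 first, while the risk-based list moves the 7.5 ransomware-linked flaw to the top of the queue, which is the distinction the question above is asking your provider about. In a real deployment you would replace the constructed snapshot with the downloaded feed and the findings with your scanner’s export.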
It’s the approach we take with our own clients — risk-based patching is built into our managed cybersecurity services.