What is CISA KEV?
The Known Exploited Vulnerabilities (KEV) catalog is maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). It lists vulnerabilities that are actively being exploited by attackers in the wild: not theoretical risks, but real attacks happening now.
What is BOD 22-01?
Binding Operational Directive 22-01 requires all U.S. federal agencies to remediate KEV vulnerabilities within the specified deadline. While private organizations aren't legally bound, security experts strongly recommend treating KEV as your highest patching priority.
What Does "Days Left" Mean?
This is the number of days until the CISA remediation deadline. Federal agencies must patch by this date. For private organizations, consider this your maximum acceptable timeframe; attackers are actively exploiting these vulnerabilities.
Overdue = Past deadline. These vulnerabilities should have been patched already. Immediate action required.
What is EPSS?
The Exploit Prediction Scoring System (EPSS) estimates the probability (0-100%) that a vulnerability will be exploited in the next 30 days. Higher EPSS = more likely to be attacked soon.
- EPSS > 70%: Critical - Very likely to be exploited
- EPSS 40-70%: High - Significant risk
- EPSS 10-40%: Medium - Moderate risk
- EPSS < 10%: Lower - Still on KEV, patch soon
Priority Ranking
CVEPulse ranks vulnerabilities by urgency using:
- Overdue status (highest priority)
- Days until deadline (fewer = more urgent)
- EPSS score (higher = more urgent)
- Recency (newly added = more urgent)
- Your watchlist (matching vendors prioritized)
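The ranking factors above can be sketched as a sort key. This is an added example, not CVEPulse's own code: the page does not say how the factors are weighted, so the strict tie-break order below is an assumption, as are the helper names, the sample records, and the handling of the band edges (40% and 70% are treated as High, 10% as Medium).

```python
from datetime import date

# Constructed sample records, not real catalog data. Field names follow the
# CISA KEV JSON feed; "epss" is the EPSS probability as a 0-1 float that the
# caller has merged in from an EPSS lookup.
SAMPLE = [
    {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "dateAdded": "2024-05-01", "dueDate": "2024-05-22", "epss": 0.05},
    {"cveID": "CVE-0000-0002", "vendorProject": "VendorB", "dateAdded": "2024-05-20", "dueDate": "2024-06-10", "epss": 0.92},
    {"cveID": "CVE-0000-0003", "vendorProject": "VendorC", "dateAdded": "2024-05-20", "dueDate": "2024-06-10", "epss": 0.30},
    {"cveID": "CVE-0000-0004", "vendorProject": "VendorD", "dateAdded": "2024-05-28", "dueDate": "2024-06-18", "epss": 0.95},
    {"cveID": "CVE-0000-0005", "vendorProject": "VendorE", "dateAdded": "2024-05-20", "dueDate": "2024-06-10", "epss": 0.30},
]
TODAY = date(2024, 6, 1)  # fixed so the example is reproducible

def days_left(entry, today):
    """Days until the remediation deadline; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - today).days

def epss_band(p):
    """Map an EPSS probability (0-1) to the bands listed on this page."""
    if p > 0.70:
        return "Critical"
    if p >= 0.40:
        return "High"
    if p >= 0.10:
        return "Medium"
    return "Lower"

def rank(entries, today, watchlist=()):
    """Most urgent first, comparing the page's factors in the order listed."""
    watch = {v.lower() for v in watchlist}
    def key(e):
        left = days_left(e, today)
        age = (today - date.fromisoformat(e["dateAdded"])).days
        return (
            left >= 0,                                # overdue sorts first
            left,                                     # fewer days left first
            -e["epss"],                               # higher EPSS first
            age,                                      # newly added first
            e["vendorProject"].lower() not in watch,  # watchlist match first
        )
    return sorted(entries, key=key)

if __name__ == "__main__":
    for e in rank(SAMPLE, TODAY, watchlist=["VendorE"]):
        print(e["cveID"], days_left(e, TODAY), epss_band(e["epss"]))
```

Note that the overdue entry ranks first even though its EPSS is in the lowest band, while the entry with the highest EPSS ranks last because its deadline is furthest away.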
Learn More
- CISA KEV Catalog
- BOD 22-01 Directive
- FIRST EPSS Documentation