CISA KEV in 2025: What the Five-Day Exploitation Window Means for Developers
CISA's Known Exploited Vulnerabilities catalog added 187 entries in the past 12 months. The median time from CVE disclosure to active exploitation has dropped to 5 days. Here's what that means for development teams.
The KEV Catalog Is the Ground Truth for Exploitation
CISA's Known Exploited Vulnerabilities (KEV) catalog is the closest thing the industry has to a confirmed exploitation signal. CVSS scores rate a vulnerability's technical severity, not whether anyone is using it; EPSS scores estimate the probability that it will be exploited in the next 30 days. A KEV entry means CISA has reliable evidence that the vulnerability is being exploited in the wild. Admission also requires an assigned CVE ID and a clear remediation action, so KEV is a floor rather than a census: exploited bugs with no CVE or no available fix do not appear in it.
As of May 2026, the catalog contains over 1,200 entries. 187 were added in the past 12 months. The velocity is increasing, and the composition is shifting in ways that directly affect development teams.
Exploitation Is Getting Faster
The median time between CVE disclosure and observed exploitation has dropped to approximately 5 days for KEV entries added in 2025-2026. For comparison, the same metric was 14 days in 2023 and 30+ days in 2021.
This compression means the traditional patch cycle (CVE published, patch released, change request filed, patch scheduled, patch applied) no longer fits within the exploitation window for actively exploited vulnerabilities.
Web Application Vulnerabilities Are Overrepresented
Analyzing KEV entries by CWE category reveals that web application vulnerabilities are disproportionately represented relative to their share of the overall CVE database:
| CWE Category | % of All CVEs | % of KEV Entries |
|---|---|---|
| CWE-79 (XSS) | 18% | 8% |
| CWE-89 (SQL Injection) | 7% | 12% |
| CWE-78 (Command Injection) | 3% | 11% |
| CWE-22 (Path Traversal) | 4% | 9% |
| CWE-287 (Improper Authentication) | 3% | 8% |
SQL injection appears in KEV at roughly 1.7x its share of all CVEs, path traversal and improper authentication at 2-3x, and command injection at nearly 4x, because these CWEs give an attacker reliable, remotely triggerable access to the server: exactly what initial compromise needs. XSS, the most common web CWE by volume, is underrepresented by the same logic; it needs a victim to interact and yields a browser session rather than a foothold on the host.
The Supply Chain Entries
KEV increasingly includes vulnerabilities in code that organizations did not write themselves. The XZ Utils backdoor (CVE-2024-3094) was a deliberate implant planted upstream in a widely shipped dependency. MOVEit Transfer (CVE-2023-34362) and several Confluence and other Atlassian server vulnerabilities were ordinary bugs in third-party platforms that organizations deploy and expose. In all of these cases the vulnerable code was a dependency or platform component, not the application itself.
For development teams, this means dependency monitoring is now an operational security requirement, not a compliance checkbox. A KEV entry for a transitive dependency is an active exploitation signal that demands same-day response.
BOD 22-01 and Federal Remediation Timelines
Binding Operational Directive 22-01 requires federal civilian executive branch agencies to remediate each KEV entry by the due date CISA publishes alongside it. The directive's text set two weeks for vulnerabilities with CVE IDs assigned in 2021 or later (six months for older ones); in practice the due date field in the catalog is what agencies are measured against, typically around three weeks from the date added and shorter for the most urgent entries. The directive does not distinguish internet-facing from internal systems. Federal contractors and FedRAMP-authorized services are generally expected to match these timelines.
For development teams building government-facing products, a KEV entry affecting your dependency tree is not a "patch when convenient" item. It's a compliance clock that starts the day CISA adds the entry.
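The two points above, a KEV match on a transitive dependency and the due-date clock that starts on the date CISA adds the entry, are easy to automate against the feed CISA publishes. The script below is an added example written for this article, not Deva's code or CISA tooling. It uses the real field names of the KEV JSON feed (`vulnerabilities[]` with `cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`, `cwes`), but the feed contents, the finding list, the package names and the placeholder IDs `CVE-2026-0000` and `CVE-2025-9999` are constructed sample data, not live catalog content; the dates on the MOVEit entry are illustrative.

```python
"""Cross-reference scanner findings with the CISA KEV feed and compute the
BOD 22-01 remediation clock for each match.

Added example; not Deva's code. Field names follow the real KEV JSON feed,
but every entry and finding below is constructed sample data.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the shape of the real feed published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# (download it on a schedule and pass its text to load_kev()). Dates are
# illustrative; CVE-2026-0000 is a placeholder ID, not a real CVE.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.05.18",
    "dateReleased": "2026-05-18T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
         "vulnerabilityName": "Progress MOVEit Transfer SQL Injection Vulnerability",
         "dateAdded": "2023-06-02", "dueDate": "2023-06-23",
         "shortDescription": "SQL injection allowing unauthenticated database access.",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-89"]},
        {"cveID": "CVE-2026-0000", "vendorProject": "ExampleVendor", "product": "example-http-parser",
         "vulnerabilityName": "Placeholder command injection entry",
         "dateAdded": "2026-05-15", "dueDate": "2026-06-05",
         "shortDescription": "Placeholder entry used only for this example.",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-78"]},
    ],
})

# Constructed scanner output: one row per (package, CVE), flagging whether the
# package is a direct dependency or pulled in transitively. CVE-2025-9999 is a
# placeholder for a finding that is NOT in KEV.
FINDINGS = [
    {"package": "moveit-transfer", "version": "2023.0.1", "cve": "CVE-2023-34362", "direct": True},
    {"package": "example-http-parser", "version": "4.1.7", "cve": "CVE-2026-0000", "direct": False},
    {"package": "left-pad-ish", "version": "0.9.1", "cve": "CVE-2025-9999", "direct": False},
]

TODAY = date(2026, 5, 18)  # fixed so the sample output is deterministic


@dataclass
class KevHit:
    cve: str
    package: str
    transitive: bool
    date_added: date
    due_date: date
    days_left: int  # negative once the CISA due date has passed
    ransomware: bool
    required_action: str


def load_kev(feed_text: str) -> dict:
    """Index a KEV feed (JSON text) by CVE ID. A truncated download would
    silently match nothing, so check the feed's own count first."""
    feed = json.loads(feed_text)
    entries = feed["vulnerabilities"]
    if "count" in feed and feed["count"] != len(entries):
        raise ValueError("KEV feed count does not match entry list; refusing truncated feed")
    return {e["cveID"]: e for e in entries}


def triage(findings, kev, today: date) -> list:
    """Return only the findings that are in KEV, most urgent first."""
    hits = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # not known-exploited: normal CVSS/EPSS prioritisation applies
        due = date.fromisoformat(entry["dueDate"])
        hits.append(KevHit(
            cve=f["cve"],
            package=f["package"],
            transitive=not f["direct"],
            date_added=date.fromisoformat(entry["dateAdded"]),
            due_date=due,
            days_left=(due - today).days,
            ransomware=entry.get("knownRansomwareCampaignUse") == "Known",
            required_action=entry.get("requiredAction", ""),
        ))
    # Overdue first, then soonest due; ransomware-linked entries win ties.
    hits.sort(key=lambda h: (h.days_left, not h.ransomware))
    return hits


def report(hits) -> list:
    """One human-readable line per hit, in triage order."""
    lines = []
    for h in hits:
        status = f"OVERDUE by {-h.days_left}d" if h.days_left < 0 else f"{h.days_left}d left"
        scope = "transitive" if h.transitive else "direct"
        tag = " [ransomware]" if h.ransomware else ""
        lines.append(f"{h.cve} {h.package} ({scope}) added {h.date_added} "
                     f"due {h.due_date}: {status}{tag} -> {h.required_action}")
    return lines


if __name__ == "__main__":
    for line in report(triage(FINDINGS, load_kev(KEV_FEED_JSON), TODAY)):
        print(line)
```

The transitive flag is carried through deliberately: a KEV hit deep in the tree often cannot be fixed by bumping the package that owns the CVE, only by upgrading or replacing the direct dependency that pulls it in, so the report should tell the on-call engineer which parent to chase. The count check on the feed is the kind of defensive step worth keeping in a scheduled job, since a partially downloaded feed fails open.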
How Deva Addresses KEV Risk
Deva's vulnerability catalog tracks 27K CVEs including full KEV coverage. When a KEV entry matches a package in your dependency tree, the finding is flagged with KEV metadata: date added, known exploitation context, and CISA-specified remediation deadline.
The scanner runs locally, so KEV matching doesn't require network connectivity. The catalog is bundled with the scanner and updated with each release, so air-gapped environments get KEV coverage without fetching CISA's feed at scan time. The trade-off is freshness: the scanner's view of KEV is only as current as its last update, and with the exploitation window measured in days, keeping the scanner itself current is part of the control.
Deva Security Team
Threat research, application security analysis, and defensive engineering insights from the DevSecCode team.