CISA Known Exploitable Vulnerabilities

The CISA Known Exploited Vulnerabilities (KEV) catalog, maintained by the Cybersecurity and Infrastructure Security Agency (CISA), lists vulnerabilities that are actively exploited in the wild. Qualys VMDR incorporates this catalog to help organizations identify and prioritize these high-risk vulnerabilities within their environments.

CISA KEV (Known Exploited Vulnerabilities) Due Dates 

CISA KEV (Known Exploited Vulnerabilities) due dates are specific deadlines for Federal Civilian Executive Branch (FCEB) agencies to remediate vulnerabilities listed in the KEV catalog. While BOD 22-01 applies specifically to FCEB agencies, CISA strongly encourages all organizations to use the KEV catalog to prioritize remediation and improve their security posture. Each vulnerability in the KEV catalog has a designated due date.
 
CISA recommends that all organizations, including those in the private sector, prioritize the remediation of KEV vulnerabilities as part of their vulnerability management plans. 
 
Each vulnerability in the KEV catalog is assigned a specific "Due Date". As per CISA, all federal customers must comply with the timelines at the CVE level. The due date is the deadline by which organizations, especially U.S. federal agencies, must apply mitigations or discontinue the use of affected products if mitigations are unavailable.
 
For example, vulnerabilities added on April 17, 2025, have a due date of May 8, 2025, meaning remediation actions must be completed by that date. This due date is set to ensure timely risk reduction and to protect networks against active threats. The specific due date for each vulnerability, typically about three weeks after the vulnerability is added, can be found in its KEV catalog entry.

Using cisaKEVDueDate Search Token

Here are a few examples of how to use the vulnerabilities.riskFactor.cisaKEVDueDate Search Token.

CISA KEV Past Due 

The following table lists examples of finding vulnerabilities whose CISA KEV due date has already passed: 

Search Token Usage Description
vulnerabilities.riskFactor.cisaKEVDueDate<now-60d

Find vulnerabilities whose CISA KEV due date has already passed by more than 60 days.

For example: If today's date is April 28, 2025, the query will return vulnerabilities with a CISA KEV due date before February 27, 2025, meaning those vulnerabilities should have already been patched and are now 60+ days overdue.

vulnerabilities.riskFactor.cisaKEVDueDate<now-12M or <now-18M

Find vulnerabilities that are overdue for patching based on the CISA KEV list, where the due date is more than 12 months old or more than 18 months old.

For example: If today's date is April 28, 2025, the query will return vulnerabilities with CISA KEV due dates of:

Before April 28, 2024 (for the now-12M condition)

Before October 28, 2023 (for the now-18M condition)

vulnerabilities.riskFactor.cisaKEVDueDate<now-2y

Find vulnerabilities that have a CISA KEV due date that is more than two years overdue.

For example: If today's date is April 28, 2025, the query will return vulnerabilities with a CISA KEV due date before April 28, 2023.

vulnerabilities.riskFactor.cisaKEVDueDate<now

Find vulnerabilities that have missed their patch deadline according to the CISA KEV catalog.

For example: If today's date is April 28, 2025, the query will return all vulnerabilities whose CISA KEV due date is before April 28, 2025.

vulnerabilities.riskFactor.cisaKEVDueDate<2025-01-01

Find vulnerabilities whose CISA KEV due date is before January 1, 2025.

If today's date is April 28, 2025, the query will return vulnerabilities with CISA KEV due dates before January 1, 2025.

CISA KEV Upcoming Expiring

The following table lists examples of finding vulnerabilities whose CISA KEV due date is expiring soon:

Search Token Usage Description
vulnerabilities.riskFactor.cisaKEVDueDate:[now-0d .. now+7d]

Find vulnerabilities whose CISA KEV due date falls within the next seven days, from today to a week from now.

For example: If today's date is April 28, 2025, the query will return vulnerabilities with a CISA KEV due date between today (April 28, 2025) and May 05, 2025. This means these vulnerabilities are due for patching within the next seven days.

vulnerabilities.riskFactor.cisaKEVDueDate:[now-0d .. now+15d]

Find vulnerabilities whose CISA KEV due date falls within the next fifteen days.

For example: If today's date is April 28, 2025, the query will return vulnerabilities with a CISA KEV due date between today (April 28, 2025) and May 13, 2025. This means these vulnerabilities are due for patching within the next fifteen days.
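The date arithmetic behind the past-due and upcoming queries above can be reproduced offline to check which window a given due date falls into. This is an added example, not Qualys code: the resolver's behaviour is inferred from the worked dates on this page, the inclusive range ends and month-end clamping are assumptions, and the sample entries are constructed.

```python
import re
from datetime import date, timedelta

_REL = re.compile(r"^now(?:([+-])(\d+)([dMy]))?$")

def resolve(expr, today):
    """Resolve now, now-60d, now-12M, now-2y, now+7d or YYYY-MM-DD to a date."""
    m = _REL.match(expr)
    if not m:
        return date.fromisoformat(expr)      # absolute date, e.g. 2025-01-01
    if m.group(1) is None:
        return today
    n = int(m.group(2)) * (1 if m.group(1) == "+" else -1)
    if m.group(3) == "d":
        return today + timedelta(days=n)
    idx = today.year * 12 + today.month - 1 + (n * 12 if m.group(3) == "y" else n)
    year, month = idx // 12, idx % 12 + 1
    # Assumption: clamp the day to the end of the target month (31 Mar - 1M -> 28/29 Feb).
    next_first = date(year + (month == 12), month % 12 + 1, 1)
    return date(year, month, min(today.day, (next_first - timedelta(days=1)).day))

def bucket(due, today):
    """Map one due date onto the past-due and upcoming windows used on this page."""
    if due < resolve("now-60d", today):
        return "overdue>60d"                 # cisaKEVDueDate<now-60d
    if due < resolve("now", today):
        return "overdue"                     # cisaKEVDueDate<now
    if due <= resolve("now+7d", today):
        return "due<=7d"                     # [now-0d .. now+7d], assumed inclusive
    if due <= resolve("now+15d", today):
        return "due<=15d"                    # [now-0d .. now+15d], assumed inclusive
    return "later"

# Constructed sample entries; cveID and dueDate are field names from the KEV JSON feed.
SAMPLE = [
    {"cveID": "CVE-0000-0001", "dueDate": "2025-02-26"},
    {"cveID": "CVE-0000-0002", "dueDate": "2025-04-10"},
    {"cveID": "CVE-0000-0003", "dueDate": "2025-05-05"},
    {"cveID": "CVE-0000-0004", "dueDate": "2025-05-08"},
    {"cveID": "CVE-0000-0005", "dueDate": "2025-06-30"},
]

def triage(entries, today):
    """Group CVE IDs by the window their due date falls in."""
    groups = {}
    for e in entries:
        key = bucket(date.fromisoformat(e["dueDate"]), today)
        groups.setdefault(key, []).append(e["cveID"])
    return groups
```

Calling `triage(SAMPLE, date(2025, 4, 28))` uses the same reference date as the examples in the tables above.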

CISA KEV Widgets

The CISA KEV widgets display the number of CISA Known Exploited Vulnerabilities (KEV) detected out of the total number of detections. See the "Vulnerability Widgets in Qualys Insights" and "Example: View the list of QIDs with CISA KEV" sections in Qualys Insights.

You can also view the CISA Known Exploitable risk factor in the Top Risk Factors of the TruRisk Score. See the View Asset Details section in Asset Details.

Leverage Search Tokens for Custom Queries

You can also use Search Tokens to create custom queries that filter vulnerabilities based on CISA KEV status or date, which aids targeted remediation efforts.

To learn how to use these tokens, see here.

Search Tokens Description
vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVuln
The CISA KEV catalog includes the vulnerability, indicating that it is currently being actively exploited.

vulnerabilities.riskFactor.cisaKEVDueDate
The due date set by CISA by which the vulnerability must be patched.

vulnerabilities.riskFactor.cisaKnownExploits
There are known exploits for this vulnerability (even if it's not on KEV).
