FAQ

The KEV (Known Exploited Vulnerabilities) list published by CISA identifies vulnerabilities that are actively exploited in the wild, meaning they are already being used in real-world cyberattacks. The purpose of this list is to help organizations prioritize their remediation efforts by focusing on the flaws that present an immediate threat.

By publishing this list, CISA provides a very practical risk management tool: it highlights not only known flaws, but also the most critical and urgent ones. For U.S. federal agencies, remediation of these flaws is mandatory within strict deadlines. Beyond the U.S., the KEV list is widely consulted by cybersecurity professionals worldwide to guide their patch management strategies.

A CVE is simply a public declaration that a flaw exists in a given product, whereas an exploited vulnerability means that an attacker is actively using that flaw to compromise systems. In other words, not all CVEs are exploited in real-world conditions—some may remain theoretical or technical.

Conversely, a vulnerability can be exploited without yet having received a CVE—this is known as a zero-day. To assess the real danger of a CVE, one should consult additional information such as CISA’s KEV data or the EPSS score, which indicate whether the flaw is actively used in cyberattacks. This information is available directly on our CVEFind website.

No, the existence of a CVE does not guarantee that a fix is available. A CVE may be published before a vendor has developed a fix, or even in cases where no fix is planned (e.g., for obsolete or unsupported software). In such situations, users must implement workarounds or disable certain vulnerable features.

It is therefore essential not to rely solely on CVEs, but also to check vendor advisories and databases like the NVD or the KEV list, which may indicate whether a patch exists and when it is expected. Good risk management takes into account both the severity of the flaw and the availability of solutions.