CISA KEV and ICS Advisories: What OT Operators Need to Know

2026-06-03 · Nicki Rough

What the KEV Catalogue Is

CISA's Known Exploited Vulnerabilities (KEV) catalogue is a list of CVEs that have confirmed evidence of active exploitation in the wild. Not theoretical exploitation. Not proof-of-concept code on GitHub. Actual, observed attacks.

That distinction matters. The standard advisory pipeline produces thousands of ICS CVEs a year, most of which carry a severity score but no evidence that anyone has ever weaponised them. The KEV catalogue is a much shorter list of vulnerabilities where the threat is no longer hypothetical — someone has used these against real targets.

As of mid-2026 the catalogue contains several hundred entries spanning a wide range of software and hardware, including a meaningful number of ICS and OT-related entries. Siemens, Schneider Electric, Rockwell Automation, and Mitsubishi Electric products have all appeared in the KEV at various points. These aren't just obscure legacy systems — some involve widely-deployed PLCs, HMIs, and industrial networking equipment.

How ICS Vulnerabilities End Up in KEV

CISA adds a CVE to the KEV when there is reliable evidence of exploitation. That evidence typically comes from government threat intelligence, incident reports, or trusted partner reporting. It doesn't require a public disclosure of a specific incident — CISA may be tracking exploitation that hasn't hit the news.

For ICS-specific entries, this often means one of a few scenarios: a threat actor is scanning for and exploiting a known vulnerability opportunistically (common with remotely accessible HMIs and remote access software); a more targeted campaign is going after industrial systems in a specific sector; or a vulnerability has been incorporated into malware or exploit toolkits used against OT environments.

The Cybersecurity Advisory pipeline (ICS-CERT advisories, published at cisa.gov/ics) covers the broader set of disclosed vulnerabilities. KEV is the subset where you can't treat the risk as theoretical anymore.

Why KEV Entries Deserve Different Treatment

Most ICS advisory workflows treat CVE severity (the CVSS score) as the primary triage signal. CVSS has real limitations in OT contexts — a vulnerability scored 9.8 because it's remotely exploitable and unauthenticated may still have near-zero real-world risk if the affected device is on an isolated network with no external access. Conversely, a moderate CVSS score doesn't tell you whether that CVE is being actively used against your industry.

KEV entries shift the calculus. When a vulnerability is in the KEV catalogue, you know the threat model isn't hypothetical. That changes the urgency — even if you can't patch immediately (and in OT, you often can't), you need to understand your exposure and put compensating controls in place.

For federal civilian agencies in the US, the stakes are explicit: CISA's Binding Operational Directive 22-01 requires federal agencies to remediate KEV entries within defined deadlines (typically 2-3 weeks, sometimes shorter). NERC CIP has its own patch management timelines for bulk electric system assets. For everyone outside those frameworks, the KEV isn't a regulatory mandate — but treating it as a higher-priority triage category is straightforward good practice.

What to Actually Do When You Have a KEV Match

If a vulnerability in the KEV matches something on your watchlist — a vendor you use, a product you've deployed — the process should be:

1. Check whether the specific version you're running is affected (vendor advisories usually list affected firmware/software versions)

2. Check whether the affected component is network-accessible, and if so, from where

3. If accessible, implement or verify network-level mitigations immediately — firewall rules, disabling unused services, isolating the affected device — while you work through the patching process

4. Document your assessment and what you've done, with dates

The patching process in OT takes time. That's reality. The compensating controls step is not optional while you're waiting for a maintenance window.

How OTWarden Handles KEV

OTWarden monitors the CISA KEV catalogue alongside standard ICS advisories and vendor feeds. When an advisory on your watchlist has a CVE that's been added to the KEV, that's flagged in the alert — so you can see at a glance whether you're dealing with a disclosed vulnerability or one with confirmed exploitation.

EPSS (Exploit Prediction Scoring System) scores are also included in OTWarden alerts. EPSS estimates the probability that a CVE will be exploited in the next 30 days, based on a range of signals. Read alongside KEV status, it gives a more complete picture of actual risk than CVSS alone.

The goal isn't to generate more alerts — it's to make sure the ones that genuinely need immediate attention are clearly distinguishable from the ones that can go into the normal patch cycle.
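As an added example (not OTWarden's code), the triage described here and in the four-step process above, in Python: KEV status and network exposure decide the tier first, EPSS second, CVSS last. The KEV feed sample uses the field names of the published catalogue JSON, but its CVE IDs, vendor and products are placeholders, and the EPSS values and asset inventory are constructed.

```python
import json
from dataclasses import dataclass

# Constructed sample of the CISA KEV JSON feed. Field names follow the published
# catalogue schema; the CVE IDs, vendor and products are placeholders, not real entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-1111", "vendorProject": "ExampleVendor", "product": "ExamplePLC",
     "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
    {"cveID": "CVE-0000-2222", "vendorProject": "ExampleVendor", "product": "ExampleHMI",
     "dateAdded": "2026-05-27", "dueDate": "2026-06-03"}]})
# Constructed EPSS scores: estimated probability of exploitation in the next 30 days.
EPSS_SAMPLE = {"CVE-0000-1111": 0.12, "CVE-0000-2222": 0.81, "CVE-0000-3333": 0.02}
TIER_ORDER = ["IMMEDIATE", "HIGH", "ELEVATED", "NORMAL"]

@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    exposure: str  # "isolated", "plant_lan" or "remote": the answer to step 2 above

def load_kev(feed_json: str) -> dict:
    """Index KEV entries by CVE ID so a watchlist match is a single lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def triage(f: Finding, kev: dict, epss: dict, epss_threshold: float = 0.5) -> tuple:
    """Return (tier, reason): KEV status and exposure decide first, EPSS next, CVSS last."""
    if f.cve in kev and f.exposure != "isolated":
        due = kev[f.cve]["dueDate"]
        return ("IMMEDIATE", f"KEV entry reachable: network mitigations now, patch by {due}")
    if f.cve in kev:
        return ("HIGH", "KEV entry but isolated: verify isolation, patch at next window")
    if epss.get(f.cve, 0.0) >= epss_threshold:
        return ("ELEVATED", f"EPSS {epss[f.cve]:.2f} above threshold: pull forward in cycle")
    if f.cvss >= 9.0 and f.exposure == "remote":
        return ("ELEVATED", "critical CVSS on a remote-reachable asset")
    return ("NORMAL", "standard patch cycle")

def rank(findings: list, kev: dict, epss: dict) -> list:
    """Order (finding, tier, reason) rows so the ones needing attention today come first."""
    rows = [(f, *triage(f, kev, epss)) for f in findings]
    return sorted(rows, key=lambda row: TIER_ORDER.index(row[1]))

if __name__ == "__main__":  # constructed inventory covering each branch
    inventory = [Finding("PLC-07", "CVE-0000-1111", 7.5, "isolated"),
                 Finding("HMI-02", "CVE-0000-2222", 8.1, "remote"),
                 Finding("SW-11", "CVE-0000-3333", 9.8, "plant_lan")]
    for f, tier, reason in rank(inventory, load_kev(KEV_SAMPLE), EPSS_SAMPLE):
        print(f"{tier:9} {f.asset:7} {f.cve}  {reason}")
```

Note that the CVSS 9.8 finding lands in the normal cycle because it is neither in KEV nor remote-reachable, which is exactly the CVSS limitation the article describes; adjust the thresholds and exposure classes to your own network model.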
