The KEV Is a Confession, Read It That Way
Every entry in the CISA Known Exploited Vulnerabilities catalog is a confirmed statement: CISA has reliable evidence that this is being used against real targets. It is the cleanest prioritization signal a defender gets for free. And yet most teams treat it as a newsletter instead of a work queue. Here is how an operator reads it.
Triage Math, Not Vibes
You will always have more flagged CVEs than capacity. So you score, and you sequence. A workable model:
KEVScore = (Exploited × 10) # KEV entry = automatic floor of 10
+ (InternetReachable × 4) # attacker can touch it without a foothold
+ (AssetCriticality × 3) # DC, identity provider, OT gateway
+ (CVSS × 0.5) # severity as a tiebreaker, not the driver
- (Mitigated × 8) # compensating control already in place
Notice what dominates: exploited in the wild and internet-reachable. A CVSS 10 with no public exploit loses to a CVSS 7 that attackers are spraying today: with both internet-reachable and nothing else in their favor, the model above scores them 9 and 17.5. The KEV is what tells you which is which.
For anything internet-facing, your patch window is not the federal three weeks. Mass scanning for a fresh KEV entry typically begins within a day, and working exploits reach commodity kits within about seventy-two hours. Treat external exposure as a 72-hour clock that starts on the day the entry is added.
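The scoring model and the 72-hour clock above, carried through as an added example (this is not code from the original page). The KEV entries are constructed samples in the shape of the CISA feed with placeholder IDs and dates, the inventory and its criticality flags are assumptions, and AssetCriticality is treated as a 0/1 flag. It scores each finding, gives internet-facing KEV items a 72-hour deadline from dateAdded and everything else the catalog's own dueDate, and sorts the result into a work queue.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed KEV entries using the CISA feed's field names. The IDs and
# dates are placeholders for illustration, not real catalog entries.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2024-06-03", "dueDate": "2024-06-24"},
        {"cveID": "CVE-0000-0002", "dateAdded": "2024-06-10", "dueDate": "2024-07-01"},
    ]
}


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    internet_reachable: bool
    critical_asset: bool   # DC, identity provider, OT gateway (assumed 0/1 flag)
    mitigated: bool        # compensating control already in place


# Constructed inventory: one row per (asset, CVE) pair a scanner reports.
INVENTORY = [
    Finding("vpn-edge-01", "CVE-0000-0001", 7.2, True, False, False),
    Finding("web-portal", "CVE-0000-9999", 10.0, True, False, False),  # not in KEV
    Finding("ot-gw-02", "CVE-0000-0002", 9.8, False, True, True),       # mitigated
    Finding("fileshare-7", "CVE-0000-0002", 8.8, False, False, False),
]

INTERNET_FACING_CLOCK = timedelta(hours=72)


def kev_index(feed):
    """Map cveID -> entry for a KEV-shaped feed."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def kev_score(f, kev):
    """The page's KEVScore model: exploitation and reachability dominate."""
    return (10 * (f.cve in kev)
            + 4 * f.internet_reachable
            + 3 * f.critical_asset
            + 0.5 * f.cvss
            - 8 * f.mitigated)


def _utc_date(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def deadline(f, kev):
    """72 hours from dateAdded for internet-facing KEV items; the catalog's
    dueDate otherwise; None when the CVE is not in the KEV at all."""
    entry = kev.get(f.cve)
    if entry is None:
        return None
    if f.internet_reachable:
        return _utc_date(entry["dateAdded"]) + INTERNET_FACING_CLOCK
    return _utc_date(entry["dueDate"])


def work_queue(inventory, feed):
    """Sequence findings: highest score first, earliest deadline as tie-break.
    Returns a list of (score, deadline, finding)."""
    kev = kev_index(feed)
    rows = [(kev_score(f, kev), deadline(f, kev), f) for f in inventory]
    far_future = datetime.max.replace(tzinfo=timezone.utc)  # non-KEV sorts last on ties
    rows.sort(key=lambda r: (-r[0], r[1] or far_future))
    return rows


if __name__ == "__main__":
    for score, due, f in work_queue(INVENTORY, KEV_SAMPLE):
        due_str = due.strftime("%Y-%m-%d %H:%MZ") if due else "no KEV deadline"
        print(f"{score:5.1f}  {f.asset:12} {f.cve}  due {due_str}")
```

Run it and the CVSS 10 web portal with no KEV entry sorts last at 9.0, behind the CVSS 7.2 VPN finding at 17.6 with a deadline three days after its dateAdded; the mitigated OT gateway lands at 9.9 despite its 9.8 CVSS, which is the compensating-control term doing its job.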
The Pivot That Should Keep You Up at Night
The pattern in the June additions is the same one I have watched mature for years: the IT-to-OT pivot. Operational technology was supposed to be air-gapped. It isn't, and attackers know the chokepoint.
Internet-facing CVE (VPN / web app)
│
▼
IT network (Windows, AD, file shares)
│
▼
Engineering workstation ← the real target
(PLC / HMI / SCADA programming software installed)
│
▼
OT network → physical process
The engineering workstation is the seam. It speaks both networks. It is frequently the worst-patched machine in the building because "you can't take it down." That sentence is exactly why it gets owned. If you run OT, that box is your crown jewel and your weakest link simultaneously. Inventory it, segment it, and monitor it like it is already compromised.
When You Cannot Patch in Time
OT firmware updates can take months and a maintenance window you do not have. KEV exposure does not wait for your change-control calendar. So you compensate:
- Isolate. Move the asset behind strict ingress/egress rules; default-deny everything that is not an operational necessity.
- Allowlist execution on the engineering workstation. Application control turns a delivered payload into a non-event.
- Diode the data flows. Unidirectional gateways for historian-to-IT traffic remove a whole class of inbound risk.
- Instrument it. If you can't patch it, you had better see every packet that touches it.
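To make the isolation bullet concrete, here is an added example (not from the page) of the default-deny posture as an nftables forward policy on a Linux gateway placed between the IT network, the engineering workstation's segment and the OT segment. The interface names, addresses, the jump host and the PLC programming port (TCP/102, ISO-TSAP, chosen as one common case) are assumptions for illustration; substitute the flows your own process actually needs.

```nftables
# Added example, not the page's own configuration. Interfaces, addresses and
# ports below are assumptions: it0 = IT network, ews0 = engineering
# workstation segment, ot0 = OT network.
table inet ews_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny

        ct state established,related accept   # return traffic for allowed sessions
        ct state invalid drop

        # Only the jump host may reach the engineering workstation, and only on RDP.
        iifname "it0" oifname "ews0" ip saddr 10.10.1.5 ip daddr 10.10.5.20 tcp dport 3389 accept

        # Only the engineering workstation may initiate into OT, and only to the
        # PLC programming service (TCP/102 assumed here).
        iifname "ews0" oifname "ot0" ip saddr 10.10.5.20 ip daddr 10.20.0.0/24 tcp dport 102 accept

        # OT never initiates toward IT or the workstation; historian data leaves
        # through the unidirectional gateway instead. Log so you see attempts.
        iifname "ot0" log prefix "ews-isolation OT-initiated " drop

        # Anything else that is not an operational necessity is dropped and logged.
        log prefix "ews-isolation drop " drop
    }
}
```

The point of the explicit logging rules is the fourth bullet: a default-deny policy that silently drops gives you no visibility into who is probing the seam.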
Run the Burn-Down as a Program, Not a Panic
A KEV response is governance, not heroics. Inventory precisely; you cannot remediate what you cannot see. For IT, active discovery is fine; for OT, use passive discovery so you do not knock a PLC offline by scanning it. Cross your inventory against the catalog, sequence by KEVScore, and report compliance weekly until KEV debt (the share of assets still carrying an unremediated catalog entry) is under five percent of your estate.
import requests

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

resp = requests.get(KEV_URL, timeout=30)
resp.raise_for_status()  # fail loudly rather than diff against an error page
kev = resp.json()
kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}

# load_inventory_cves() is your own inventory export: an iterable of the CVE
# IDs your scanners report across the estate.
exposed = [c for c in load_inventory_cves() if c in kev_ids]
print(f"KEV-confirmed and present in our estate: {len(exposed)}")
The Discipline
The KEV rewards the boring virtues: an accurate asset inventory, honest exposure scoring, segmentation that actually limits blast radius, and the institutional willpower to patch internet-facing systems in hours rather than weeks. None of it is clever. All of it is hard. The attackers are counting on you finding it too hard.