performing-cve-prioritization-with-kev-catalog
Leverage the CISA Known Exploited Vulnerabilities catalog alongside EPSS and CVSS to prioritize CVE remediation based on real-world exploitation evidence.
Best use case
performing-cve-prioritization-with-kev-catalog is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using performing-cve-prioritization-with-kev-catalog should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/performing-cve-prioritization-with-kev-catalog/SKILL.md inside your project
- Restart your AI agent; it will auto-discover the skill
Frequently Asked Questions
What does this skill do?
Leverage the CISA Known Exploited Vulnerabilities catalog alongside EPSS and CVSS to prioritize CVE remediation based on real-world exploitation evidence.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Performing CVE Prioritization with KEV Catalog
## Overview
The CISA Known Exploited Vulnerabilities (KEV) catalog, established through Binding Operational Directive (BOD) 22-01, is a living list of CVEs that have been actively exploited in the wild and carry significant risk. As of early 2026, the catalog contains over 1,484 entries, growing 20% in 2025 alone with 245 new additions. This skill covers integrating the KEV catalog into vulnerability prioritization workflows alongside EPSS (Exploit Prediction Scoring System) and CVSS to create a risk-based approach that prioritizes vulnerabilities with confirmed exploitation activity over theoretical severity alone.
## When to Use
- When conducting security assessments that involve CVE prioritization with the KEV catalog
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Access to vulnerability scan results (Qualys, Nessus, Rapid7, etc.)
- Familiarity with CVE identifiers and NVD
- Understanding of CVSS scoring (v3.1 and v4.0)
- API access to CISA KEV, EPSS, and NVD endpoints
- Python 3.8+ with requests and pandas libraries
## Core Concepts
### CISA KEV Catalog Structure
Each KEV entry contains:
- **CVE ID**: The CVE identifier (e.g., CVE-2024-3094)
- **Vendor/Project**: Affected vendor and product name
- **Vulnerability Name**: Short description of the vulnerability
- **Date Added**: When CISA added it to the catalog
- **Short Description**: Brief technical description
- **Required Action**: Recommended remediation action
- **Due Date**: Deadline for Federal Civilian Executive Branch (FCEB) agencies to remediate
- **Known Ransomware Campaign Use**: Whether ransomware groups exploit it
### BOD 22-01 Remediation Timelines
| CVE Publication Date | Remediation Deadline |
|----------------------|---------------------|
| 2021 or later | 2 weeks from KEV listing |
| Before 2021 | 6 months from KEV listing |
### Multi-Factor Prioritization Model
| Factor | Weight | Data Source | Rationale |
|--------|--------|-------------|-----------|
| CISA KEV Listed | 30% | CISA KEV JSON feed | Confirmed active exploitation |
| EPSS Score | 25% | FIRST EPSS API | Predicted exploitation probability |
| CVSS Base Score | 20% | NVD API v2.0 | Intrinsic vulnerability severity |
| Asset Criticality | 15% | CMDB/Asset inventory | Business impact context |
| Network Exposure | 10% | Network architecture | Attack surface accessibility |
### KEV + EPSS Decision Matrix
| KEV Listed | EPSS > 0.5 | CVSS >= 9.0 | Priority | SLA |
|------------|-----------|-------------|----------|-----|
| Yes | Any | Any | P1-Emergency | 48 hours |
| No | Yes | Yes | P1-Emergency | 48 hours |
| No | Yes | No | P2-Critical | 7 days |
| No | No | Yes | P2-Critical | 7 days |
| No | No | No (>= 7.0) | P3-High | 14 days |
| No | No | No (>= 4.0) | P4-Medium | 30 days |
| No | No | No (< 4.0) | P5-Low | 90 days |
## Workflow
### Step 1: Fetch and Parse the KEV Catalog
```python
import requests

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"


def fetch_kev_catalog():
    """Download and parse the CISA KEV catalog into a dict keyed by CVE ID."""
    response = requests.get(KEV_URL, timeout=30)
    response.raise_for_status()
    data = response.json()
    catalog = {}
    for vuln in data.get("vulnerabilities", []):
        cve_id = vuln["cveID"]
        # Field names follow the CISA JSON feed; values default to "" if absent
        catalog[cve_id] = {
            "vendor": vuln.get("vendorProject", ""),
            "product": vuln.get("product", ""),
            "name": vuln.get("vulnerabilityName", ""),
            "date_added": vuln.get("dateAdded", ""),
            "description": vuln.get("shortDescription", ""),
            "action": vuln.get("requiredAction", ""),
            "due_date": vuln.get("dueDate", ""),
            "ransomware_use": vuln.get("knownRansomwareCampaignUse", "Unknown"),
        }
    print(f"[+] Loaded {len(catalog)} CVEs from CISA KEV catalog")
    print(f"    Catalog version: {data.get('catalogVersion', 'N/A')}")
    print(f"    Last updated: {data.get('dateReleased', 'N/A')}")
    return catalog


kev = fetch_kev_catalog()
```
### Step 2: Enrich with EPSS Scores
```python
import requests

EPSS_API = "https://api.first.org/data/v1/epss"


def get_epss_scores(cve_list):
    """Fetch EPSS scores for a batch of CVEs, keyed by CVE ID."""
    scores = {}
    batch_size = 100  # the API takes comma-separated IDs; batching keeps URLs short
    for i in range(0, len(cve_list), batch_size):
        batch = cve_list[i:i + batch_size]
        cve_param = ",".join(batch)
        response = requests.get(EPSS_API, params={"cve": cve_param}, timeout=30)
        # A failed batch is skipped; its CVEs fall back to EPSS 0 in Step 3
        if response.status_code == 200:
            for entry in response.json().get("data", []):
                scores[entry["cve"]] = {
                    "epss": float(entry.get("epss", 0)),
                    "percentile": float(entry.get("percentile", 0)),
                }
    return scores
```
### Step 3: Build the Prioritization Engine
```python
import pandas as pd


def prioritize_vulnerabilities(scan_results, kev_catalog, epss_scores):
    """Apply multi-factor prioritization to scan results.

    asset_criticality and network_exposure are expected on a 1-5 scale
    (default 3 when the scanner does not supply them).
    """
    prioritized = []
    for vuln in scan_results:
        cve_id = vuln.get("cve_id", "")
        cvss_score = float(vuln.get("cvss_score", 0))
        asset_criticality = float(vuln.get("asset_criticality", 3))
        exposure = float(vuln.get("network_exposure", 3))
        in_kev = cve_id in kev_catalog
        kev_data = kev_catalog.get(cve_id, {})
        epss_data = epss_scores.get(cve_id, {"epss": 0, "percentile": 0})
        epss_score = epss_data["epss"]
        # Composite risk score: each factor is normalized to 0-10, then
        # weighted per the multi-factor model (30/25/20/15/10), so the
        # composite also ranges 0-10
        risk_score = (
            (1.0 if in_kev else 0.0) * 10 * 0.30 +
            epss_score * 10 * 0.25 +
            cvss_score * 0.20 +
            (asset_criticality / 5.0) * 10 * 0.15 +
            (exposure / 5.0) * 10 * 0.10
        )
        # Assign priority level per the KEV + EPSS decision matrix
        if in_kev or (epss_score > 0.5 and cvss_score >= 9.0):
            priority = "P1-Emergency"
            sla_days = 2
        elif epss_score > 0.5 or cvss_score >= 9.0:
            priority = "P2-Critical"
            sla_days = 7
        elif cvss_score >= 7.0:
            priority = "P3-High"
            sla_days = 14
        elif cvss_score >= 4.0:
            priority = "P4-Medium"
            sla_days = 30
        else:
            priority = "P5-Low"
            sla_days = 90
        prioritized.append({
            "cve_id": cve_id,
            "cvss_score": cvss_score,
            "epss_score": round(epss_score, 4),
            "epss_percentile": round(epss_data["percentile"], 4),
            "in_cisa_kev": in_kev,
            "ransomware_use": kev_data.get("ransomware_use", "N/A"),
            "kev_due_date": kev_data.get("due_date", "N/A"),
            "risk_score": round(risk_score, 2),
            "priority": priority,
            "sla_days": sla_days,
            "asset": vuln.get("asset", ""),
            "asset_criticality": asset_criticality,
        })
    df = pd.DataFrame(prioritized)
    df = df.sort_values("risk_score", ascending=False)
    return df
```
### Step 4: Generate Prioritization Report
```python
def generate_report(df, output_file="kev_prioritized_report.csv"):
    """Print a summary of the prioritized DataFrame and save it to CSV."""
    print("\n" + "=" * 70)
    print("VULNERABILITY PRIORITIZATION REPORT - KEV + EPSS + CVSS")
    print("=" * 70)
    print(f"\nTotal vulnerabilities analyzed: {len(df)}")
    print(f"KEV-listed vulnerabilities: {df['in_cisa_kev'].sum()}")
    print(f"Ransomware-associated: {(df['ransomware_use'] == 'Known').sum()}")
    print("\nPriority Distribution:")
    print(df["priority"].value_counts().to_string())
    print("\nTop 15 Highest Risk Vulnerabilities:")
    top = df.head(15)[["cve_id", "cvss_score", "epss_score", "in_cisa_kev",
                       "risk_score", "priority"]]
    print(top.to_string(index=False))
    df.to_csv(output_file, index=False)
    print(f"\n[+] Full report saved to: {output_file}")
```
## Best Practices
1. Update the KEV catalog daily since CISA adds new entries multiple times per week
2. Always cross-reference KEV with EPSS; a CVE may have high EPSS but not yet be in KEV
3. Treat all KEV-listed CVEs as P1-Emergency regardless of CVSS score
4. Pay special attention to KEV entries flagged with "Known Ransomware Campaign Use"
5. Automate KEV comparison against your vulnerability scan results in CI/CD pipelines
6. Track KEV due dates separately for FCEB compliance requirements
7. Use KEV as a leading indicator for threat hunting; if a CVE is added, check for prior exploitation in your environment
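Practices 1, 6 and 7 together amount to one routine: diff the latest catalog against the last run, hand newly listed CVEs that your scanner already sees to the hunt team, and track each one's BOD 22-01 due date. The following is an added example (not part of the skill's own code) that does this on constructed KEV and scanner data using the CISA feed's field names; `PREVIOUS_IDS`, `NEW_CATALOG`, `SCAN_FINDINGS` and the function names are assumptions.

```python
from datetime import date

# Constructed test data (not real KEV entries): CVE IDs seen on the previous
# run, a new snapshot in the CISA feed's field layout, and scanner findings.
PREVIOUS_IDS = {"CVE-2021-0001"}
NEW_CATALOG = {"vulnerabilities": [
    {"cveID": "CVE-2021-0001", "dateAdded": "2025-01-02",
     "dueDate": "2025-01-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-0002", "dateAdded": "2025-03-01",
     "dueDate": "2025-03-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2019-0003", "dateAdded": "2025-03-01",
     "dueDate": "2025-09-01", "knownRansomwareCampaignUse": "Unknown"},
]}
SCAN_FINDINGS = [
    {"cve_id": "CVE-2024-0002", "asset": "vpn-gw-01"},
    {"cve_id": "CVE-2019-0003", "asset": "hr-db-02"},
    {"cve_id": "CVE-2030-9999", "asset": "dev-box-07"},  # not in KEV
]


def new_kev_entries(catalog, previous_ids):
    """Entries added since the last run, ransomware-flagged ones first."""
    added = [v for v in catalog["vulnerabilities"]
             if v["cveID"] not in previous_ids]
    # False sorts before True, so "Known" ransomware use comes first
    return sorted(added,
                  key=lambda v: v["knownRansomwareCampaignUse"] != "Known")


def days_until_due(entry, today_iso):
    """Days left until the KEV due date; negative means already overdue."""
    due = date.fromisoformat(entry["dueDate"])
    return (due - date.fromisoformat(today_iso)).days


def hunt_list(catalog, previous_ids, findings, today_iso):
    """(cve_id, asset, ransomware_use, days_until_due) rows for newly listed
    KEV CVEs present in scan findings: the assets to check for exploitation
    that predates the listing, with the BOD 22-01 due date for FCEB tracking."""
    exposed = {}
    for finding in findings:
        exposed.setdefault(finding["cve_id"], []).append(finding["asset"])
    rows = []
    for entry in new_kev_entries(catalog, previous_ids):
        for asset in exposed.get(entry["cveID"], []):
            rows.append((entry["cveID"], asset,
                         entry["knownRansomwareCampaignUse"],
                         days_until_due(entry, today_iso)))
    return rows
```

Persist the set of CVE IDs from each run (for example, the keys of the Step 1 catalog) as the next run's `previous_ids`, and schedule the job daily so additions are caught within the two-week window for post-2021 CVEs.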
## Common Pitfalls
- Relying solely on CVSS scores without checking KEV or EPSS data
- Not updating the KEV catalog frequently enough (CISA updates multiple times weekly)
- Treating non-KEV CVEs as safe; they may be exploited but not yet cataloged
- Ignoring the "ransomware use" field which indicates highest-urgency threats
- Using KEV only for compliance instead of integrating into overall risk management
## Related Skills
- prioritizing-vulnerabilities-with-cvss-scoring
- building-vulnerability-data-pipeline-with-api
- implementing-threat-intelligence-scoring
- implementing-vulnerability-remediation-sla