Using the CISA KEV Catalog for PKI and ADCS Patch Prioritization
The CISA Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilities that have been confirmed as actively exploited in the wild. For federal agencies, patching KEV entries within the specified due dates is mandatory under BOD 22-01. For private sector organizations, the KEV catalog is the most authoritative signal for patch prioritization. This article covers how to use it effectively for PKI and ADCS environments.
What the CISA KEV Catalog Is
The CISA Known Exploited Vulnerabilities catalog is a curated list of CVEs that CISA has confirmed are being actively exploited in the wild. Each entry includes the CVE ID, vendor, product, vulnerability name, a short description, the date added to the catalog, and a remediation due date.
The catalog is updated continuously — CISA adds new entries as exploitation is confirmed. It is publicly available at cisa.gov/known-exploited-vulnerabilities-catalog and can be downloaded as a JSON or CSV file for integration into vulnerability management tools.
Filtering for PKI and ADCS Relevance
The KEV catalog covers all technology categories. To filter for PKI and ADCS-relevant entries, search for:
- Vendor: Microsoft — then filter by product for "Active Directory", "Windows LDAP", "Windows Kerberos", "CryptoAPI", "Certificate Services"
- Keywords in the vulnerability name: "certificate", "LDAP", "Kerberos", "NTLM", "Active Directory", "PKI"
- CVEs referenced in CISA advisories covering identity and PKI infrastructure (AA series advisories)
Remediation Due Dates
For federal civilian executive branch (FCEB) agencies, patching KEV entries by the specified due date is mandatory under CISA Binding Operational Directive 22-01. Due dates are typically 2–3 weeks from the date added.
For private sector organizations, the due dates are not legally binding but serve as a strong signal for prioritization. A KEV entry with a 2-week due date indicates CISA believes the exploitation risk is high enough to require rapid response.
Building a KEV-Driven Patch Workflow
Integrate the CISA KEV catalog into your vulnerability management workflow:
- Subscribe to CISA KEV updates via the JSON feed or RSS — add new entries to your vulnerability tracking system automatically.
- Tag KEV entries in your vulnerability management tool for priority treatment.
- For PKI and ADCS environments, treat any KEV entry affecting Microsoft identity infrastructure as Critical regardless of CVSS score.
- Track KEV remediation separately from standard patch cycles — KEV entries should be remediated within the CISA due date window even if your standard patch cycle is longer.
The CISA KEV catalog removes ambiguity from patch prioritization. A CVE in the KEV catalog has confirmed active exploitation — it is not theoretical. For PKI and ADCS environments, where a single exploited vulnerability can lead to full domain compromise, KEV entries should trigger immediate response.
1. Bookmark the CISA KEV catalog and check it weekly: cisa.gov/known-exploited-vulnerabilities-catalog
2. Download the KEV JSON feed and integrate it into your vulnerability management tool.
3. Create a saved filter for Microsoft identity infrastructure CVEs in your vulnerability management tool.
4. Establish a KEV-specific SLA: patch KEV entries within the CISA due date window.
5. Review the KEV catalog for any entries affecting your current environment that have not been remediated.
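The following script is an added example, not code from the original article or from CISA. It applies the two filters from the "Filtering for PKI and ADCS Relevance" section (Microsoft identity products, or PKI keywords in the vulnerability name) and the due-date SLA from the workflow section to a feed in the KEV JSON layout. The field names (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate) are those of the published feed; the four records, their CVE IDs, dates and descriptions are constructed placeholders, as are the "today" and "last checked" dates.

```python
"""Triage CISA KEV entries for PKI / ADCS relevance and due-date SLA.

Added example. Field names follow the published KEV JSON feed; the records
below are constructed placeholders (CVE-0000-* IDs), not real catalog entries.
"""
import json
from datetime import date

# Constructed sample feed in the KEV JSON layout (placeholder data throughout).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2024-01-20T00:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Microsoft", "product": "Windows Kerberos",
         "vulnerabilityName": "Microsoft Windows Kerberos Elevation of Privilege Vulnerability (placeholder)",
         "dateAdded": "2024-01-10", "shortDescription": "Placeholder description.",
         "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2024-01-31",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-0000-00002", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Kernel Elevation of Privilege Vulnerability (placeholder)",
         "dateAdded": "2024-01-12", "shortDescription": "Placeholder description.",
         "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2024-02-02",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "Example PKI Appliance",
         "vulnerabilityName": "ExampleVendor PKI Appliance Certificate Validation Bypass (placeholder)",
         "dateAdded": "2024-01-15", "shortDescription": "Placeholder description.",
         "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2024-01-22",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-0000-00004", "vendorProject": "Microsoft",
         "product": "Active Directory Certificate Services",
         "vulnerabilityName": "Microsoft ADCS Elevation of Privilege Vulnerability (placeholder)",
         "dateAdded": "2024-01-03", "shortDescription": "Placeholder description.",
         "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2024-01-17",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Filters from the article: Microsoft identity products, or PKI keywords in the name.
IDENTITY_VENDOR = "microsoft"
IDENTITY_PRODUCTS = ("active directory", "windows ldap", "windows kerberos",
                     "cryptoapi", "certificate services")
IDENTITY_KEYWORDS = ("certificate", "ldap", "kerberos", "ntlm", "active directory", "pki")

# Constructed reference dates for the example run.
TODAY = date(2024, 1, 20)
LAST_CHECKED = date(2024, 1, 11)


def load_kev(raw_json):
    """Return the list of vulnerability records from a KEV feed document."""
    return json.loads(raw_json)["vulnerabilities"]


def is_identity_relevant(entry):
    """True if the entry is a Microsoft identity product or its name carries a PKI keyword."""
    vendor = entry["vendorProject"].lower()
    product = entry["product"].lower()
    name = entry["vulnerabilityName"].lower()
    if vendor == IDENTITY_VENDOR and any(p in product for p in IDENTITY_PRODUCTS):
        return True
    return any(k in name for k in IDENTITY_KEYWORDS)


def sla_status(due, today, warn_days=7):
    """'overdue' past the CISA due date, 'due_soon' within warn_days, else 'scheduled'."""
    remaining = (due - today).days
    if remaining < 0:
        return "overdue", remaining
    if remaining <= warn_days:
        return "due_soon", remaining
    return "scheduled", remaining


def triage(entries, today):
    """Tag identity-relevant KEV entries Critical and order them by CISA due date."""
    rows = []
    for e in entries:
        if not is_identity_relevant(e):
            continue
        status, remaining = sla_status(date.fromisoformat(e["dueDate"]), today)
        rows.append({
            "cveID": e["cveID"],
            "product": e["product"],
            "priority": "Critical",  # KEV + identity infrastructure: Critical regardless of CVSS
            "dueDate": e["dueDate"],
            "daysRemaining": remaining,
            "status": status,
        })
    rows.sort(key=lambda r: r["dueDate"])  # ISO dates sort correctly as strings
    return rows


def new_since(entries, last_checked):
    """CVE IDs added to the catalog after the last (weekly) check, any vendor."""
    return [e["cveID"] for e in entries if date.fromisoformat(e["dateAdded"]) > last_checked]


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    print("new since last check:", new_since(entries, LAST_CHECKED))
    for row in triage(entries, TODAY):
        print(f"{row['status']:<9} {row['daysRemaining']:>4}d  {row['cveID']}  {row['product']}")
```

Against the real feed, replace SAMPLE_KEV_JSON with the downloaded known_exploited_vulnerabilities.json and TODAY with date.today(); the overdue and due_soon rows are the ones that belong in the KEV-specific SLA queue rather than the standard patch cycle, and new_since drives the weekly check in step 1.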
The CISA KEV catalog is the single most useful public resource for patch prioritization. If a CVE is in the KEV catalog, it is being exploited right now. For PKI and ADCS environments, that means immediate action — not next patch cycle.
InsecurePlanet provides original technical analysis based on the sources listed below. This article does not claim facts beyond the cited source material.
