With more than 1,000 vulnerabilities currently on the list, the Known Exploited Vulnerabilities (KEV) Catalog managed by the US cybersecurity agency CISA has significantly improved government agencies’ patching efforts. The KEV Catalog, which was introduced in November 2021, is accompanied by Binding Operational Directive (BOD) 22-01, which mandates that federal agencies patch newly discovered vulnerabilities within a predetermined timeframe. CISA has confirmation that the vulnerabilities in the catalog are being exploited in malicious attacks.
According to CISA, government agencies have applied more than 12 million patches for KEV entries since November 2021, with 7 million of those patches applied in 2023 alone. Local governments and critical infrastructure institutions have seen an overall 72% decline in KEVs exposed for 45 days or more compared to federal agencies.