CISA has launched a new online nomination form to accelerate the reporting of actively exploited vulnerabilities directly into its Known Exploited Vulnerabilities (KEV) catalog. This initiative aims to cut down the time between a bug being exploited and its inclusion on CISA's critical list, directly addressing past critiques that the KEV catalog often acted as a "trailing indicator" of hacking activity.

What Happened

The Cybersecurity and Infrastructure Security Agency (CISA) launched a new web-based form to streamline submissions for vulnerabilities confirmed to be under active exploitation. This new mechanism complements CISA's existing email submission channel. The primary goal is to enhance CISA's ability to identify, validate, and rapidly disseminate crucial threat intelligence across various sectors, improving national cybersecurity posture.

Submitters using the form must provide comprehensive details, including the assigned CVE ID, confirmed evidence of active exploitation, and actionable mitigation guidance. The form also asks whether the vulnerability impacts multiple vendors or products, which helps CISA gauge how widespread the impact is. To be included in the KEV catalog, a vulnerability must have an assigned CVE, confirmed exploitation, and available remediation steps.

As of May 22, 2026, the KEV catalog lists approximately 1,600 vulnerabilities, according to CISA. In the two weeks prior to this date, CISA updated the catalog six times, adding seven new vulnerabilities on that specific Thursday, as reported by BleepingComputer. Chris Butera, CISA's Acting Executive Assistant Director for Cybersecurity, stated that this new capability enhances CISA's ability to identify, validate, and quickly share critical threat information, highlighting early detection and coordinated vulnerability disclosure as powerful tools for risk reduction.

Why It Matters

This enhanced reporting mechanism directly responds to past criticisms that the KEV catalog was slow to incorporate actively exploited vulnerabilities. By streamlining submissions, CISA intends to shorten the window between a vulnerability being actively exploited and its official recognition in the KEV catalog. This reduced latency allows organizations, particularly federal civilian executive branch (FCEB) agencies, to prioritize patching and mitigate threats before widespread damage occurs.

The KEV catalog is more than just a list; it is a mandate. Established in November 2021 under Binding Operational Directive (BOD) 22-01, it requires FCEB agencies to remediate listed vulnerabilities by specific due dates. Speeding up KEV inclusion means FCEB agencies get earlier, official notice to patch. If a bug is exploited on Monday, and it takes weeks to hit the KEV, federal teams are on the clock for weeks without a formal directive. If it hits the KEV within days, that clock starts much sooner. This shift translates directly to faster, more proactive vulnerability management across the federal government and provides guidance for critical infrastructure and private sector organizations. Security teams can use tools like CrowdStrike Falcon to monitor for signs of exploitation, providing telemetry that could feed into such a reporting process.

Source: cisa.gov

Technical Breakdown

The KEV catalog identifies vulnerabilities that are actively weaponized. The new form is especially relevant to a common initial access technique: MITRE ATT&CK T1190, Exploit Public-Facing Application. When attackers exploit a flaw in an internet-facing service, like a web server or VPN, the new CISA form offers a quicker path to get that information to the right channels.

Think of it this way: when an attacker uses a secret tunnel to get past your organization's firewall, this new CISA form is like giving a trusted security guard at the gate a direct, secure line to the city's emergency response team. The guard can report the exact location and nature of the tunnel instantly, which reduces the time it takes for city officials to alert all other fortresses to check for similar tunnels.

The goal aligns with NIST SP 800-53 control SI-2 Flaw Remediation. This control emphasizes the timely identification, reporting, and correction of information system flaws. By accelerating the reporting, CISA enables organizations to execute the "remediation" part of this control more effectively. The data requested by the form—CVE ID, evidence of exploitation, mitigation guidance, and multi-vendor impact—provides exactly what CISA needs to validate and publicize the threat, helping organizations to patch before they become a statistic.
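One way to turn KEV due dates into a remediation queue, added here as an illustration and not taken from CISA or the original article. It assumes the field names of CISA's public KEV JSON feed (`cveID`, `dateAdded`, `dueDate`); the feed excerpt, dates, host names, findings and the `CVE-0000-…` placeholder IDs are constructed.

```python
import json
import re
from datetime import date

# Constructed excerpt using the field names of CISA's public KEV JSON feed.
# Dates are illustrative and the CVE-0000-* IDs are placeholders.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2021-44228", "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
  {"cveID": "CVE-0000-0001", "dateAdded": "2026-05-21", "dueDate": "2026-06-11"}
]}
""")

# Constructed scanner findings: (host, CVE ID) pairs from an internal inventory.
FINDINGS = [
    ("vpn-gw-01", "CVE-0000-0001"),
    ("app-srv-07", "CVE-2021-44228"),
    ("app-srv-07", "CVE-0000-0002"),   # not in KEV: normal patch cycle
    ("db-02", "cve-0000-0001"),        # scanners differ in letter case
    ("legacy-03", "not-a-cve"),        # malformed ID, rejected
]

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def kev_index(feed):
    """Map CVE ID -> remediation due date for every catalog entry."""
    return {v["cveID"].upper(): date.fromisoformat(v["dueDate"])
            for v in feed["vulnerabilities"]}

def triage(findings, feed, today):
    """Return KEV-listed findings sorted by days remaining (overdue first),
    plus the findings whose CVE ID could not be parsed."""
    index, queue, rejected = kev_index(feed), [], []
    for host, cve in findings:
        cve = cve.strip().upper()
        if not CVE_RE.match(cve):
            rejected.append((host, cve))
            continue
        due = index.get(cve)
        if due is not None:
            queue.append({"host": host, "cve": cve, "due": due.isoformat(),
                          "days_left": (due - today).days})
    queue.sort(key=lambda f: (f["days_left"], f["host"]))
    return queue, rejected

if __name__ == "__main__":
    for item in triage(FINDINGS, KEV_FEED, date(2026, 5, 22))[0]:
        status = "OVERDUE" if item["days_left"] < 0 else "due"
        print(f'{item["host"]:<11} {item["cve"]:<15} {status} {item["due"]}')
```

Findings that match a KEV entry sort ahead of everything else, with overdue items first; findings not in the catalog stay in the normal patch cycle, and unparseable IDs are returned separately for manual review.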

Historical Context

Quickly identifying and cataloging actively exploited vulnerabilities has always been a challenge. The Log4Shell vulnerability (CVE-2021-44228), disclosed in December 2021, exemplifies this. This severe remote code execution flaw in Apache Log4j, a widely used logging library, saw immediate and widespread exploitation. At the time, the KEV catalog had just been established the month prior, and the scale and speed of Log4j exploitation put immense pressure on vulnerability management processes.

While CISA quickly added Log4Shell to the KEV catalog and issued urgent directives, the incident showed the need for faster intelligence sharing. The initial scramble to identify affected systems and apply patches globally demonstrated how quickly threat actors could weaponize a critical vulnerability. The new KEV form, with its emphasis on rapid submission and validation, directly addresses the lessons learned from Log4Shell-like events. Prior to the KEV catalog and BOD 22-01, the process for federal agencies to track and mandatorily patch such vulnerabilities was less centralized and often slower, lacking the authoritative list that KEV now provides. The difference is the formal, mandated due dates tied to KEV inclusion.

Data at a Glance

| Metric | Value | Source |
| --- | --- | --- |
| Total KEV Catalog Vulnerabilities | ~1,600 | CISA |
| KEV Catalog Updates (Past 2 Weeks) | 6 times | BleepingComputer |
| New KEVs Added (Specific Thursday) | 7 vulnerabilities | BleepingComputer |
| KEV Catalog Establishment Date | November 2021 | CISA |
| BOD 22-01 Mandate for FCEB Agencies | Remediation by due dates | CISA |

Our Take

We've seen how critical time-to-patch is, especially with zero-days or widely exploited N-days. The KEV catalog is already a major improvement over pre-2021 federal vulnerability management. This new form is a practical step to improve intelligence flow. It won't solve everything, but giving security researchers and incident responders a direct channel to push confirmed exploitation data means less time waiting for official channels to catch up. The faster CISA can validate and publish, the faster our patching cycles can kick in. This is a pragmatic move that acknowledges the distributed nature of threat intelligence.

The CVEDaily Take

This CISA form is a smart move that recognizes the KEV catalog's past shortcomings. It directly tackles the "trailing indicator" problem by empowering the community to contribute to national security proactively. We think this could significantly cut down on the time it takes for a newly discovered, actively exploited vulnerability to reach federal mandate status. How is your team integrating external CISA alerts like the KEV catalog into your internal patching prioritization processes?

FAQ

Q: What is the primary goal of CISA's new KEV reporting form?
A: The form aims to significantly shorten the time between a vulnerability being actively exploited and its inclusion in CISA's KEV catalog, enabling faster patching and risk mitigation.

Q: What information is required to submit a vulnerability via the new form?
A: Submitters must provide the CVE number, concrete evidence of active exploitation, and available mitigation guidance. They also indicate if the vulnerability affects multiple vendors or products.

Q: How does the KEV catalog impact federal civilian executive branch (FCEB) agencies?
A: FCEB agencies are mandated by CISA's Binding Operational Directive (BOD) 22-01 to remediate all vulnerabilities listed in the KEV catalog by specific due dates.