We pulled every entry in the CISA Known Exploited Vulnerabilities catalog from its launch on November 3, 2021 through June 5, 2026, enriched all 1,612 records against the NIST National Vulnerability Database (NVD CVE API 2.0, 100% coverage), and went looking for structure.
The KEV catalog is the closest thing the industry has to ground truth on exploitation. Inclusion is not theoretical: CISA adds a CVE only after confirming active exploitation in the wild. So this is not a list of what could be attacked. It is a list of what is being attacked, curated over four and a half years.
That distinction is the whole point of this analysis. A CVE is a disclosure: a record that a flaw exists somewhere in the world. A KEV is a decision: proof that an attacker looked at that flaw, judged it worth operationalizing, and used it against a real target. The 200,630 CVEs published since 2021 describe the universe of what is theoretically attackable. The 1,612 KEVs describe what adversaries actually selected from that universe. One is a vulnerability inventory. The other is behavioral telemetry on the adversary.
This is why the two lists demand different treatment. You patch CVEs because you have to manage the inventory. You study KEVs because they tell you what the people trying to get in are actually doing. A KEV is a weaponized CVE, and weaponization is a choice. Every entry in the catalog is a choice an attacker made, recorded after the fact, and the aggregate of 1,612 choices is a remarkably clear picture of adversary preference. The rest of this analysis reads that picture out of the data.
What follows is a full breakdown of that dataset: the funnel that filters 200,630 published CVEs down to 1,612, the attack-surface profile of what survives the filter, time-to-exploitation trends, ransomware linkage, vendor and technology targeting, and the vulnerability classes that dominate. The headline is simple and it is the dominant pattern across nearly every cut of the data: the catalog does not select for clever. It selects for reachable.
Methodology and Caveats
Read this before citing any figure below. The dataset is clean, but several fields carry definitional weight that changes how you should interpret them.
Time to Exploitation (TTE) is defined here as days from the NVD published date to the CISA date_added date. It measures the window between public CVE disclosure and CISA's confirmation of active exploitation. It is not the date of first exploitation in the wild. Real-world exploitation frequently predates KEV addition, so treat TTE as a conservative upper bound on attacker speed, not a precise measurement of it.
The 2022 backfill anomaly distorts every catalog-wide time metric. CISA launched KEV in November 2021 and spent 2022 cataloging years of historical exploited vulnerabilities. The 555 CVEs added in 2022 include bugs disclosed as far back as 2010, which pushes 2022's median TTE to 1,484 days and drags the catalog-wide median to 365 days. Neither number reflects current attacker behavior. Modern data (2023 through 2026) shows a median TTE between 15 and 44 days. When you see a multi-year median anywhere in this analysis, the backfill is the reason, and the per-year table is the corrective.
Zero-day classification here means tte_days < 0: CISA confirmed exploitation before NVD published the CVE. This is not identical to "discovered as a zero-day." Some of these had vendor advisories out before NVD publication, so the label captures pre-disclosure exploitation relative to NVD, not a strict zero-day-in-the-wild definition.
CVSS scoring uses the best available version per CVE, preferring v3.1 over v3.0 over v4.0 over v2.0. All 1,612 records carry a score.
CWE coverage is partial. 1,236 of 1,612 records (76.7%) have a mapped CWE category. The 376 records without one are typically older CVEs. Vulnerability-class percentages in Section 7 are calculated against the 1,236 with mappings, not the full catalog.
Ransomware linkage derives from CISA's knownRansomwareCampaignUse field and likely undercounts. Vendor comes from CISA's vendorProject field rather than NVD's CPE vendor, so grouping reflects CISA's conventions. 2026 is a partial year through June 5, so any year-over-year comparison involving 2026 should account for roughly five months of data. That partial year still shows 30,624 published CVEs, which annualizes well above 2025's 49,972. That reflects continued growth in CNA volume and NVD backlog processing, not a data error, but it does mean 2026 ratios should be read loosely.
Right-censoring affects every recent-year metric. A vulnerability can only enter this dataset after it is both exploited and cataloged, and both steps take time. So the most recent cohorts are systematically incomplete: bugs that are exploited slowly, or whose exploitation is confirmed late, have not shown up yet. This biases recent-year time-to-exploitation downward (only the fast exploitations have surfaced), and it suppresses recent-year zero-day and ransomware counts (those tags get applied after the fact). Where a recent-year figure is likely a censoring artifact rather than a real trend, the relevant section says so. Treat 2025 and 2026 numbers as provisional and expect them to drift upward as the catalog matures.
The per-year weaponization figure is a crude ratio, not a true cohort rate. In Section 3, KEVs are counted by the year CISA added them, while CVE totals are counted by the year NVD published them. Those are different date bases: a KEV added in 2024 is frequently a CVE published years earlier (the mean time-to-exploitation of 440 to 722 days confirms this). A proper weaponization rate would cohort both sides by CVE publication year. The aggregate 0.803% is sound because both sides span the same window, but the per-year column should be read as "KEV additions relative to that year's CVE output," not "share of that year's CVEs that were ever weaponized."
The Funnel: Less Than 1% of CVEs Get Weaponized
Start with scale. Across 2021 through 2026, NVD published 200,630 CVEs. 1,612 of them made the KEV catalog. That is an aggregate weaponization rate of 0.803%.
Year | Total CVEs (NVD) | KEVs Added | KEV-to-CVE Ratio |
2021 | 21,950 | 311 | 1.417% |
2022 | 26,431 | 555 | 2.100% |
2023 | 30,949 | 187 | 0.604% |
2024 | 40,704 | 186 | 0.457% |
2025 | 49,972 | 245 | 0.490% |
2026 (partial) | 30,624 | 128 | 0.418% |
Total | 200,630 | 1,612 | 0.803% |
A caveat before reading the per-year column: it divides KEVs by the year they were added against CVEs by the year they were published, which are different date bases (see Methodology). Treat each row as a rough annual ratio, not as "the share of that year's CVEs that were weaponized." The aggregate 0.803% is the reliable figure. The 2022 row of 2.1% is further inflated by the historical backfill. With that set aside, the mature cohorts (2021 through 2023) sit near or below 1%.
Resist reading the apparent decline in the recent rows as a real trend. It is mostly right-censoring: CVEs published in 2024 and 2025 will keep getting added to the KEV catalog for years, since the mean time from disclosure to exploitation runs well over a year. The 2024 and 2025 ratios are floors, not final values, and they will rise as those CVE cohorts mature. What the table does support is the scale point: across the full window, for every 1,000 CVEs the industry discloses, attackers operationalize on the order of eight, and the KEV catalog is the heavily filtered selection that results. It is not a random sample of the CVE firehose. It is a selection, and the entity doing the selecting is the adversary. The rest of this analysis is about what they look for when they pick.
What Attackers Select For: Reachable, Unauthenticated Targets
Here is what they pick. The catalog skews hard toward vulnerabilities that are network-reachable and require nothing from the target environment.
Attribute | Count | % of Catalog |
Network-accessible (AV:NETWORK) | 1,174 | 72.8% |
Adjacent vector (AV:ADJACENT) | 25 | 1.6% |
Local vector (AV:LOCAL) | 409 | 25.4% |
Remotely exploitable | 1,199 | 74.4% |
No authentication required | 1,150 | 71.3% |
Low attack complexity | 1,513 | 93.9% |
No user interaction required | 1,178 | 73.1% |
No-auth + network-accessible | 977 | 60.6% |
Critical or High CVSS | 1,429 | 88.6% |
Read those rows together and a profile emerges. Nearly three-quarters carry a CVSS Attack Vector of NETWORK (72.8%); the slightly higher "remotely exploitable" figure of 74.4% folds in the 25 ADJACENT-vector bugs that are reachable from a neighboring network segment. 60.6% are network-reachable and require no privileges (Privileges Required of NONE in CVSS v3, what older v2 records scored as no authentication), meaning any host that can route to the target can attempt the exploit. 73.1% need no user interaction (User Interaction of NONE): no one has to click anything. And 93.9% are low-complexity (Attack Complexity of LOW): no special conditions, no race windows to win, no exotic preconditions. Point and shoot.
Now intersect the worst attributes. Combine network-accessible, no authentication, no user interaction, and low complexity into a single worst-case attacker profile:
Worst-Case Profile (4-field intersection) | Value |
KEVs matching all four conditions | 670 |
% of total catalog | 41.6% |
Four in ten actively exploited vulnerabilities can be triggered remotely, without credentials, without a user clicking anything, with low complexity. No phishing. No insider. No clever chain. A reachable target that answers is the entire precondition.
That is the attacker economics the funnel reflects. Out of 200,630 disclosed CVEs, the ones that get operationalized are disproportionately the ones that require the least from the attacker and the least cooperation from the victim. The filter is not selecting for technical sophistication. It is selecting for the path of least resistance.
Severity Distribution: The Catalog Lives at the Top of the Scale
Severity | Count | % | Score Range |
Critical | 555 | 34.4% | ≥ 9.0 |
High | 874 | 54.2% | 7.0–8.9 |
Medium | 179 | 11.1% | 4.0–6.9 |
Low | 4 | 0.2% | < 4.0 |
Critical + High | 1,429 | 88.6% | ≥ 7.0 |
Mean CVSS across the catalog is 8.38. Median is 8.80. 88.6% of exploited vulnerabilities are rated Critical or High. This tracks with the attack-surface data: the attributes that make a bug worth weaponizing (network reach, no auth, low complexity) are the same attributes that push CVSS base scores up. Severity and exploitability are not independent variables here. They are two views of the same underlying property.
The practical takeaway for triage is the reverse of how most programs read it. Because severity here is largely a restatement of reachability, a high CVSS score is not the independent signal it looks like. The variable carrying the real information is the one underneath it: is the vulnerable service network-reachable and unauthenticated. Prioritize on that, and the severity falls out of it. Prioritize on CVSS alone, and you are weighting a number that is mostly measuring reachability anyway, while treating the cause as if it were a separate input.
Time to Exploitation: The Modern Window Is Weeks, Not Years
This is the section where the 2022 backfill matters most. The catalog-wide median TTE of 365 days is an artifact. The per-year breakdown is the real story.
Year | KEVs | Median TTE | Mean TTE | Notes |
2021 | 311 | 468 days | 600 days | First two months of program |
2022 | 555 | 1,484 days | 1,723 days | Backfill year, historical exploits |
2023 | 187 | 15 days | 440 days | Modern baseline |
2024 | 186 | 35 days | 475 days | Modern baseline |
2025 | 245 | 30 days | 513 days | Modern baseline |
2026 (partial) | 128 | 44 days | 722 days | Partial year |
Once the backfill clears in 2023, median TTE collapses to between 15 and 44 days. The mean stays high (440 to 722 days) because the distribution is heavily right-skewed: a long tail of old vulnerabilities getting freshly weaponized pulls the average up while the median holds in the weeks range. Use the median to reason about the typical case and the mean only when you specifically care about the tail.
One caveat, and it cuts in a specific direction. This table is cohorted by the year a CVE was added to the catalog, and right-censoring acts on the publication-year cohort behind it: a CVE published in 2025 that gets exploited slowly will not be added until that exploitation is confirmed, sometimes a year or more later. The visible effect is the split you can already see in the table. Recent additions are a mix of recently-published CVEs exploited fast (which hold the median in the weeks) and freshly-weaponized old CVEs (which drag the mean past 700 days). As the recent publication-year cohorts fill in, their slower-exploited members will land in later catalog years, so the per-publication-year median will sit somewhat higher than 15 to 44 days. Read that range as the speed of the fastest-moving exploited bugs, not as the typical case for a given year's disclosures.
The distribution across the full catalog:
Exploitation Window | Count | % of Catalog |
Zero-day / pre-disclosure (TTE < 0) | 62 | 3.8% |
Within 7 days of disclosure | 304 | 19.6% |
Within 30 days | 412 | 25.6% |
Within 90 days | 529 | 32.8% |
Within 1 year | 776 | 48.1% |
10+ years after disclosure | 74 | 4.6% |
Two ends of this distribution deserve attention. At the fast end, nearly one in five KEVs (19.6%) was exploited within a week of disclosure, and 62 were exploited before NVD even published the CVE. At the slow end, 74 vulnerabilities (4.6%) were exploited 10 or more years after disclosure. Old vulnerabilities do not retire. They sit in the catalog as a standing reminder that an unpatched 2014 bug on a reachable host is still a viable 2026 attack path.
Zero-day rates by year stay in a relatively narrow band:
Year | Zero-Days | Total | Rate |
2021 | 5 | 311 | 1.6% |
2022 | 32 | 555 | 5.8% |
2023 | 11 | 187 | 5.9% |
2024 | 7 | 186 | 3.8% |
2025 | 7 | 245 | 2.9% |
2026 (partial) | 0 | 128 | 0.0% |
Total | 62 | 1,612 | 3.8% |
The 5.8% in 2022 reflects the backfill capturing historically significant zero-days. The modern range of roughly 3 to 6% is the more reliable baseline for how often confirmed-exploited bugs are hit before NVD disclosure. The 2026 figure of 0.0% is almost certainly a censoring artifact rather than a real disappearance of zero-day exploitation: pre-disclosure exploitation is confirmed and cataloged after the fact, so the most recent months will always understate the true rate until the catalog catches up. Do not read it as a trend.
Ransomware Linkage: One in Five, and They Move Faster
Metric | Value |
Ransomware-linked KEVs | 325 (20.2%) |
Ransomware + worst-case profile | 176 (54.2% of ransomware KEVs) |
Ransomware median TTE (non-zero-day) | 256 days |
Non-ransomware median TTE | 388 days |
20.2% of the catalog carries a known ransomware campaign association. Within that subset, 54.2% match the worst-case attacker profile, a notably higher concentration than the catalog-wide 41.6%. Ransomware operators are not exploiting a random slice of KEVs. They are over-indexed on the remote, no-auth, low-complexity bugs, which makes sense for an operation that depends on scale and repeatability.
The TTE comparison points the same direction. Ransomware-linked CVEs carry a 256-day median TTE against 388 days for non-ransomware. Both numbers are inflated by the backfill, so read the gap rather than the absolute values: ransomware-linked bugs get operationalized faster. When a vulnerability fits the ransomware profile, the disclosure-to-exploitation window compresses.
Vendor and Technology Targeting
Vendor concentration is steep. Microsoft alone accounts for 23.4% of the entire catalog, more than the next four vendors combined.
Rank | Vendor | KEVs | % of Catalog |
1 | Microsoft | 377 | 23.4% |
2 | Apple | 93 | 5.8% |
3 | Cisco | 90 | 5.6% |
4 | Adobe | 79 | 4.9% |
5 | 71 | 4.4% | |
6 | Oracle | 43 | 2.7% |
7 | Apache | 39 | 2.4% |
8 | Ivanti | 34 | 2.1% |
9 | D-Link | 26 | 1.6% |
10 | Linux | 26 | 1.6% |
Across 265 distinct vendors, only 27 have 10 or more KEVs. The distribution is a long tail behind a small head dominated by Microsoft, Apple, Cisco, Adobe, and Google.
Read these counts as a function of deployment footprint and research attention as much as attacker preference. The most widely installed and most heavily scrutinized software accumulates the most confirmed-exploited CVEs almost by construction: more targets, more researchers, more disclosed bugs, more chances for any of them to be weaponized. Microsoft topping the list is a statement about ubiquity first and targeting second. The technology-category cut below is subject to the same effect (it is led by Windows, the same install-base story), so read it for the categories that punch above their footprint, not for the raw order.
The technology-category view is where the network-reachability thesis sharpens. Windows OS and VPN/network infrastructure are the two largest categories, together making up 34.5% of the catalog.
Category | KEVs | % |
Windows OS | 284 | 17.6% |
VPN / Network | 273 | 16.9% |
Other | 228 | 14.1% |
Web Server | 143 | 8.9% |
Browser | 140 | 8.7% |
Microsoft Apps | 137 | 8.5% |
Mobile OS | 117 | 7.3% |
Industrial / OT | 50 | 3.1% |
Cloud / Virtualization | 44 | 2.7% |
Dev / Runtime | 43 | 2.7% |
VPN and network gear at 16.9% is the row to sit with, and it is the one that punches above its footprint. These appliances are a far smaller install base than Windows, yet they nearly match it as the second-most-exploited category in the catalog. That is the install-base effect working in reverse: a category this exploited despite this few deployments is being actively sought, not just incidentally counted. These are the devices that exist specifically to be reachable from untrusted networks. The edge that connects you to the world is also the edge attackers reach first.
Vulnerability Classes: The Payload Varies, the Path Dependency Recurs
Among the 1,236 records with CWE mappings, two classes dominate.
Vulnerability Class | KEVs | % of Mapped |
Memory Safety | 379 | 30.7% |
Injection | 272 | 22.0% |
Auth & Access Control | 160 | 12.9% |
Input Validation | 124 | 10.0% |
Path Traversal | 93 | 7.5% |
Deserialization | 64 | 5.2% |
Information Disclosure | 29 | 2.3% |
Privilege Escalation | 27 | 2.2% |
Integer Issues | 23 | 1.9% |
Memory safety (30.7%) and injection (22.0%) together account for more than half of all classified KEVs. This is consistent with decades of vulnerability research, and it is worth noting that the bug classes the industry has spent the most effort trying to eliminate are still the ones getting weaponized at the highest rates. One caveat on the distribution: the 376 unmapped records (23.3% of the catalog) skew toward older CVEs, which lean memory-corruption-heavy, so the true memory-safety share is plausibly higher than 30.7% rather than lower.
But the bug class is the part that changes. A memory-corruption bug in an SSL VPN, a SQL injection in a web application, a deserialization flaw in an app server: these are different root causes requiring different fixes, different secure-coding guidance, different scanners. What most of them share is the part that matters for impact. The roughly three-quarters with a network vector need an inbound path to reach the vulnerable service; the local-vector remainder are typically escalation steps in a chain that already began with network access. And almost all of them, regardless of bug class or vector, depend on an outbound path afterward to reach attacker infrastructure: to pull tooling, beacon, or move toward the objective.
The Trend: Attacker Selection Is Sharpening
Stitch the per-year attack profiles together and the direction is unambiguous.
Year | KEVs | Network AV | Ransomware | Worst-Case |
2021 | 311 | 226 (73%) | 76 (24%) | 120 (39%) |
2022 | 555 | 379 (68%) | 125 (23%) | 210 (38%) |
2023 | 187 | 129 (69%) | 43 (23%) | 75 (40%) |
2024 | 186 | 147 (79%) | 42 (23%) | 93 (50%) |
2025 | 245 | 192 (78%) | 25 (10%) | 114 (47%) |
2026 (partial) | 128 | 101 (79%) | 14 (11%) | 58 (45%) |
Three movements stand out. Network-accessible share climbed from the 68 to 73% range in 2021 through 2023 to a steady 78 to 79% in 2024 through 2026. The worst-case profile rose from 38 to 40% to 45 to 50% over the same period. Ransomware share appears to drop from the low 20s to the low teens, but read that one with caution. CISA's knownRansomwareCampaignUse tag is applied after a ransomware campaign is observed and attributed to a CVE, so the most recent years are systematically under-tagged and will rise as attribution catches up. The apparent decline is mostly a reporting-lag artifact, not evidence that ransomware operators are backing off.
The two trends that matter for defenders both point the wrong way. The vulnerabilities entering the catalog are getting more network-reachable and more trivially exploitable over time, not less. Whatever the industry is doing on secure development and pre-disclosure hardening, the exploited population is shifting toward the easy, remote end of the spectrum. The censoring caveat applies here too, since fast-surfacing recent bugs skew network-facing, but the shift is already visible by 2024, a cohort mature enough to trust, so the direction is real even if the most recent points firm up later.
What the Catalog Says Attackers Are Doing
Collapse every section above into a single composite and you get a behavioral profile of the typical KEV-exploiting attacker, drawn entirely from the 1,612 choices in the catalog.
They go after internet-facing infrastructure. 72.8% of what they weaponize is network-accessible, and the two largest technology categories are Windows OS (17.6%) and VPN/network gear (16.9%), the systems most likely to be exposed to untrusted networks by design.
They prefer targets that ask nothing of them. 60.6% of their picks require no authentication over the network, 73.1% require no user interaction, and 93.9% are low-complexity. They are not building elaborate social-engineering chains or winning race conditions. For 41.6% of the catalog, the entire precondition is a reachable host that answers.
They move fast, and faster on the bugs that pay. Modern median time-to-exploitation is 15 to 44 days, nearly one in five KEVs is weaponized within a week of disclosure, and 3.8% are hit before NVD even publishes the CVE. Ransomware-linked vulnerabilities, 20.2% of the catalog, are operationalized faster still and are over-indexed on the worst-case profile (54.2% versus the catalog's 41.6%).
They do not let old bugs die. 74 vulnerabilities (4.6%) were exploited 10 or more years after disclosure. An unpatched, reachable service does not age out of the threat model.
And they are getting more selective in exactly the direction that should worry defenders. Year over year, the share of their picks that are network-accessible and trivially exploitable is rising, not falling. This is not a static profile. It is sharpening toward the remote, unauthenticated, point-and-shoot end of the spectrum.
That is what attackers are doing, stated as behavior rather than as a list of CVEs. The next question is what, if anything, ties all of it together.
The Common Denominator
Run every cut of this dataset and the same theme survives. 72.8% network-accessible. 60.6% reachable with no privileges over the network. 41.6% worst-case, climbing toward 50%. The top vendor is the most deployed OS on earth and the second-largest category is the gear whose entire job is to be reachable. The bug classes vary, the vendors vary, the vectors vary. What recurs is a dependency on paths: an inbound path to reach the target for the network-vector majority, and an outbound path to act for nearly everything regardless of vector.
Even the 25.4% that are local-vector do not break this. Those are rarely an attacker's front door. They are the privilege-escalation and sandbox-escape steps that follow an initial network foothold, and once the attacker has code running, they still depend on the same outbound paths to turn that foothold into an incident. Inbound reachability is the entry condition for most of the catalog. Outbound reachability is the impact condition for almost all of it.
This is why patch velocity, on its own, is a losing race, a point a separate analysis of one billion KEV remediation records makes directly. With a modern median TTE in the weeks and a meaningful zero-day rate, the disclosure-to-exploitation window is frequently shorter than the disclosure-to-remediation window. You cannot reliably win a race that, for the zero-day slice, starts before you have a CVE number to scan for.
The one dependency that holds across the dataset, regardless of vector, is the path out. Initial access through a network-vector bug or escalation through a local one both still require the compromised workload to reach attacker infrastructure before the compromise becomes an incident: to retrieve tooling, establish a control channel, or move toward a target. That outbound requirement is the part of the chain a defender can constrain without first knowing which CVE is in play. It is the premise behind Communication Governance: govern what each workload is permitted to communicate with, deny the rest by default, and the control acts on the shared dependency rather than on the specific bug. It does not prevent exploitation. Code still executes, and a determined operator will probe whatever paths are left open, so the policy has to be narrow and monitored to mean anything. What changes is scope. The reachable set drops from the open internet to a small, inspectable allowlist, and the Blast Radius of any single exploit becomes a function of architecture rather than of patch timing or detection speed.
The data reframes the operative question more than it prescribes a product. "Is this patched in time" is a race the recent time-to-exploitation numbers show defenders frequently losing. "If this is exploited, what can it reach" is answered by configuration rather than by speed. Shifting weight from the first question to the second is the logic behind what we have called the Containment Era, and the KEV catalog reads as a fairly direct argument for it.
None of this argues against patching. The catalog remains the best-curated patch-prioritization signal available, and the correct response to it is to remediate its contents quickly. The narrower point is that patching is necessary and, on the timelines this data documents, insufficient on its own. The catalog is a record of attacker preference, and that preference is consistently for the reachable target. Constraining reachability, inbound and outbound, addresses the property the dataset actually selects for, independent of which bug class surfaces next.
Conclusion
The CISA KEV catalog filters 200,630 disclosed CVEs down to the 1,612 that attackers actually operationalize, and that filter is remarkably consistent about what it selects. Network-reachable. Unauthenticated. Low-complexity. High-severity. Getting more so every year. The bug classes and vendors are noise around a recurring signal: impact depends on a path, inbound to reach the target or outbound to act on it, and the catalog is a list of the paths attackers found worth taking.
For practitioners, the implication is twofold. Keep patching, because managing the inventory is table stakes, but stop treating the CVE firehose and the KEV catalog as the same kind of data. The CVE list tells you what exists. The KEV list tells you what the adversary decided to use, and reading it as behavioral telemetry rather than as a longer patch queue changes what you prioritize. Reachability belongs alongside CVSS and patch SLA as a first-class triage dimension, because across this dataset it is the variable that most consistently separates the vulnerabilities attackers operationalize from the ones they leave alone.
That is the underlying reason to study attacker patterns at all. Defensive time, headcount, and attention are finite, and nearly every environment carries more vulnerabilities, more alerts, and more competing priorities than any team can work through. Deciding where to spend that finite effort is the actual job, and the most reliable guide is what attackers demonstrably do rather than what they could theoretically attempt. The KEV catalog, read in aggregate, points to the same place across vendors, bug classes, and years: the reachability of exposed services. That is a finding any defender can act on, with or without a particular tool, by letting the data the adversary leaves behind set the agenda for where the work goes first.
The full enriched dataset, methodology, and per-field source queries are available through the Aviatrix Threat Research Center for anyone who wants to reproduce or extend the analysis. The same reachability lens can be applied to a specific environment through a Workload Attack Path Assessment.
Data Notes
All figures were independently computed from an enrichment of the complete CISA KEV catalog (1,612 records, date_added 2021-11-03 through 2026-06-05) joined against the NVD CVE API 2.0 at 100% coverage. CVSS uses the best available version per record (v3.1 > v3.0 > v4.0 > v2.0). CWE-based class percentages are calculated against the 1,236 records (76.7%) carrying a CWE mapping. Time-to-exploitation is measured from NVD published to CISA date_added and is subject to the backfill and definitional caveats described in the Methodology section. 2026 is a partial year through June 5, 2026.
