On a Wednesday morning, the IT manager of an online retailer was sifting through the usual stack of system reports. There were no alarms or blinking lights, just an unassuming remark from a standard security scan. The company’s website had been operating for years, processing orders, storing customer details, and humming along without issue. But today, the report registered an anomaly in the database: a line of code that didn’t belong.
What no one at the company realized was that an outsider had been living in their system for six years—code hidden deep in a software add-on from a third-party vendor. It had allowed cyber actors to reach sensitive data, including customer names and payment information. The breach wasn’t dramatic. No ransom notes appeared. No computers were locked down. It was a persistent, unnoticed risk that quietly blended in.
Stories like this aren’t uncommon, largely because businesses rely on technology every day to manage client data, process sales, and communicate with in-house teams and outside vendors. And while most software works as intended, it’s common for minor flaws or gaps to exist—mainly because of the complexity of the technology.
Because these flaws often go unnoticed by developers, the U.S. government publishes online lists of known vulnerabilities to urge developers to build patches (fix the code) and to help businesses stay secure. As Michael McLaughlin and William J. Holstein explain in Battlefield Cyber: How China and Russia are Undermining Our Democracy and National Security: “those patches take time and human resources to install. As a result, too many companies and agencies are slow to implement them—or do not implement them at all.” This leaves the door open for attackers to act on what’s already public knowledge. Although most gaps never develop into a major issue, the rare ones that attackers actually choose to exploit deserve attention.
This is where two little-known but powerful resources come in: CVE and KEV. Most business owners haven’t heard of them, but the CVE (Common Vulnerabilities and Exposures) and KEV (Known Exploited Vulnerabilities) databases are the little black books security professionals use to track and prioritize software flaws. They are especially useful for anyone who wants to be better informed about what lurks within the walls of their software. And you don’t need to get lost in technical jargon.
Cybersecurity experts discover thousands of software weaknesses each year. To keep track, they assign a unique identifier to each one, much like a serial number. The CVE system has been cataloging vulnerabilities this way since 1999. It’s the universal naming system used across the industry.
Now, here’s the crucial distinction: every vulnerability in the KEV catalog began as a CVE. But what moves a CVE to the KEV catalog is validation—confirmation that attackers are actively using that specific vulnerability to break into systems.
So, while every KEV is in fact a CVE, only a tiny fraction of the thousands of identified CVEs ever graduate to the KEV list. This transformation from merely being ‘known’ to ‘known and actively exploited’ is what turns a vulnerability into an immediate problem.
The KEV catalog, which was started by the Cybersecurity and Infrastructure Security Agency (CISA), focuses on what is crucial: the confirmed weak points that cyber criminals, ranging from sophisticated syndicates to nation-state sponsored groups, are eager to exploit in order to compromise operations.
The KEV catalog tells you where the real present danger lies. It’s a sensible approach to cybersecurity, allowing you to direct your limited resources of time and budget to addressing the most immediate risks to your business and data integrity.
What I appreciate about the KEV catalog is that it’s free for everyone. Cybersecurity experts maintain it and track current exploitation. It’s one of the many services offered by CISA, and you don’t need to be a cybersecurity specialist to use it.
The catalog isn’t about inundating you with information; it offers a clear view of what’s urgent. Each entry tells you the official CVE number, which software is affected, what the vulnerability does, and the recommended fix. I review the list a few times a month; if I see a software program I rely on, that’s my signal to take action. For simple solutions, such as running an update, I may handle it myself; otherwise, I will contact IT support for further investigation.
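The routine described above, checking each KEV entry against the software you rely on, is easy to automate. The following is an added example, not code from the original post or from CISA. It assumes the field names of CISA's KEV JSON feed as I know them (cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate, knownRansomwareCampaignUse); the entries and the inventory below are constructed samples with placeholder CVE IDs, not real catalog records, so the script runs offline.

```python
"""Match CISA KEV catalog entries against a software inventory (added example).

CISA publishes the live catalog as JSON at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
This example parses a constructed sample in the same shape so it runs offline.
Field names follow the feed's schema as I know it; the records themselves,
vendors, products and CVE IDs are placeholders, not real KEV entries.
"""
import json
from datetime import date

# Constructed sample feed. CVE IDs below are placeholders, not real CVEs.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the real CISA catalog",
    "count": 3,
    "vulnerabilities": [
        {
            "cveID": "CVE-0000-0001",
            "vendorProject": "ExampleShop",
            "product": "Storefront Plugin",
            "vulnerabilityName": "ExampleShop Storefront Plugin Code Injection Vulnerability",
            "dateAdded": "2024-03-01",
            "shortDescription": "Constructed description of the flaw.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2024-03-22",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-0000-0002",
            "vendorProject": "OtherVendor",
            "product": "Branch Router",
            "vulnerabilityName": "OtherVendor Branch Router Authentication Bypass Vulnerability",
            "dateAdded": "2024-03-05",
            "shortDescription": "Constructed description of the flaw.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2024-03-26",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-0003",
            "vendorProject": "ExampleCorp",
            "product": "Web Gateway",
            "vulnerabilityName": "ExampleCorp Web Gateway Path Traversal Vulnerability",
            "dateAdded": "2024-03-25",
            "shortDescription": "Constructed description of the flaw.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2024-04-15",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory: (vendor, product) pairs the business relies on.
INVENTORY = [
    ("ExampleShop", "Storefront Plugin"),
    ("ExampleCorp", "Web Gateway"),
]


def load_kev(text):
    """Parse the KEV feed JSON and return its list of vulnerability records."""
    return json.loads(text).get("vulnerabilities", [])


def _norm(vendor, product):
    # Vendor and product names in the feed vary in case and spacing.
    return (vendor.strip().lower(), product.strip().lower())


def match_inventory(entries, inventory, as_of):
    """Return KEV entries affecting software in `inventory`, most urgent first.

    Urgency order: entries tied to ransomware campaigns first, then earliest
    due date. `overdue` marks entries whose due date has already passed.
    """
    wanted = {_norm(v, p) for v, p in inventory}
    hits = []
    for e in entries:
        if _norm(e.get("vendorProject", ""), e.get("product", "")) not in wanted:
            continue
        due = date.fromisoformat(e["dueDate"])
        hits.append({
            "cve": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "name": e.get("vulnerabilityName", ""),
            "due": due,
            "overdue": due < as_of,
            "ransomware": e.get("knownRansomwareCampaignUse", "").lower() == "known",
            "action": e.get("requiredAction", ""),
        })
    return sorted(hits, key=lambda h: (not h["ransomware"], h["due"]))


if __name__ == "__main__":
    for h in match_inventory(load_kev(SAMPLE_KEV_JSON), INVENTORY, date(2024, 4, 1)):
        flag = "OVERDUE" if h["overdue"] else "due " + h["due"].isoformat()
        print(f'{h["cve"]}  {h["product"]}  [{flag}]  {h["action"]}')
```

Swap the constructed sample for the downloaded feed and the constructed inventory for your own vendor/product list; anything the script prints is a KEV entry affecting software you run, with the ransomware-linked and overdue items at the top.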
While I love CISA for everything they offer, I find the website lacks visual and user appeal. They have useful content, but it’s often hiding in plain sight. Getting to the KEV listing takes some navigation, but if you are patient, it’s an outstanding resource.
If you don’t frequently check websites, I recommend subscribing to CISA’s KEV email updates; they will notify you of additions to the KEV catalog and important announcements. It’s a small step that can make a big difference—helping you stay aware of the threats that matter, without getting lost in the noise.
Michael Civisca is a freelance contributor for Atlantic Data Security. ADS has established themselves as a pioneer in the cybersecurity industry with customized solutions for their clients for over thirty years. Talk to an advisor and learn more about managed security services, endpoint security, and cybersecurity trainings at Atlantic Data Security. Follow us on LinkedIn, and read more in our resource blog.
The CISA Known Exploited Vulnerabilities Catalog: The authoritative, real-time list of vulnerabilities under attack.
Atlantic Data Security Blog: Key Principles of Zero Trust Cybersecurity: How organizations combine effective cybersecurity and business flexibility
Atlantic Data Security: What is the CVSS?: The Common Vulnerability Scoring System
How a 6-Year-Old Backdoor Compromised eCommerce
(Book) Battlefield Cyber: How China and Russia are Undermining Our Democracy and National Security (Amazon): Insightful background on the realities of software vulnerabilities.