
The US Cybersecurity and Infrastructure Security Agency (CISA) is making it easier for organizations and defenders to report vulnerabilities that qualify for its Known Exploited Vulnerabilities (KEV) Catalog.
- CISA launched a new online form to streamline reporting of vulnerabilities actively exploited in cyberattacks.
- The agency says faster KEV nominations could improve how quickly organizations respond to high-risk CVEs already circulating in the wild.
- Submitted vulnerabilities must include a CVE ID, evidence of exploitation, and mitigation guidance before being considered for the KEV catalog.
The US cybersecurity watchdog agency announced on Thursday the release of a new Known Exploited Vulnerability (KEV) online nomination portal, aimed at streamlining the vulnerability intake process.
“This new reporting capability enhances CISA’s ability to quickly identify, validate, and share KEVs, critical threat information,” said Chris Butera, CISA’s Acting Executive Assistant Director for Cybersecurity.
The new nomination process will allow faster handling of new reports, as well as faster and improved analysis, the agency said.
“Early detection and coordinated vulnerability disclosure are among the most powerful tools we have to reduce risk at scale,” Butera said.
How the KEV Catalog works
CISA, which has been responsible for maintaining and updating the KEV catalog since May 2022, says improving the intake process will help organizations proactively keep pace with known vulnerabilities already being exploited out in the wild.
“Every day, CISA collaborates with security researchers and industry partners that identify and report exploited vulnerabilities… helping us secure the systems Americans rely on every day,” Butera said.
The KEV Catalog is essentially a running list of all Common Vulnerabilities and Exposures – more widely known as CVEs – that are confirmed to have been used by threat actors in real-world cyberattacks.
Launched in November 2021 with roughly 300 entries dating back to 2002, it now has more than 1500 vulnerabilities listed as of December 2025.
What organizations must provide in submissions
Described as a secure, web-based tool, CISA says any vulnerabilities submitted using the form must have an assigned CVE ID, evidence of exploitation, and clear mitigation guidance.
After a brief introduction, the form takes the user through a series of Yes or No questions that provide more details about the vulnerability, including whether there is:
- Evidence of active or past exploitation
- Potential impact across multiple vendors or products
The user is then prompted to supply evidence of exploitation and provide a link to the patch or mitigation guidance, followed by a final page for adding any other relevant information.
CISA says that in addition to the new online form, organizations will still be able to nominate vulnerabilities through its original email submission process at [email protected].
The agency "strongly recommends" organizations monitor the KEV catalog and prioritize patching as part of their vulnerability management framework to "reduce the likelihood of compromise by known threat actors."