Understanding CISA Known Exploited Vulnerabilities (KEVs)
What KEVs are, why they matter for Mac admins, and how to respond when Apple vulnerabilities appear on the CISA catalog
When a vulnerability moves from theoretical risk to confirmed, in-the-wild exploitation, it lands on one of the most important lists in cybersecurity: the CISA Known Exploited Vulnerabilities (KEV) Catalog. For Mac administrators managing device fleets, a new Apple KEV entry is the signal to stop planning and start deploying.
What Is the CISA KEV Catalog?
The Cybersecurity and Infrastructure Security Agency (CISA) maintains the KEV Catalog as a curated list of vulnerabilities that have been actively exploited in the wild. Unlike the broader National Vulnerability Database, which tracks all publicly disclosed vulnerabilities, the KEV Catalog is narrowly focused on confirmed threats.
CISA launched the catalog in November 2021 alongside Binding Operational Directive (BOD) 22-01, which requires federal civilian agencies to remediate KEV entries within strict deadlines. While only federal agencies are legally bound by BOD 22-01, CISA strongly recommends that all organizations treat the catalog as a prioritization baseline.
Criteria for KEV Inclusion
A vulnerability must meet all three criteria to be added:
- Assigned a CVE ID – The vulnerability has a Common Vulnerabilities and Exposures identifier.
- Active exploitation – Credible evidence exists that the vulnerability is being exploited in the wild, not just in proof-of-concept code.
- Clear remediation action – A vendor patch, mitigation, or workaround is available (CISA does not add vulnerabilities with no fix).
Why Mac Admins Should Care
Apple devices are not immune to KEV entries. Apple has been a regular presence on the catalog, with WebKit zero-days, kernel vulnerabilities, and IOKit flaws appearing consistently. When Apple issues a Rapid Security Response or emergency update, it often coincides with a new KEV entry.
Key reasons to track KEVs:
- Confirmed exploitation – These are not theoretical risks. Attackers are using them right now.
- Remediation deadlines – Even outside federal mandates, the KEV deadline provides a reasonable SLA for your own patch policy.
- Audit and compliance – Frameworks like CIS Controls increasingly reference KEV status as a prioritization factor.
- Executive communication – Telling leadership “this vulnerability is on the CISA KEV list” carries weight when justifying emergency maintenance windows.
How to Check for Apple KEVs
The KEV Catalog is available as a JSON feed, making it straightforward to query from the command line.
Download and Search the Full Catalog
# Download the KEV catalog and filter for Apple entries
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
| jq '[.vulnerabilities[] | select(.vendorProject == "Apple")]'
Check for KEVs Added in the Last 30 Days
# Find Apple KEVs added in the last 30 days
THIRTY_DAYS_AGO=$(date -v-30d +%Y-%m-%d)
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
| jq --arg since "$THIRTY_DAYS_AGO" \
'[.vulnerabilities[] | select(.vendorProject == "Apple" and .dateAdded >= $since)]'
Quick Count of Apple KEVs
# Count total Apple KEVs in the catalog
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
| jq '[.vulnerabilities[] | select(.vendorProject == "Apple")] | length'
Tip: Bookmark the CISA KEV Catalog page at https://www.cisa.gov/known-exploited-vulnerabilities-catalog for a searchable web interface.
Responding to Apple KEVs
When an Apple vulnerability appears on the KEV Catalog, your response should follow a predictable pattern:
1. Assess the Scope
Determine which of your managed devices are affected. Check the Apple security release notes and cross-reference with your fleet’s OS versions.
# On an individual Mac, check the current OS version
sw_vers
# Check for available updates
softwareupdate --list
2. Deploy the Patch via MDM
Use your management tools to push the update fleet-wide:
- Jamf Pro – Create a Smart Group targeting affected OS versions and deploy the update via a policy or the macOS Upgrades workflow.
- Munki – Add the update to a forced install manifest with an appropriate
force_install_after_date. - Nudge – Configure the
requiredMinimumOSVersionto the patched release to encourage user-initiated updates with escalating urgency.
3. Verify Remediation
After deployment, confirm devices have updated:
# Query Jamf Pro API for devices below the target OS version
curl -s -H "Authorization: Bearer $JAMF_TOKEN" \
"https://your-jamf-instance.com/api/v1/computers-inventory?filter=osVersion<15.3.1" \
| jq '.results[] | {name: .general.name, os: .operatingSystem.version}'
KEV vs CVE: Understanding the Difference
| Attribute | CVE | KEV |
|---|---|---|
| Maintained by | MITRE Corporation / CVE Program | CISA |
| Scope | All publicly disclosed vulnerabilities | Only actively exploited vulnerabilities |
| Volume | 200,000+ entries | ~1,200 entries |
| Inclusion criteria | Unique, independently fixable flaw | CVE assigned + active exploitation + fix available |
| Mandate | No remediation requirement | Federal agencies must patch by deadline |
| Severity filtering | None (all severities) | None (all severities, but all are confirmed threats) |
Key takeaway: Every KEV has a CVE, but the vast majority of CVEs will never become KEVs. The KEV list is your signal-to-noise filter.
Automating KEV Monitoring
For ongoing awareness, set up a lightweight monitoring script:
#!/bin/bash
# kev-monitor.sh -- Check for new Apple KEVs daily
# Add to crontab: 0 9 * * * /path/to/kev-monitor.sh
KEV_URL="https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
CACHE_FILE="/tmp/kev_last_check.txt"
TODAY=$(date +%Y-%m-%d)
# Get Apple KEVs added since last check
LAST_CHECK=$(cat "$CACHE_FILE" 2>/dev/null || echo "1970-01-01")
NEW_KEVS=$(curl -s "$KEV_URL" \
| jq --arg since "$LAST_CHECK" \
'[.vulnerabilities[] | select(.vendorProject == "Apple" and .dateAdded > $since)]')
COUNT=$(echo "$NEW_KEVS" | jq 'length')
if [ "$COUNT" -gt 0 ]; then
echo "ALERT: $COUNT new Apple KEV(s) found since $LAST_CHECK"
echo "$NEW_KEVS" | jq '.[] | "\(.cveID) - \(.vulnerabilityName) (Due: \(.dueDate))"'
fi
echo "$TODAY" > "$CACHE_FILE"
Real-World Apple KEV Examples
Apple vulnerabilities have appeared on the KEV Catalog with notable frequency. Some representative examples:
- WebKit zero-days – Multiple CVEs targeting Safari’s rendering engine, often exploited for spyware delivery. These typically arrive as Rapid Security Responses.
- Kernel privilege escalation – IOKit and XNU kernel flaws that allow sandboxed apps to gain elevated privileges, frequently chained with WebKit bugs.
- Security framework bypasses – Vulnerabilities in Gatekeeper, TCC, or the Transparency framework that let malware circumvent macOS protections.
Each of these categories has produced KEV entries, reinforcing that macOS is a regular target and patching delays carry real risk.
Next Steps
- Learn how vulnerability identifiers work: What Is a CVE?
- Understand how severity is measured: Understanding CVSS Scores
- Explore the broader vulnerability database: What Is the NVD?