Cyber Posture

The KEV gap: not shrinking, but interesting

The interval between a CVE’s publication and its appearance on CISA’s Known Exploited Vulnerabilities catalog. Last updated: 20 May 2026 08:06 UTC

CISA’s Known Exploited Vulnerabilities (KEV) catalog is the list of CVEs confirmed to be used by attackers. Federal civilian agencies have to patch them on a deadline; private security teams treat the same list as their top triage queue. Every CVE that lands on KEV has two dates that matter — when the CVE was published, and when the CVE was turned into a KEV — and the interval between them is the “KEV gap.” When the gap is small, CISA’s intel pipeline is keeping pace with how attackers use new vulnerabilities. When it’s large, either attackers picked up an old bug, or CISA learned late. You might assume the gap is shrinking. The data says the opposite — and something more interesting.

What the data shows

Each month, CISA adds new CVEs to the KEV catalog. For each addition we count the days between NVD publishing the CVE and CISA adding it to KEV. The distribution of that number is bimodal. About four in ten land within a week. The rest stretches into a legacy tail: the p90 (the 90th percentile, below which 9 in 10 cases fall) sits around four-and-a-half years.

Chart 1. Solid red line: monthly median of days from CVE publish to KEV listing. Reference lines at 1 week, 1 month, and 1 year. The median bounces month-to-month with the legacy mix CISA added that month; the p90 stays high — CISA is still backfilling older bugs.


Annual median: 15 days (2023), 35 days (2024), 30 days (2025), 54 days (2026, year to date). Not a clear trend in either direction.

Why the median moves around

Two flows feed the monthly number. The first flow is the “fast track”: CVEs that CISA adds within days of publication, usually because the vulnerability is already being exploited in the wild and CISA has the intelligence to know. The second flow is the “catch up”: CVEs from years ago that CISA adds now, sometimes because new attacker tooling re-popularised an old bug, sometimes as part of catalog cleanup. The monthly median depends on the mix. A fast-track month looks like a 5-day gap; a month with several legacy adds can push the median into the hundreds of days.

A defensible floor on “exploited at issuance”

What fraction of CVEs are marked as KEVs within a few days of publication? Those are the cases where CISA almost certainly had intelligence on active exploitation before the public CVE went live. The share is consistent: a bit over a third of every month’s KEV adds since 2023 land within seven days of the CVE’s NVD publish date.
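The statistics above (monthly median, p90, and the within-seven-days share) are straightforward to reproduce once each KEV entry is paired with its NVD publish date. The following is an added example, not code from Cyber Posture; the CVE IDs and dates are constructed placeholders, and the only assumption about real data is that you have joined each KEV `dateAdded` with the matching NVD published date. The sample deliberately mixes fast-track and legacy adds so the monthly median swings the way the next section describes.

```python
"""KEV-gap statistics: days from NVD publication to KEV listing.
Added example for this article; records below are constructed placeholders,
not real KEV catalog entries."""
from __future__ import annotations

import math
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample: (cve_id, nvd_published, kev_date_added).
SAMPLE_KEV = [
    ("CVE-2024-00001", date(2024, 3, 1), date(2024, 3, 3)),     # fast track
    ("CVE-2024-00002", date(2024, 2, 27), date(2024, 3, 5)),    # fast track (7 days)
    ("CVE-2024-00003", date(2024, 3, 8), date(2024, 3, 12)),    # fast track
    ("CVE-2019-00004", date(2019, 6, 10), date(2024, 3, 20)),   # legacy backfill
    ("CVE-2024-00005", date(2024, 4, 2), date(2024, 4, 4)),     # fast track
    ("CVE-2024-00006", date(2024, 3, 20), date(2024, 4, 10)),   # slower confirmation
    ("CVE-2018-00007", date(2018, 1, 15), date(2024, 4, 16)),   # legacy backfill
    ("CVE-2020-00008", date(2020, 9, 1), date(2024, 4, 25)),    # legacy backfill
]


def gap_days(published: date, added: date) -> int:
    """Days from NVD publication to KEV listing. A listing that predates the
    NVD record (reserved-but-unpublished CVE) is clamped to 0 rather than
    producing a negative gap."""
    return max(0, (added - published).days)


def percentile(values, p: float) -> float:
    """Nearest-rank percentile (no interpolation); adequate for a p90 summary."""
    ordered = sorted(values)
    idx = max(0, math.ceil(p * len(ordered)) - 1)
    return float(ordered[idx])


def summarize(records, fast_track_days: int = 7) -> dict:
    """Monthly median gap keyed by the KEV add month (YYYY-MM), overall p90,
    and the share of adds listed within `fast_track_days` of publication."""
    by_month: dict[str, list[int]] = defaultdict(list)
    all_gaps: list[int] = []
    for _cve, published, added in records:
        g = gap_days(published, added)
        by_month[added.strftime("%Y-%m")].append(g)
        all_gaps.append(g)
    return {
        "monthly_median": {m: median(gs) for m, gs in sorted(by_month.items())},
        "p90_days": percentile(all_gaps, 0.90),
        "within_week_share": sum(g <= fast_track_days for g in all_gaps) / len(all_gaps),
    }


if __name__ == "__main__":
    stats = summarize(SAMPLE_KEV)
    for month, med in stats["monthly_median"].items():
        print(f"{month}: median gap {med:.1f} days")
    print(f"p90: {stats['p90_days']:.0f} days")
    print(f"within 7 days: {stats['within_week_share']:.0%}")
```

In the constructed sample the March median is 5.5 days and the April median is 676.5 days, even though both months contain the same number of fast-track adds; the difference is entirely the number of legacy backfills, which is the mixing effect the article attributes the month-to-month bounce to.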

Chart 2. Share of monthly KEV adds where CISA listed the CVE within seven days of publication. It holds at 38–39% overall, with a slight downward drift (42% in 2023, 34% in 2026).


That share is a defensible floor on the fraction of KEV CVEs exploited at issuance. The true fraction is higher: some bugs exploited at issuance only reach KEV weeks later, when CISA gets confirmation. The within-7-days share is just what we can read off the timing. Treating ~38% of KEV adds as “active at issuance” is conservative.

EPSS as a second signal

EPSS, the Exploit Prediction Scoring System maintained by FIRST.org, is a daily score attached to every CVE estimating the probability that it will be exploited within the next 30 days. The natural follow-up question: does EPSS rise before CISA lists the CVE on KEV, giving defenders an earlier warning? For every KEV CVE since 2023 we found the earliest date EPSS reached 0.10 (a conventional “elevated” threshold) and compared it to the day CISA added the CVE.

Chart 3. Stacked monthly share of KEV adds by EPSS-lead bucket. Green: EPSS reached 0.10 before CISA listed the CVE (the early-warning subset). Orange: KEV listing came first, EPSS rose only after. Grey: EPSS never crossed 0.10.


The hypothesis was that EPSS would lead KEV. The data says otherwise: EPSS led by any positive amount for only 19% of KEV CVEs (16% by 30+ days). For the other 58%, KEV listing came first and EPSS only rose afterwards; for 23%, EPSS never crossed 0.10 at all. The likely reason is that FIRST.org’s model treats KEV listing itself as a feature, so once CISA acts, EPSS catches up. But for the green subset — the ~20% where EPSS does lead — the lead time is substantial: a median of 198 days. EPSS is a useful early warning for a meaningful minority of KEV CVEs; for the majority, KEV remains the leading signal.
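The three buckets in Chart 3 come from a single comparison per CVE: the first date the EPSS time series reaches 0.10 versus the KEV add date. The following is an added example, not the article's own analysis code; the EPSS histories and add dates are constructed placeholders, and a real run would replace them with the per-CVE score series from FIRST's published EPSS data and `dateAdded` from the KEV catalog. A CVE counts as “EPSS led” only when the crossing is strictly before the add date, matching the article's “led by any positive amount.”

```python
"""EPSS-lead bucketing relative to KEV listing.
Added example for this article; histories and dates are constructed placeholders."""
from __future__ import annotations

from datetime import date
from statistics import median

THRESHOLD = 0.10  # the "elevated" threshold used in the article

# Constructed EPSS histories: per CVE, (score_date, epss) observations, oldest first.
EPSS_HISTORY = {
    "CVE-2023-00001": [(date(2023, 5, 1), 0.02), (date(2023, 7, 15), 0.31), (date(2024, 2, 1), 0.55)],
    "CVE-2023-00002": [(date(2023, 9, 1), 0.01), (date(2023, 9, 20), 0.04), (date(2023, 10, 2), 0.40)],
    "CVE-2023-00003": [(date(2023, 11, 1), 0.03), (date(2024, 1, 10), 0.06)],
    "CVE-2023-00004": [(date(2023, 3, 1), 0.12), (date(2023, 4, 1), 0.20)],
}
# Constructed KEV add dates for the same placeholder CVEs.
KEV_ADDED = {
    "CVE-2023-00001": date(2024, 1, 30),  # EPSS crossed months earlier
    "CVE-2023-00002": date(2023, 9, 29),  # KEV first, EPSS caught up days later
    "CVE-2023-00003": date(2024, 1, 5),   # EPSS never crossed 0.10
    "CVE-2023-00004": date(2023, 3, 10),  # short EPSS lead
}


def first_crossing(history, threshold: float = THRESHOLD):
    """Earliest observation date at which EPSS >= threshold, or None."""
    for day, score in history:
        if score >= threshold:
            return day
    return None


def bucket(lead):
    """Map a lead (kev_added - first_crossing, in days) to Chart 3's buckets."""
    if lead is None:
        return "never"          # grey: EPSS never reached the threshold
    return "epss_led" if lead > 0 else "kev_led"  # green vs orange


def summarize(epss_history, kev_added) -> dict:
    """Bucket shares, median lead for the EPSS-led subset, and the share that
    led by 30 or more days."""
    counts = {"epss_led": 0, "kev_led": 0, "never": 0}
    leads = []
    for cve, added in kev_added.items():
        crossed = first_crossing(epss_history.get(cve, []))
        lead = None if crossed is None else (added - crossed).days
        b = bucket(lead)
        counts[b] += 1
        if b == "epss_led":
            leads.append(lead)
    n = len(kev_added)
    return {
        "share": {k: v / n for k, v in counts.items()},
        "median_lead_days": median(leads) if leads else None,
        "led_30plus_share": sum(lead >= 30 for lead in leads) / n,
    }


if __name__ == "__main__":
    s = summarize(EPSS_HISTORY, KEV_ADDED)
    for name, share in s["share"].items():
        print(f"{name:9s} {share:.0%}")
    print(f"median lead (EPSS-led subset): {s['median_lead_days']} days")
    print(f"led by 30+ days: {s['led_30plus_share']:.0%}")
```

Note that the median lead is computed over the EPSS-led subset only, as in the article's 198-day figure, while the 30+ days share is expressed against all KEV CVEs, matching the way the 16% is quoted.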

Caveats

The KEV addition date is when CISA added the CVE, not when exploitation began. A 200-day gap doesn’t mean 200 quiet days. Either the exploit existed all along and CISA found out late, or attackers picked up a legacy bug only recently. The gap is a process signal as much as an attacker-tempo signal, so the “not shrinking” finding shouldn’t be read as “CISA is getting slower.” A more accurate reading is that CISA’s catch-up backfill workload has grown alongside its fast-track work, and the two pull the median in opposite directions.

Key takeaways

  • The gap from CVE publish to KEV listing isn’t shrinking. The monthly median bounces from a few days to several months depending on the mix.
  • The distribution is bimodal: about 39% of KEV adds land within a week of publication; the rest stretches into a multi-year tail.
  • The within-7-days share is a defensible lower bound on “exploited at issuance” — about 39% of KEV adds since 2023.
  • The p90 has stayed near 4.5 years for three years. CISA continues to backfill legacy CVEs at a steady pace.
  • EPSS leads KEV for ~20% of CVEs (median lead: 198 days) — useful early warning when it works. For the other 80%, KEV listing comes first and EPSS catches up afterwards.