Exploitation Is Concentrated: Why Patch Prioritization Should Follow KEV, Not CVSS
Executive summary
Across the entire CISA Known Exploited Vulnerabilities catalog (1631 CVEs confirmed exploited in the wild), real-world exploitation is dramatically concentrated. The top five vendors account for 43.8% of every entry; the top ten for 54.3%. A vulnerability-management program that ranks work by CVSS treats a rarely-touched flaw and a mass-exploited one as equals. Ranking by KEV presence, ransomware association, and CISA's assigned remediation window does not.
Every security team faces the same arithmetic: far more CVEs are published than any team can patch immediately, so something has to decide the order. For most organizations that "something" is still CVSS base score. It is the wrong instrument for the job — not because the score is inaccurate, but because it measures the wrong thing. CVSS estimates how bad exploitation would be. It says nothing about whether exploitation is actually happening. The CISA KEV catalog answers exactly that question, and when you analyze it in aggregate, the signal is unusually clean.
Finding 1 — A handful of vendors carry most of the risk
Microsoft alone accounts for 23.2% of the entire catalog — 378 distinct CVEs confirmed exploited in the wild. Cisco, the next-largest, sits at 5.7%. This is not a knock on any vendor; large install bases attract attackers. It is a planning fact: your exposure to confirmed exploitation is dominated by a small set of technologies, and your patch cadence for those should be structurally faster than for everything else.
Finding 2 — One in five exploited CVEs is ransomware-linked
20.1% of catalog entries (328 CVEs) are flagged by CISA as used in known ransomware campaigns. For Microsoft, that share is 27.5%. Ransomware association is the single most actionable enrichment in the catalog, because it maps a vulnerability directly to the outcome executives care about most. A KEV entry with a ransomware flag is not a patch ticket — it is a business-continuity control, and should be routed and escalated as one.
Finding 3 — CISA's remediation windows are a free urgency signal
Each KEV entry carries a federal remediation deadline. The median window across the catalog is 21 days, but it is not uniform: CISA assigns tighter deadlines to the threats it assesses as most urgent. Juniper entries carry a median window of just 4 days. Most teams never look at this field. It is, in effect, a government-funded triage label sitting unused in a public feed.
What to do with this
- Add a KEV gate to your VM workflow. Any CVE present in the KEV catalog jumps the queue regardless of CVSS. This is now US federal baseline (BOD 22-01); adopt it whether or not you are required to.
- Structurally accelerate your top KEV vendors. Build a faster patch lane for the product families that dominate the catalog for your stack — for most organizations that starts with Microsoft.
- Escalate the ransomware flag. Route ransomware-linked KEV entries to business-continuity owners, not just the patch queue.
- Inherit CISA's deadlines. Use the remediation window as your internal SLA. It is a defensible, externally-sourced urgency label.
- Detect while you patch. Patching takes time; deploy detections for KEV entries in parallel. Our detection pack ships traceable Sigma rules for the highest-priority entries in this dataset.
None of this requires a threat-intelligence subscription or a proprietary risk score. It requires treating a free, authoritative, public dataset as the prioritization backbone it already is. The full figures behind this analysis — vendor rankings, ransomware shares, remediation windows, and monthly velocity — are published as the Exploitation Velocity Index, updated from the catalog and downloadable as JSON so you can reproduce every number here.
✓ Sources & reproducibility
- CISA Known Exploited Vulnerabilities Catalog — primary dataset (v2026.07.01)
- CISA BOD 22-01 — the directive establishing KEV remediation deadlines
- Exploitation Velocity Index — the derived dataset and full methodology behind every figure
- exploitation-velocity-index.json — machine-readable data (CC BY 4.0)
Operationalize it
Traceable Sigma detections for the highest-priority KEV entries — every rule linked to its CVE, KEV date, and vendor advisory.