NGCC Blog

CISA Keeps a Running List of Vulnerabilities Hackers Are Exploiting Right Now


I believe in using every tool available to put your best foot forward. The thoughts and experiences on this page are my own; I use AI to help ensure grammar is accurate.



Microsoft’s Windows OS is everywhere. Every single machine has a patch history of updates that were applied and those that weren’t.

Here’s the uncomfortable truth: attackers know exactly which Windows vulnerabilities are still unpatched on networks like yours. They share that information. They write tools around it. They run scans looking for it.

CISA, the federal Cybersecurity and Infrastructure Security Agency, knows this. So they built a public list.

The Known Exploited Vulnerabilities Catalog

The CISA KEV Catalog is a free, regularly updated list of software vulnerabilities that attackers are actively exploiting right now, not in theory, not in a lab. In real attacks, on real networks.

As of early 2026, the catalog has over 1,200 entries. Windows accounts for a significant slice of that list. Not because Windows is uniquely bad software, but because it’s ubiquitous. When attackers find something that works across millions of machines, they use it.

What makes KEV different from a general vulnerability database is the bar for inclusion. A vulnerability only makes the list when CISA has evidence it’s being weaponized. That makes it a practical triage tool, not just an academic reference.

What This Means for Your Organization

If you’re running Windows, and most organizations are, some of those catalog entries apply to software you have installed right now.

You don’t need to patch every vulnerability. That’s an impossible task for a small IT shop. But you should know which ones attackers are already using, because those are the ones most likely to be used against your network.

A few Windows vulnerabilities that have appeared on the KEV list in recent years:

  • PrintNightmare (Windows Print Spooler) — exploited by ransomware groups to move through networks
  • Follina (Microsoft Office) — exploited via a Word document, no macro required
  • Windows Common Log File System Driver vulnerabilities — used repeatedly in ransomware campaigns

Your organization may have already patched these. It may not have. The point is: the KEV catalog tells you where to look first.

What to Do This Week

You don’t need a security team to use the KEV catalog. Here’s how to start.

1. Subscribe to CISA’s KEV alert feed. Go to cisa.gov/known-exploited-vulnerabilities-catalog and subscribe to updates. CISA adds new entries when new vulnerabilities are confirmed to have been exploited. You want to know the same week they do.

2. Cross-reference against your Windows environment. When a new Windows entry appears, check whether your machines are running the affected version. Microsoft’s update history pages are free and searchable by CVE number — the identifier listed in each KEV entry.

3. Prioritize KEV entries over everything else. If your patching process is backlogged — and most small organizations’ are — use KEV as your triage filter. Patch those first. Everything else can wait another week.

4. Check your Windows Update settings. If Windows Update is enabled and automatic, many of these patches may already be applied. Confirm it. Don’t assume. Go to Settings → Windows Update → Update History and look at what’s actually been installed.
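Steps 2 and 3 can be scripted as a weekly check. The sketch below is an added example, not part of the original post: it filters a KEV feed down to recent Microsoft Windows entries you have not yet dealt with and orders them for patching. The feed excerpt and its CVE IDs are constructed placeholders, and the `windows_triage` function, its 30-day window, and the `handled` set are assumptions made for illustration.

```python
import json
from datetime import date, timedelta

# Constructed sample shaped like CISA's KEV JSON download (real field names,
# placeholder CVE IDs and entries). Replace with the file from the catalog page.
SAMPLE_FEED = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "Microsoft", "product": "Windows",
  "dateAdded": "2026-01-20", "dueDate": "2026-02-10", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "Windows",
  "dateAdded": "2026-01-25", "dueDate": "2026-02-05", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "Router",
  "dateAdded": "2026-01-22", "dueDate": "2026-02-12", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0004", "vendorProject": "Microsoft", "product": "Windows",
  "dateAdded": "2024-03-01", "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0005", "vendorProject": "Microsoft", "product": "Windows",
  "dateAdded": "2026-01-28", "dueDate": "2026-02-18", "knownRansomwareCampaignUse": "Known"}
]}
""")

def windows_triage(feed, today, handled=frozenset(), window_days=30):
    """Return Microsoft Windows KEV entries added in the last window_days that
    are not in `handled` (CVEs you already confirmed patched), most urgent first."""
    cutoff = today - timedelta(days=window_days)
    hits = []
    for v in feed.get("vulnerabilities", []):
        if v.get("vendorProject", "").lower() != "microsoft":
            continue
        if "windows" not in v.get("product", "").lower():
            continue
        if v.get("cveID") in handled:
            continue
        try:
            added = date.fromisoformat(v.get("dateAdded", ""))
        except ValueError:
            added = today  # unreadable date: keep the entry visible, don't drop it
        if added < cutoff:
            continue
        hits.append(v)
    # Ransomware-linked entries first, then the earliest CISA due date.
    hits.sort(key=lambda v: (v.get("knownRansomwareCampaignUse") != "Known",
                             v.get("dueDate", "9999-12-31")))
    return hits

if __name__ == "__main__":
    for v in windows_triage(SAMPLE_FEED, date(2026, 2, 1), handled={"CVE-0000-0005"}):
        print(v["cveID"], v["dueDate"], v["knownRansomwareCampaignUse"])
```

Each CVE ID it prints is what you look up in Microsoft's update history to find the matching update for your Windows version.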

The One Thing to Take Away

There’s a free, federally maintained list of the exact vulnerabilities attackers are exploiting right now. It includes Windows. It’s updated constantly.

Bookmark it today: cisa.gov/known-exploited-vulnerabilities-catalog

You don’t have to fix everything. But you should know what’s on that list.


Written by
Jose Francisco Caro

Jose Francisco Caro is a cybersecurity professional, currently serving in the Iowa Army National Guard, and the founder of Nueva Guardia Cyber Consulting. Building NGCC to open doors for the next generation of professionals who need someone to point the way — and to bring security to the small businesses, schools, and local governments that are the backbone of our communities.
