The Cybersecurity and Infrastructure Security Agency (CISA) unveiled a new nomination form for its Known Exploited Vulnerabilities catalog on Thursday, inviting researchers, vendors and other industry partners to report their findings.The new reporting avenue aims to engage the wide cybersecurity community to more quickly identify vulnerabilities under exploitation as the time-to-exploit (TTE) for newly disclosed vulnerabilities continues to narrow. “Early detection and coordinated vulnerability disclosure are among the most powerful tools we have to reduce risk at scale,” said Chris Butera, CISA’s Acting Executive Assistant Director for Cybersecurity, in a statement. “CISA strongly encourages researchers and organizations to share vulnerability threats and help us secure the systems Americans rely on every day.”A blog post from 2023 lends some insight into the challenges CISA faces identifying and validating exploited vulnerabilities without a more direct means of nomination.Vulnerabilities considered for KEV submission must have an assigned CVE number, credible evidence of exploitation in the wild and an effective mitigation available.Former Executive Assistant Director for Cybersecurity Eric Goldstein, Vulnerability Analyst Elizabeth Cardona and former Cyber Security Section Chief Tod Beardsley described a process of “chasing whispers of exploitation in the wild that circulate online,” “sorting through vast amounts of data” and doing “detective work” to validate genuine malicious exploitation, which includes distinguishing between exploitation and simple scanning and reconnaissance.The CISA officials also wrote about difficulty finding remediation information for some exploited vulnerabilities, saying the process can take days.“Our team spends hours scouring security forums, manufacturer websites, open-source mailing lists, end-of-life announcements, and vulnerability databases to search for a patch or official mitigation guidance,” the blog states.As revealed by Verizon’s 2026 Data Breach Investigations Report (DBIR), published this week, patching of KEV vulnerabilities by organizations is not much faster now than it was in 2023, yet organizations are dealing with more vulnerability instances than ever before.The report found that about 71% of KEV vulnerability instances remained unpatched after seven days in 2023 compared with 69% in 2025, and in both years, 35% remained unpatched on Day 28. Yet in 2023, only about 120.8 million vulnerability instances were recorded, compared with 527.3 million in 2025. The current median time for full remediation of KEV vulnerabilities per organization is 43 days.Meanwhile the average TTE for newly disclosed vulnerabilities was estimated to be as little as five days in 2025, with recent cases such as the Linux “Copy Fail” vulnerability showing exploitation within 48 hours.As the industry anticipates even more rapid vulnerability discovery and exploitation development driven by AI tools such as Claude Mythos Preview, CISA is reportedly considering shortening the average KEV deadline for federal civilian executive branch agencies from about two to three weeks to just three days.
Vulnerability Management, Government security
You can now nominate vulnerabilities for CISA’s KEV with this form

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



