CISA logo

How the CISA catalog of vulnerabilities can help your organization

The Cybersecurity and Infrastructure Security Agency (CISA) maintains a “known exploited vulnerabilities catalog” which can be useful if you need help prioritizing the patching of vulnerabilities. In essence it is a long list of vulnerabilities that are actually being used by criminals to do harm, with deadlines for fixing them.

Many organizations are running a plethora of software and Internet-facing devices and vulnerabilities that can be used to exploit them are found every day. Everybody knows they need to patch, but deciding what to patch when, and then finding time and resources to do it, are a significant challenges.

If you are having difficulty deciding what to patch next whether you use a vulnerability and patch management service or not, the CISA catalog offers useful guidance to help you decide what to focus on.

BOD 22-01

The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01 in November 2021. The directive established the catalog and bound everyone operating federal information systems to abide by it.

Two things made the directive stand out. The first was that it was based on what was actively being exploited, rather than an abstract severity score, like CVSS. The second was that it mandated specific—and very tight—deadlines, for vulnerabilities to be dealt with. Although agencies were given a longer grace period to handle historic vulnerabilities, they only had two weeks to patch anything new—the blink of an eye in patching terms.

At first the catalog focused on vulnerabilities that would allow an attacker to breach a network or compromise a system to gain a foothold suitable for data theft or ransomware.

Later, around the start of the war in Ukraine, CISA added a long list of vulnerabilities that threat actors can use to disrupt operations and networks. Actions that do not lead to financial gain, but can be used in a conflict.

Because it’s based on what criminals are actually exploiting, your organization might still want to feed the catalog into its patch management strategy, even if it isn’t a federal agency that’s obliged to.

The catalog has 9 columns:

  • The CVE number of the vulnerability.
  • Vendor/Project
  • Product
  • Vulnerability Name
  • Date Added to Catalog
  • Short Description (of the vulnerability)
  • Action: What needs to be done to mitigate the vulnerability
  • Due Date: by when the action needs to be completed by FCEB agencies.
  • Notes: point to Emergency Directives about the vulnerability or vendor sites that discuss the vulnerability.
catalog header with sort buttons

If you’re responsible for keeping your organization’s systems secure, you will already know that having a network inventory is critical: To be effective, you have to know what to protect. With that network inventory in hand, it’s good to know that the catalog can be sorted, among others, by Vendor/Project, by Product, and by Due Date.


Because the list is regularly updated you will want to keep an eye out for changes, once you are caught up. To make things easier, you can subscribe to receive updates. We also suggest you check out Malwarebytes’ patch management solution, and finally, make sure you ditch any software that has reached its end-of-life (EOL) and is beyond the scope of security updates.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.