CISA Known Exploit Vulnerability (KEV) Integration

  • Release version: Zurich
  • Updated July 31, 2025

    The Vulnerability Response integration with the CISA Known Exploited Vulnerabilities (KEVs) catalog ingests data to help you effectively prioritize and remediate these vulnerabilities.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    CISA enables urgent and prioritized remediation of actively exploited vulnerabilities for government agencies and corporations.

    About CISA

    The Cybersecurity & Infrastructure Security Agency (CISA) is a U.S. agency that publishes a report on the most exploited vulnerabilities. It easily integrates with Vulnerability Response to map Common Vulnerabilities and Exposures (CVE) vulnerabilities, enriching the data in your instance. This information is then rolled up to the Third-Party Vulnerability Entries table. The earliest due date is considered for the roll-up to the vulnerable items.
    Note:
    The CISA Exists check box for CVEs retrieved by CISA.
    Values retrieved from the CISA integration:
    • CVE ID
    • Due date
    • Date added
    • Vendor/Project
    • Product
    • Known ransomware (starting from v21.0 of Vulnerability Response, a new field, Known To Be Used in Ransomware Campaigns, is ingested from the CISA Known Exploited Vulnerabilities (KEVs) catalog. It is indicated by the flagging of the Known ransomware field on the National Vulnerability Entry database table. The flag is set at the Common Vulnerabilities and Exposures (CVE) level and rolled up to the third-party entry (TPE).)
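
An added example, not ServiceNow's code, of the roll-up described above: KEV entries are keyed by CVE, and each third-party entry takes the earliest due date among its CVEs. Field names follow CISA's public KEV JSON feed; the sample records, the TPE-to-CVE mapping, the `in_kev` name, and setting the ransomware flag when any mapped CVE has it are assumptions.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed; CVE IDs are placeholders.
SAMPLE_KEV = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
  "dateAdded": "2025-01-24", "dueDate": "2025-02-14", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleApp",
  "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "OtherOS",
  "dateAdded": "2025-02-08", "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Unknown"}
]}""")

# Hypothetical mapping: third-party entry (scanner finding) -> CVEs it references.
TPE_TO_CVES = {
    "TPE-1001": ["CVE-0000-0001", "CVE-0000-0002"],
    "TPE-1002": ["CVE-0000-0003"],
    "TPE-1003": ["CVE-0000-0004"],  # CVE not present in the catalog
}

def index_kev(catalog):
    """Key KEV entries by CVE ID, keeping the values the page lists."""
    indexed = {}
    for v in catalog.get("vulnerabilities", []):
        indexed[v["cveID"]] = {
            "due_date": date.fromisoformat(v["dueDate"]),
            "date_added": date.fromisoformat(v["dateAdded"]),
            "vendor_project": v["vendorProject"],
            "product": v["product"],
            # Feed values are "Known"/"Unknown"; a missing key counts as not known.
            "known_ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        }
    return indexed

def roll_up(tpe_to_cves, kev):
    """Roll CVE-level KEV data up to each third-party entry."""
    result = {}
    for tpe, cves in tpe_to_cves.items():
        hits = [kev[c] for c in cves if c in kev]
        result[tpe] = {
            "in_kev": bool(hits),
            # Earliest due date among the entry's KEV-listed CVEs wins.
            "due_date": min((h["due_date"] for h in hits), default=None),
            # Assumption: flag the entry if any of its CVEs is flagged.
            "known_ransomware": any(h["known_ransomware"] for h in hits),
        }
    return result
```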

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Scheduled jobs

    The CISA Integration is invoked automatically as a daily scheduled job. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

    Available versions

    Release version | Release Notes
    Vulnerability Response | v16.5, v18.0
    Vulnerability Response Integration with CISA | v1.0, v1.2

    Viewing the CISA integration

    To view the CISA integration, navigate to Vulnerability Response > Administration > Integrations > CISA Known Exploit Vulnerability Integration.

    The following integrations are included in the base system.
    Note:
    Only the CISA Integration is active, by default.
    Table 1. CISA integration
    Integration | Description
    Cybersecurity & Infrastructure Security Agency (CISA) Integration | Retrieves CISA vulnerability data (CVE) and enriches the existing vulnerability data. This integration is set automatically to run daily.

    To view data in third-party vulnerabilities, see View Vulnerability Response vulnerability libraries.