CISA Known Exploit Vulnerability (KEV) Integration

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of CISA Known Exploit Vulnerability (KEV) Integration

    The CISA Known Exploit Vulnerability (KEV) Integration connects ServiceNow Vulnerability Response with the U.S. Cybersecurity & Infrastructure Security Agency’s (CISA) KEV catalog. This integration helps you prioritize and remediate actively exploited vulnerabilities by ingesting critical vulnerability data directly into your ServiceNow instance. It supports government agencies and corporations in responding urgently to the highest risk vulnerabilities.

    Show full answer Show less

    Key Features

    • Data Ingestion: Automatically imports Common Vulnerabilities and Exposures (CVE) data from CISA, enriching your existing vulnerability records.
    • Third-Party Vulnerability Mapping: The imported CVEs roll up into the Third-Party Vulnerability Entries table, consolidating vulnerability information for easier management.
    • Known Ransomware Flag: Starting with Vulnerability Response version 21.0, vulnerabilities known to be used in ransomware campaigns are flagged to enhance prioritization.
    • Scheduled Synchronization: The integration runs as a daily scheduled job that keeps your vulnerability data synchronized with CISA’s latest updates. Manual execution of scheduled jobs is also supported for on-demand updates.
    • Preconfigured Run-As User: The integration uses a default system user (VR.System) to maintain security and consistent operation. It is recommended not to change this user.
    • View and Manage Integration: The integration can be accessed in ServiceNow via Vulnerability Response > Administration > Integrations > CISA Known Exploit Vulnerability Integration.

    Key Outcomes

    • Improved prioritization of vulnerabilities based on real-world exploitation data from CISA, enabling more focused remediation efforts.
    • Enhanced vulnerability records with due dates and flags for ransomware involvement, supporting risk-based decision-making.
    • Automated daily updates minimize manual tracking, ensuring your vulnerability data is current and aligned with CISA advisories.
    • Seamless integration within the ServiceNow Vulnerability Response framework simplifies vulnerability lifecycle management.

    The Vulnerability Response integration with the CISA Known Exploited Vulnerabilities (KEVs) catalog ingests data to help you effectively prioritize and remediate these vulnerabilities.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    CISA enables urgent and prioritized remediation of actively exploited vulnerabilities for government agencies and corporations.

    About CISA

    Cybersecurity & Infrastructure Security Agency (CISA) is a U.S. Cybersecurity & Infrastructure Security Agency that publishes a report on the most exploited vulnerabilities. It easily integrates with Vulnerability Response to map Common Vulnerabilities and Exposures (CVE) vulnerabilities enriching the data in your instance. This information is then rolled up to the Third-Party Vulnerability Entries table. The earliest due date is considered for the roll-up to the vulnerable items.
    Note:
    The CISA Exists check box for CVEs retrieved by CISA.
    Values retrieved from the CISA integration:
    • CVE ID
    • Due date
    • Date added
    • Vendor/Project
    • Product
    • Known ransomware (starting from v21.0 of Vulnerability Response, a new field Known To Be Used in Ransomware Campaigns is ingested from the CISA Known Exploited Vulnerabilities (KEVs) catalog. It’s indicated by the flagging of the Known ransomware field on the National Vulnerability Entry database table. The flag is set at the Common Vulnerabilities and Exposures (CVE) level and rolled up to the third-party entry (TPE).

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Scheduled jobs

    The CISA Integration is invoked automatically as a daily scheduled job. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

    Available versions

    Release version Release Notes

    Vulnerability Response v16.5, v18.0

    Vulnerability Response Integration with CISA v1.0, v1.2

    Viewing the CISA integration

    To view the CISA integration, navigate to Vulnerability Response > Administration > Integrations > CISA Known Exploit Vulnerability Integration.

    The following integrations are included in the base system.
    Note:
    Only the CISA Integration is active, by default.
    Table 1. CISA integration
    Integration Description
    Cybersecurity & Infrastructure Security Agency (CISA) Integration Retrieves CISA vulnerability data (CVE) and enriches the existing vulnerability data. This integration is set automatically to run daily.

    To view data in third-party vulnerabilities, see View Vulnerability Response vulnerability libraries.