marklechner/kev-mcp-server
A Model Context Protocol (MCP) server providing access to CISA's Known Exploited Vulnerabilities (KEV) catalog for querying and analyzing actively exploited vulnerabilities.
CISA KEV MCP Server
A Model Context Protocol (MCP) server that provides access to CISA's Known Exploited Vulnerabilities (KEV) catalog. This server enables AI assistants to query and analyze actively exploited vulnerabilities tracked by the U.S. Cybersecurity and Infrastructure Security Agency.
Features
- CVE Lookup: Check if a specific CVE is in the KEV catalog with full details
- Vendor Search: Find all vulnerabilities affecting a specific vendor
- Product Search: Find all vulnerabilities affecting a specific product
- Recent Tracking: Monitor newly added vulnerabilities
- Due Date Management: Track remediation deadlines (overdue, due soon, upcoming)
- Keyword Search: Find vulnerabilities by description or type (e.g., "remote code execution")
Tools Provided
kev_check_cve
Check if a CVE ID is in the CISA KEV catalog and retrieve detailed information.
Input: cve_id (string) - e.g., "CVE-2024-55591"
Returns: CVE details including vendor, product, description, dates, required action, and ransomware association.
kev_search_by_vendor
Search for all vulnerabilities from a specific vendor.
Input: vendor (string) - e.g., "Microsoft", "Fortinet", "Cisco"
Returns: Up to 50 matching vulnerabilities with key details.
kev_search_by_product
Search for all vulnerabilities affecting a specific product.
Input: product (string) - e.g., "Windows", "Chrome", "FortiOS"
Returns: Up to 50 matching vulnerabilities with key details.
kev_recent_cves
Get recently added CVEs from the KEV catalog.
Input: days (integer, optional) - Number of days to look back (default: 7)
Returns: All CVEs added within the specified timeframe.
kev_search_by_due_date
Find CVEs with upcoming or past due remediation dates for prioritization.
Input:
status (string, required) - One of:
- "overdue" - Past the due date
- "due_soon" - Due within the specified number of days
- "upcoming" - All future due dates
days (integer, optional) - For "due_soon", days to look ahead (default: 30)
Returns: Matching vulnerabilities sorted by urgency with days until due.
kev_search_by_description
Search vulnerability names and descriptions by keywords.
Input: keywords (string) - e.g., "remote code execution", "SQL injection", "authentication bypass"
Returns: Up to 50 matching vulnerabilities.
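The following is an added example, not the project's own code, showing the query logic the six tools above describe (exact CVE lookup, capped vendor/product/keyword searches, recent additions, and the overdue / due_soon / upcoming classification sorted by urgency). It runs over a small constructed catalog in the shape of the public KEV JSON feed; the field names (cveID, vendorProject, product, vulnerabilityName, shortDescription, dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse) are those of that feed, and how the real server maps them is an assumption here, as is the fixed "today" used so the results are reproducible.

```python
"""Added example: KEV catalog queries mirroring the tool descriptions.

Not the project's code. Field names follow the public KEV JSON feed; the
catalog below is constructed sample data with placeholder CVE IDs/vendors.
"""
import json
from datetime import date, datetime, timedelta

MAX_RESULTS = 50  # README: vendor/product/keyword searches return up to 50 matches
VALID_STATUSES = ("overdue", "due_soon", "upcoming")
TODAY = date(2025, 3, 1)  # fixed reference date (assumption) so results are reproducible

# Constructed sample in the KEV feed's shape; not real KEV data.
SAMPLE_CATALOG = json.loads("""
{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleOS",
     "vulnerabilityName": "ExampleOS Authentication Bypass Vulnerability",
     "shortDescription": "An authentication bypass allows unauthenticated remote code execution.",
     "dateAdded": "2025-02-26", "dueDate": "2025-02-20",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleRouter",
     "vulnerabilityName": "ExampleRouter Command Injection Vulnerability",
     "shortDescription": "A command injection flaw allows remote code execution.",
     "dateAdded": "2025-02-27", "dueDate": "2025-03-15",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "OtherBrowser",
     "vulnerabilityName": "OtherBrowser Use-After-Free Vulnerability",
     "shortDescription": "A use-after-free in the renderer allows code execution.",
     "dateAdded": "2025-01-15", "dueDate": "2025-05-01",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
""")


def _parse(day: str) -> date:
    """KEV dates are ISO YYYY-MM-DD strings."""
    return datetime.strptime(day, "%Y-%m-%d").date()


def check_cve(catalog, cve_id):
    """kev_check_cve: exact, case-insensitive match on the CVE ID; None if absent."""
    wanted = cve_id.strip().upper()
    for entry in catalog["vulnerabilities"]:
        if entry["cveID"].upper() == wanted:
            return entry
    return None


def search_field(catalog, field, needle, limit=MAX_RESULTS):
    """kev_search_by_vendor / kev_search_by_product: case-insensitive substring match, capped."""
    needle = needle.lower()
    hits = [e for e in catalog["vulnerabilities"] if needle in e[field].lower()]
    return hits[:limit]


def search_by_description(catalog, keywords, limit=MAX_RESULTS):
    """kev_search_by_description: phrase match against name and short description."""
    needle = keywords.lower()
    hits = [e for e in catalog["vulnerabilities"]
            if needle in e["vulnerabilityName"].lower()
            or needle in e["shortDescription"].lower()]
    return hits[:limit]


def recent_cves(catalog, days=7, today=None):
    """kev_recent_cves: entries whose dateAdded is within the last `days` days."""
    today = today or date.today()
    cutoff = today - timedelta(days=days)
    return [e for e in catalog["vulnerabilities"] if _parse(e["dateAdded"]) >= cutoff]


def search_by_due_date(catalog, status, days=30, today=None):
    """kev_search_by_due_date: (entry, days_until_due) pairs, most urgent first.

    Negative days_until_due means the BOD 22-01 deadline has already passed.
    """
    if status not in VALID_STATUSES:
        raise ValueError(f"status must be one of {VALID_STATUSES}")
    today = today or date.today()
    results = []
    for e in catalog["vulnerabilities"]:
        delta = (_parse(e["dueDate"]) - today).days
        if status == "overdue" and delta < 0:
            results.append((e, delta))
        elif status == "due_soon" and 0 <= delta <= days:
            results.append((e, delta))
        elif status == "upcoming" and delta >= 0:
            results.append((e, delta))
    return sorted(results, key=lambda pair: pair[1])


if __name__ == "__main__":
    for entry, delta in search_by_due_date(SAMPLE_CATALOG, "overdue", today=TODAY):
        print(f"{entry['cveID']} overdue by {-delta} days; {entry['requiredAction']}")
```

Sorting by signed days-until-due puts the most overdue entry first and the furthest-out deadline last, which is the ordering a remediation queue wants; a real server would load the feed fetched at startup into the same structure instead of the embedded sample.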
Installation
Using Docker (Recommended)
# Build the image
docker build -t kev-mcp-server .
# Run the container
docker run -i kev-mcp-server
Using Docker MCP Gateway
Add to your docker-compose.yml or run directly:
docker run -i kev-mcp-server
Configure in your MCP client (e.g., Claude Desktop) to use the Docker container.
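As an added example (not from the project's own documentation), this is the shape of a Claude Desktop `claude_desktop_config.json` entry that launches the container over stdio; the `mcpServers` / `command` / `args` structure is Claude Desktop's documented format, while the server label `cisa-kev` and the `--rm` flag are choices made here.

```json
{
  "mcpServers": {
    "cisa-kev": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "kev-mcp-server"]
    }
  }
}
```

`-i` keeps stdin open, which is what an MCP stdio transport needs; `--rm` simply discards the container when the client closes the session.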
Data Source
The server fetches data from CISA's KEV catalog:
- Primary: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Mirror: https://github.com/cisagov/kev-data
Data is fetched once on server startup and contains ~1,100+ actively exploited vulnerabilities that CISA has determined pose significant risk. Because the catalog is loaded at startup, entries CISA adds later appear only after the server is restarted.
Use Cases
Vulnerability Management
- Check exposure: "Is CVE-2024-55591 in the KEV catalog?"
- Vendor audit: "Show me all Fortinet vulnerabilities in KEV"
- Product assessment: "What FortiOS CVEs are being exploited?"
Remediation Planning
- Priority queue: "Show me overdue KEV vulnerabilities"
- Upcoming deadlines: "What KEV CVEs are due in the next 30 days?"
- Threat tracking: "Show me recent authentication bypass vulnerabilities"
Threat Intelligence
- Ransomware monitoring: Check ransomware associations in CVE details
- Trend analysis: "Show me CVEs added to KEV in the last 7 days"
- Attack type research: "Find all remote code execution vulnerabilities in KEV"
Compliance
Federal agencies must remediate KEV vulnerabilities per CISA BOD 22-01. This tool helps track and manage those obligations.
Example Queries
Ask your AI assistant:
"Check if CVE-2024-55591 is in the CISA KEV catalog"
"Show me all Microsoft vulnerabilities in KEV with upcoming due dates"
"What Fortinet CVEs were added to KEV in the last 30 days?"
"Find all remote code execution vulnerabilities in the KEV catalog"
"Which vulnerabilities are overdue for remediation?"
"Search for SQL injection vulnerabilities in KEV"
Security
The Docker container runs as a non-root user (mcp) for enhanced security. The server only reads public data from CISA and does not modify system state or store sensitive information.
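An illustrative Dockerfile, added here and not the project's own, showing how a container like this drops to the non-root `mcp` user described above. The base image, the `requirements.txt` dependency file and the `server.py` entrypoint are placeholders assumed for the example.

```dockerfile
# Illustrative Dockerfile (added example, not the project's own).
# Assumes a Python implementation with requirements.txt and server.py (placeholders).
FROM python:3.12-slim

# Create the unprivileged user the server will run as; no login shell needed.
RUN useradd --create-home --shell /usr/sbin/nologin mcp

WORKDIR /app
COPY --chown=mcp:mcp . /app
RUN pip install --no-cache-dir -r requirements.txt

# Drop privileges before the server starts; every later instruction and the
# running process execute as mcp, not root.
USER mcp

# MCP over stdio: the client talks to the process on stdin/stdout, hence `docker run -i`.
ENTRYPOINT ["python", "server.py"]
```

Placing `USER mcp` after the dependency install keeps package installation working while ensuring the long-running process itself has no root privileges; `docker inspect` on a running container, or `id` inside it, confirms the effective user.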
License
CC0 1.0 Universal - Public Domain
The KEV data is provided by CISA under CC0 license.
Contributing
Contributions welcome! Please open an issue or PR on GitHub.