U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


Known Exploited Vulnerabilities That Remain Unremediated Could Put the IRS Network at Risk

Report Information

Date Issued
Report Number
Report Type
Joint Report
Agency Wide
Yes (agency-wide)
Questioned Costs
Funds for Better Use


Timely remediate all KEVs in accordance with the time frames set forth in the CISA’s KEV Catalog.

In accordance with the directive, immediately isolate or remove from the network all assets with KEVs not remediated by the established due date.

The Chief Information Officer should assess attack signature changes to determine remediation time frames for each, and update data in the asset and vulnerability repository that include signature change dates applicable to KEVs and the remediation time frame allowed for each signature change as assessed.

The Chief Information Officer should finalize standard operating procedures on internal vulnerability management and update the Internal Revenue Manual.