This MCP (Model Context Protocol) server provides access to CISA's Catalog of Known Exploited Vulnerabilities (KEV). It allows AI assistants and other clients to query and analyze vulnerability data using the Model Context Protocol.
- Loads and caches the KEV data with daily refresh
- Exposes comprehensive tools to query and search the KEV database
- Provides statistical analysis of vulnerability data
- Implements filtering by multiple criteria
- Follows the Model Context Protocol for standardized AI assistant integration
- Delivers type-safe responses
npm install
npm run build
Start the server:
node build/index.js
The server runs on standard input/output, making it compatible with any MCP client.
The server provides the following tools for interacting with the KEV catalog:
Returns the total number of vulnerabilities in the KEV catalog.
Parameters: None
Example Response:
"436"
Returns the release date of the current KEV catalog.
Parameters: None
Example Response:
"2023-11-15"
Retrieves detailed information about a specific vulnerability by CVE ID.
Parameters:
- `cveId` (string): The CVE ID to look up (e.g., "CVE-2021-34527")
Example Response:
{
"cveID": "CVE-2021-34527",
"vendorProject": "Microsoft",
"product": "Windows Print Spooler",
"vulnerabilityName": "Microsoft Windows Print Spooler Remote Code Execution Vulnerability",
"dateAdded": "2021-07-02",
"shortDescription": "Microsoft Windows Print Spooler contains a remote code execution vulnerability...",
"requiredAction": "Apply updates per vendor instructions.",
"dueDate": "2021-07-16",
"knownRansomwareCampaignUse": "Known",
"notes": "This vulnerability has been exploited in the wild as part of ransomware attacks.",
"cwes": ["CWE-269"]
}
Returns a list of all unique vendors in the KEV catalog.
Parameters: None
Example Response:
["Adobe", "Apache", "Apple", "Atlassian", ...]
Returns a list of all unique products in the KEV catalog.
Parameters: None
Example Response:
["Access", "Acrobat Reader", "ActiveMQ", "Adaptive Security Appliance", ...]
Returns a list of all CVE IDs in the KEV catalog.
Parameters: None
Example Response:
["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", ...]
Returns vulnerabilities added to the KEV catalog within a specified time period.
Parameters:
- `days` (number, optional): Number of days to look back (default: 30)
Example Response:
{
"count": 15,
"vulnerabilities": [
{
"cveID": "CVE-2023-12345",
"vendorProject": "Example Vendor",
...
},
...
]
}
Identifies vulnerabilities with upcoming remediation due dates.
Parameters:
- `days` (number, optional): Number of days to look ahead (default: 30)
Example Response:
{
"count": 8,
"vulnerabilities": [
{
"cveID": "CVE-2023-67890",
"vendorProject": "Example Vendor",
"dueDate": "2023-12-15",
...
},
...
]
}
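An added sketch of the look-ahead window this tool describes, written for this page and not taken from the project's source. The function names, the inclusive window (today through today + `days`), the exclusion of overdue entries and the ransomware tie-break are assumptions; the records are constructed placeholders.

```typescript
// Added example, not the project's code. Field names follow the example
// responses on this page; window semantics and ordering are assumptions.
interface KevEntry {
  cveID: string;
  vendorProject: string;
  dueDate: string; // YYYY-MM-DD
  knownRansomwareCampaignUse: string; // "Known" or "Unknown"
}

const DAY_MS = 24 * 60 * 60 * 1000;

// Parse YYYY-MM-DD as UTC midnight so the window does not shift with the
// host time zone; returns NaN for malformed or impossible dates.
function parseUtcDay(s: string): number {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
  if (!m) return NaN;
  const t = Date.UTC(Number(m[1]), Number(m[2]) - 1, Number(m[3]));
  // Reject roll-over dates such as 2023-02-31.
  return new Date(t).toISOString().slice(0, 10) === s ? t : NaN;
}

// Assumed semantics: today <= dueDate <= today + days; overdue entries excluded.
function dueWithin(entries: KevEntry[], today: string, days: number = 30) {
  const start = parseUtcDay(today);
  if (Number.isNaN(start) || !Number.isInteger(days) || days < 0) {
    throw new RangeError("today must be YYYY-MM-DD and days a non-negative integer");
  }
  const end = start + days * DAY_MS;
  const vulnerabilities = entries
    .map((e) => ({ e, due: parseUtcDay(e.dueDate) }))
    .filter(({ due }) => !Number.isNaN(due) && due >= start && due <= end)
    // Soonest deadline first; known ransomware use breaks ties.
    .sort((a, b) => a.due - b.due ||
      Number(b.e.knownRansomwareCampaignUse === "Known") -
      Number(a.e.knownRansomwareCampaignUse === "Known"))
    .map(({ e }) => e);
  return { count: vulnerabilities.length, vulnerabilities };
}

// Constructed records (placeholder CVE IDs, not real catalog entries).
const sample: KevEntry[] = [
  { cveID: "CVE-0000-0001", vendorProject: "Example Vendor", dueDate: "2023-12-15", knownRansomwareCampaignUse: "Unknown" },
  { cveID: "CVE-0000-0002", vendorProject: "Example Vendor", dueDate: "2023-12-15", knownRansomwareCampaignUse: "Known" },
  { cveID: "CVE-0000-0003", vendorProject: "Example Vendor", dueDate: "2023-11-01", knownRansomwareCampaignUse: "Known" },
  { cveID: "CVE-0000-0004", vendorProject: "Example Vendor", dueDate: "2024-01-20", knownRansomwareCampaignUse: "Unknown" },
  { cveID: "CVE-0000-0005", vendorProject: "Example Vendor", dueDate: "2023-02-31", knownRansomwareCampaignUse: "Unknown" },
];
```

Under these assumptions an entry whose due date has already passed does not appear in the result, so overdue items need a separate query.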
Comprehensive search tool with multiple filtering options.
Parameters:
- `searchText` (string, optional): Text to search in vulnerability names, descriptions, and notes
- `ransomwareUse` (array of strings, optional): Filter by ransomware usage ("Known" or "Unknown")
- `cwes` (array of strings, optional): Filter by CWE identifiers
- `vendors` (array of strings, optional): Filter by vendor/project names
- `products` (array of strings, optional): Filter by product names
- `dateAddedStart` (string, optional): Start date for dateAdded range (YYYY-MM-DD)
- `dateAddedEnd` (string, optional): End date for dateAdded range (YYYY-MM-DD)
- `dateAdded` (array of strings, optional): Specific dateAdded values to match
- `dueDateStart` (string, optional): Start date for dueDate range (YYYY-MM-DD)
- `dueDateEnd` (string, optional): End date for dueDate range (YYYY-MM-DD)
- `dueDate` (array of strings, optional): Specific dueDate values to match
Example Response:
{
"count": 5,
"vulnerabilities": [
...
]
}
Finds vulnerabilities related to a specific vendor or product.
Parameters:
- `vendor` (string, optional): Vendor name to find related CVEs
- `product` (string, optional): Product name to find related CVEs
- `limit` (number, optional): Maximum number of results to return (default: 20)

Note: At least one of `vendor` or `product` must be provided.
Example Response:
{
"count": 12,
"totalMatches": 24,
"vulnerabilities": [
...
]
}
Locates vulnerabilities associated with a specific Common Weakness Enumeration (CWE).
Parameters:
- `cwe` (string): CWE identifier to search for (e.g., "CWE-79" or "79")
Example Response:
{
"count": 17,
"cwe": "CWE-79",
"vulnerabilities": [
...
]
}
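An added sketch of handling the two accepted input forms ("CWE-79" or "79"), written for this page and not taken from the project's source. The function names, the validation rule and the constructed records are assumptions; the point it shows is that matching must be exact on the normalized ID, so "CWE-79" never matches "CWE-790".

```typescript
// Added example, not the project's code. Records are constructed sample data.
interface KevCweEntry {
  cveID: string;
  cwes: string[];
}

// Accept "CWE-79", "cwe-79" or "79"; return canonical "CWE-79",
// or null when the input is not a plain CWE identifier.
function normalizeCwe(input: string): string | null {
  const m = /^(?:CWE-)?(\d{1,5})$/i.exec(input.trim());
  return m ? `CWE-${Number(m[1])}` : null;
}

// Response shape follows the example on this page: count, cwe, vulnerabilities.
function findByCwe(entries: KevCweEntry[], input: string) {
  const cwe = normalizeCwe(input);
  // Client-supplied arguments are untrusted, so malformed values are rejected
  // instead of being passed through to a substring search.
  if (cwe === null) throw new TypeError("cwe must look like CWE-79 or 79");
  const vulnerabilities = entries.filter((e) =>
    e.cwes.some((c) => normalizeCwe(c) === cwe));
  return { count: vulnerabilities.length, cwe, vulnerabilities };
}

// Constructed records (placeholder CVE IDs, not real catalog entries).
const cweSample: KevCweEntry[] = [
  { cveID: "CVE-0000-0001", cwes: ["CWE-79"] },
  { cveID: "CVE-0000-0002", cwes: ["CWE-790"] },
  { cveID: "CVE-0000-0003", cwes: ["CWE-787", "CWE-79"] },
  { cveID: "CVE-0000-0004", cwes: [] },
];
```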
Provides statistical analysis of the KEV catalog.
Parameters: None
Example Response:
{
"totalVulnerabilities": 436,
"topVendors": [
{"vendor": "Microsoft", "count": 89},
{"vendor": "Adobe", "count": 45},
...
],
"ransomwareUsage": {
"Known": 128,
"Unknown": 308
},
"countByYear": {
"2021": 168,
"2022": 175,
"2023": 93
}
}
Provides statistical analysis of CWEs in the KEV catalog.
Parameters: None
Example Response:
{
"uniqueCweCount": 42,
"topCwes": [
{"cwe": "CWE-79", "count": 48},
{"cwe": "CWE-787", "count": 37},
...
]
}
Forces a refresh of the KEV data cache to ensure the latest information is available.
Parameters: None
Example Response:
KEV data successfully refreshed. Current catalog version: 2023.11.15, with 436 vulnerabilities.
├── src/
│ ├── index.ts # Main server entry point
│ ├── types.ts # TypeScript interfaces
│ ├── utils.ts # Utility functions and constants
│ └── tools/ # Individual tools implementation
│ ├── index.ts # Tool registration
│ ├── getKevCount.ts # Count tool
│ ├── ...
├── build/ # Compiled JavaScript files
├── package.json
└── README.md
MIT