## https://sploitus.com/exploit?id=37C50661-A878-507B-9377-0F99874BB5CE
# KEV Investigator
An automated investigation draft generator for CISA's Known Exploited Vulnerabilities (KEV) catalog, built to remove the repetitive manual research that goes into triaging every new KEV entry.
Includes both a CLI and a desktop GUI.
---
## Problem
Every new CISA KEV entry typically requires the same investigation workflow:
- Pull the vulnerability description and CVSS score (NVD)
- Check whether a public proof-of-concept exploit exists (GitHub)
- Determine whether a patch or workaround is available
- Check internal asset exposure
- Write it all up as a structured report
Doing this by hand for every entry takes 15 to 20 minutes per CVE. This tool reduces that to under 2 minutes, end-to-end.
---
## What It Does
1. **Fetches new KEV entries** using a manually set cutoff date, so it only processes entries added after a point you choose (avoids reprocessing or missing entries)
2. **Enriches via NVD API**: pulls CVSS score, severity, full description, and affected product/version data
3. **Searches GitHub for public PoCs** with a dual search strategy (repository search + code search) to catch PoCs that don't have the CVE ID in their repo name
4. **Generates a patch/workaround recommendation via Gemini**, with prioritized output: confirmed patch version → workaround → general preventive guidance, depending on what's known
5. **Prompts for affected asset count** via terminal input (CLI) or popup dialog (GUI), per CVE
6. **Outputs a complete investigation report** as a clean `.md` file
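As an added illustration (not code from this project), here is how the cutoff filter of step 1 and the NVD enrichment of step 2 can be implemented against the real field layouts of the CISA KEV JSON feed and the NVD API 2.0 response; the sample feed, CVE IDs and vendor names below are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV catalog feed (not live data); the real
# feed has the same "vulnerabilities" list and "dateAdded" field. IDs/vendors are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "vulnerabilityName": "ExampleVPN Heap Buffer Overflow", "dateAdded": "2024-01-12"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "ExampleFW",
     "vulnerabilityName": "ExampleFW Authentication Bypass", "dateAdded": "2024-01-15"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleMail",
     "vulnerabilityName": "ExampleMail Path Traversal", "dateAdded": "2024-01-10"},
]})


def new_entries_since(catalog_json: str, cutoff_iso: str) -> list:
    """Return KEV entries added strictly AFTER the stored cutoff, oldest first.
    Strictly-after is the safe choice when the stored cutoff is the dateAdded of the
    newest entry already processed: re-running the tool then never repeats that entry.
    fromisoformat() rejects malformed dates instead of silently mis-comparing strings.
    """
    cutoff = date.fromisoformat(cutoff_iso)
    entries = json.loads(catalog_json)["vulnerabilities"]
    fresh = [v for v in entries if date.fromisoformat(v["dateAdded"]) > cutoff]
    return sorted(fresh, key=lambda v: v["dateAdded"])


def advance_cutoff(cutoff_iso: str, processed: list) -> str:
    """Next cutoff to persist: newest dateAdded processed (ISO dates sort lexically),
    or the old cutoff unchanged when nothing new was processed."""
    if not processed:
        return cutoff_iso
    return max(v["dateAdded"] for v in processed)


# Constructed fragment of an NVD API 2.0 response for one CVE (same key layout as the
# real API: vulnerabilities[0].cve.metrics.cvssMetricV31[0].cvssData).
NVD_SAMPLE = {"vulnerabilities": [{"cve": {
    "id": "CVE-0000-0002",
    "descriptions": [{"lang": "en", "value": "A heap-based buffer overflow in ExampleVPN..."}],
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
}}]}


def cvss_from_nvd(nvd_json: dict) -> tuple:
    """(baseScore, baseSeverity) from CVSS v3.1, falling back to v3.0; (None, None) when
    NVD has not analysed the CVE yet, so the report can say 'unscored' instead of crashing."""
    metrics = nvd_json["vulnerabilities"][0]["cve"].get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        if metrics.get(key):
            data = metrics[key][0]["cvssData"]
            return data["baseScore"], data["baseSeverity"]
    return None, None
```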
---
## Sample Output
```markdown
## Summary
Fortinet FortiOS SSL-VPN Heap Buffer Overflow Vulnerability
## Impact
Remote Code Execution (RCE)
## Initial Analysis
1. Description: A heap-based buffer overflow in Fortinet FortiOS...
2. CVSS Score: 9.8 (CRITICAL)
3. Affected Assets: 3 assets identified
4. Actively exploited in the wild. Public PoC Available: github.com/...
## Actions to Be Taken
1. Fortinet recommends updating FortiOS to version 7.0.10 or later...
2. Remediation ticket raised: 3 assets identified.
## References
1. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
2. https://nvd.nist.gov/vuln/detail/CVE-2024-XXXXX
```
---
## Setup
```bash
git clone https://github.com/yourusername/kev-investigator
cd kev-investigator
python -m venv venv
venv\Scripts\activate # Windows
# source venv/bin/activate # macOS/Linux
pip install -r requirements.txt
cp .env.example .env # Then fill in your own keys (see below)
```
### Required API Keys (all free tier)
| Key | Where to get it |
|---|---|
| `NVD_API_KEY` | https://nvd.nist.gov/developers/request-an-api-key |
| `GITHUB_TOKEN` | https://github.com/settings/tokens (classic, `public_repo` scope) |
| `GEMINI_API_KEY` | https://aistudio.google.com/app/apikey |
**Never commit your real `.env` file.** Only `.env.example` (with placeholder values) should be tracked in git; see [Security Notes](#security-notes) below.
---
## Usage
### CLI
```bash
# Set a cutoff date first (see main.py or run interactively)
python main.py # Auto mode: process entries added after cutoff
python main.py --cve CVE-2024-12345 # Force-process a specific CVE
```
### GUI
```bash
python gui_app.py
```
The GUI provides:
- A calendar-based cutoff date picker (no manual date typing, which avoids format errors)
- A mode toggle between "check new KEVs" and "specific CVE"
- A live log panel mirroring all pipeline output
- A popup per CVE for asset count entry
- A button to open the generated reports folder directly
To package the GUI as a standalone Windows executable:
```bash
pip install pyinstaller
pyinstaller --onefile --windowed --name "KEV-Investigator" gui_app.py
```
Place your `.env` file next to the resulting `.exe`; it is not bundled into the binary.
---
## Architecture
```
CISA KEV API
     │
     ▼
Date-Cutoff Filter ───► NVD API (CVSS, description, affected products)
     │                        │
     │                        ▼
     │                  GitHub PoC Search (repo search + code search)
     │                        │
     │                        ▼
     │                  Gemini Patch Advisor (patch → workaround → general guidance)
     │                        │
     ▼                        ▼
Analyst Asset Input (CLI prompt / GUI popup)
     │
     ▼
Report Generator → .md investigation file
```
---
## Project Structure
```
kev-investigator/
├── main.py                 # CLI entry point
├── gui_app.py              # Tkinter GUI wrapper (same pipeline, no logic duplication)
├── config.py               # Loads API keys from .env
├── requirements.txt
├── .env.example            # Template: copy to .env and fill in your own keys
│
├── modules/
│   ├── kev_fetcher.py      # CISA KEV fetch + date-cutoff filtering
│   ├── nvd_fetcher.py      # NVD enrichment with retry/backoff on 503s
│   ├── poc_checker.py      # GitHub repo + code search for public PoCs
│   ├── patch_advisor.py    # Gemini-based patch/workaround recommendation
│   └── report_generator.py # Assembles final Markdown investigation report
│
├── data/                   # Local state (cutoff date), gitignored
└── output/investigations/  # Generated reports, gitignored
```
---
## Security Notes
This repo is structured so that no credentials are ever committed:
- `.env` is listed in `.gitignore` and is never tracked
- Only `.env.example`, containing placeholder values, is committed
- All API keys are loaded at runtime via `python-dotenv` and read from `config.py`
- If you fork or clone this project, you must supply your own keys; none are embedded anywhere in the code
If you ever accidentally commit a real key, **revoke and regenerate it immediately**: removing it in a later commit does not remove it from git history.
---
## Roadmap
- [ ] Rapid7 IVM API integration for automated asset lookup (currently manual entry)
- [ ] Webhook integration for auto-posting new KEVs to a team chat channel
- [ ] Bulk weekly summary report across all processed CVEs
- [ ] Optional local caching layer to reduce repeat NVD/Gemini calls during reprocessing
---
## License
MIT. Use it, fork it, adapt it for your own SOC workflow.