CISA updated ransomware flags on 59 vulnerabilities last year without notifying defenders, potentially missing critical opportunities to prevent attacks.
The US Cybersecurity and Infrastructure Security Agency (CISA) quietly updated its Known Exploited Vulnerability (KEV) catalog 59 times in 2025 to reflect that certain vulnerabilities were being used in ransomware campaigns, without alerting defenders to these critical changes.
The Problem with Silent Updates
Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, discovered that CISA was making these updates silently. Each KEV entry carries a ransomware indicator (the knownRansomwareCampaignUse field in the catalog's JSON feed) that reads either "Unknown" or "Known." When it changes from "Unknown" to "Known," that is a significant shift in risk posture that defenders need to know about immediately, yet the only trace of the change is the edited field in the catalog data.
"When that field flips from 'Unknown' to 'Known,' CISA is saying: 'We have evidence that ransomware operators are now using this vulnerability in their campaigns,'" Thorpe explained. "That's a material change in your risk posture. Your prioritization calculus should shift. But there's no alert, no announcement. Just a field change in a JSON file."
The Scale of Missed Opportunities
Thorpe's analysis found that 59 KEV entries had their ransomware status flipped to "Known" during 2025. The breakdown:
- 16 Microsoft CVEs, the largest share of any single vendor
- Ivanti, Fortinet, Palo Alto Networks (PANW), and Zimbra among the other vendors affected
- 39% of the flipped vulnerabilities had been added to KEV before 2023
- Longest lag: 1,353 days between the initial catalog entry and the flip
- Shortest lag: 1 day after the entry was added
Why These Vulnerabilities Matter
Ransomware operators favour platforms that are widely deployed, internet-facing, and grant valuable access once compromised. As Thorpe noted, "Firewalls, VPN concentrators, and email servers fit that profile perfectly."
The analysis also found that authentication bypasses and remote code execution flaws were most likely to flip to "known ransomware use" status after being added to the catalog.
The Impact on Defense Strategies
This lack of notification creates several problems for defenders:
- Delayed Response: Organizations can't quickly prioritize patching for newly weaponized vulnerabilities
- Inefficient Resource Allocation: Security teams may focus on less critical vulnerabilities while ransomware-ready flaws go unpatched
- Increased Risk: The longer it takes to patch known ransomware vulnerabilities, the greater the chance of successful attacks
Previous research has shown that vulnerabilities associated with ransomware attacks get patched about 2.5 times faster than those without such an association, but that speed-up only materialises if defenders actually learn of the association, which is exactly what a silent field change withholds.
GreyNoise's Solution
In response to this gap, GreyNoise has released an RSS feed, refreshed hourly, that notifies defenders whenever a KEV entry's ransomware status changes. It is a workaround for the absence of official alerts from CISA rather than a replacement for them: the catalog remains the authoritative source, and the feed simply watches it for changes.
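The same watch can be run locally against CISA's own JSON feed instead of relying on a third-party notification. The script below is an added example, not GreyNoise's tooling and not anything published by CISA: it diffs two saved copies of the catalog, reports every existing entry whose knownRansomwareCampaignUse field moved from "Unknown" to "Known", and computes the lag since that entry's dateAdded, which is the same measure behind the 1-day and 1,353-day figures quoted above. Both snapshots are constructed inline with placeholder CVE IDs (CVE-0000-*, not real CVEs) and a fictional vendor; the field names match the real feed, the records do not.

```python
"""Flag silent knownRansomwareCampaignUse flips between two snapshots of CISA's KEV catalog."""
import json
from datetime import date

# Date on which the second snapshot was taken (constructed for this example).
OBSERVED_ON = date(2025, 1, 2)

# Two constructed catalog snapshots, one day apart. Top-level and per-entry field names
# follow the real KEV JSON feed, but the records are placeholders: CVE-0000-* are not
# real CVE IDs and "ExampleCo" is not a real vendor.
KEV_BEFORE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.01.01",
    "dateReleased": "2025-01-01T12:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "VPN Gateway",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Mail Server",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCo", "product": "Firewall",
         "dateAdded": "2023-06-01", "dueDate": "2023-06-22",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Next day: 0001 and 0002 silently flipped to Known, 0003 unchanged, 0004 newly added as Known.
KEV_AFTER = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.01.02",
    "dateReleased": "2025-01-02T12:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "VPN Gateway",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Mail Server",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCo", "product": "Firewall",
         "dateAdded": "2023-06-01", "dueDate": "2023-06-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0004", "vendorProject": "ExampleCo", "product": "Web Proxy",
         "dateAdded": "2025-01-02", "dueDate": "2025-01-23",
         "knownRansomwareCampaignUse": "Known"},
    ],
})


def index_catalog(snapshot_json):
    """Return {cveID: entry} for one snapshot of the catalog JSON."""
    return {v["cveID"]: v for v in json.loads(snapshot_json)["vulnerabilities"]}


def ransomware_flips(before_json, after_json, observed_on):
    """List entries whose ransomware flag moved from not-Known to Known between snapshots.

    Brand-new entries are skipped on purpose: CISA announces additions, so only a
    change to an entry that already existed is the silent kind. Results are sorted
    by how long the entry had sat in the catalog before the flip, longest lag first.
    """
    before = index_catalog(before_json)
    after = index_catalog(after_json)
    flips = []
    for cve, entry in after.items():
        old = before.get(cve)
        if old is None:
            continue
        was_known = old.get("knownRansomwareCampaignUse") == "Known"
        now_known = entry.get("knownRansomwareCampaignUse") == "Known"
        if now_known and not was_known:
            added = date.fromisoformat(entry["dateAdded"])
            flips.append({
                "cveID": cve,
                "vendorProject": entry["vendorProject"],
                "product": entry["product"],
                "dateAdded": entry["dateAdded"],
                "days_since_added": (observed_on - added).days,
            })
    flips.sort(key=lambda f: f["days_since_added"], reverse=True)
    return flips


def share_added_before(flips, year):
    """Fraction of flipped entries whose dateAdded falls before the given year."""
    if not flips:
        return 0.0
    older = sum(1 for f in flips if date.fromisoformat(f["dateAdded"]).year < year)
    return older / len(flips)


if __name__ == "__main__":
    flips = ransomware_flips(KEV_BEFORE, KEV_AFTER, OBSERVED_ON)
    for f in flips:
        print(f"{f['cveID']} ({f['vendorProject']} {f['product']}): flipped to Known "
              f"{f['days_since_added']} days after being catalogued on {f['dateAdded']}")
    print(f"{share_added_before(flips, 2023):.0%} of flips were catalogued before 2023")
```

In practice you would fetch the catalog JSON from cisa.gov on a schedule (CISA publishes it as known_exploited_vulnerabilities.json), keep the previous copy, and pass both files to ransomware_flips(); anything it returns is a prioritisation change that never came with an announcement. The new entry CVE-0000-0004 is deliberately not reported, and an entry that was already "Known" in the earlier snapshot is ignored, so the output is exactly the set of silent flips.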
Broader Context
The issue reflects a larger challenge in cybersecurity: the rapid pace at which threat intelligence evolves often outpaces the mechanisms for sharing that intelligence. While CISA adds new vulnerabilities to the KEV catalog nearly daily, the process for updating and communicating changes to existing entries appears less robust.
This situation is particularly concerning given the increasing sophistication and frequency of ransomware attacks targeting critical infrastructure and government agencies - the very entities CISA is meant to protect.
The Register has reached out to CISA for comment on these findings and the agency's notification practices.
