CISA’s Silent Updates to Ransomware-Linked Vulnerabilities Raise Concerns in 2025
In 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) quietly updated its Known Exploited Vulnerabilities (KEV) catalog 59 times to reflect new evidence of ransomware exploitation without notifying defenders. The oversight, highlighted by Glenn Thorpe, senior director of security research at GreyNoise, underscores a critical gap in how organizations track evolving threats.
CISA’s KEV catalog is designed to flag high-priority vulnerabilities actively exploited by attackers, helping federal agencies and security teams prioritize patches. One key feature is a field indicating whether a flaw is tied to ransomware operations. However, when this status changes from "Unknown" to "Known", signaling confirmed ransomware use, CISA does not issue alerts. Instead, the update appears only as a silent modification in a JSON file, leaving defenders unaware of the heightened risk.
Thorpe’s analysis revealed that 16 of the 59 updated vulnerabilities were Microsoft CVEs, with other frequent targets including Ivanti, Fortinet, Palo Alto Networks (PANW), and Zimbra. These vendors’ products, often firewalls, VPNs, and email servers, are prime targets for ransomware groups because of their widespread deployment and access to high-value networks.
Notably, 39% of the vulnerabilities confirmed for ransomware use in 2025 had been listed in the KEV catalog before 2023. The oldest flaw updated last year had been in the catalog for 1,353 days, while the fastest flip occurred within a single day. Authentication bypasses and remote code execution (RCE) flaws were the most common types to see delayed ransomware confirmation.
In response to the issue, GreyNoise launched an RSS feed that tracks KEV catalog updates, including ransomware status changes, with hourly refreshes. The tool addresses a long-standing frustration among security professionals, who argue that timely notifications could help organizations adjust their patching priorities and mitigate attacks.
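A defender-side check for exactly this silent flip, added here as an example and not code from the article, GreyNoise or CISA: it diffs two snapshots of the KEV catalog JSON and reports every entry whose ransomware status became "Known", including new entries that arrive already marked. Field names follow CISA's published KEV JSON schema (cveID, vendorProject, product, dateAdded, knownRansomwareCampaignUse); the snapshots, CVE IDs, vendor and dates are constructed, with the oldest entry dated so it has sat in the catalog for 1,353 days, the figure cited above.

```python
import json
from datetime import date

# Two constructed KEV catalog snapshots, trimmed to the fields this check uses.
# Field names follow CISA's published KEV JSON schema; the CVE IDs, vendor and
# dates are placeholders, not real catalog entries.
KEV_YESTERDAY = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-1111", "vendorProject": "ExampleVendor", "product": "Firewall",
   "dateAdded": "2021-04-19", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-2222", "vendorProject": "ExampleVendor", "product": "VPN",
   "dateAdded": "2024-12-31", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-3333", "vendorProject": "ExampleVendor", "product": "Mail",
   "dateAdded": "2022-03-10", "knownRansomwareCampaignUse": "Known"}]}""")

# Today's snapshot: 1111 and 2222 silently flipped to "Known", 3333 is unchanged,
# and 4444 is a new entry that arrives already marked "Known".
KEV_TODAY = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-1111", "vendorProject": "ExampleVendor", "product": "Firewall",
   "dateAdded": "2021-04-19", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-2222", "vendorProject": "ExampleVendor", "product": "VPN",
   "dateAdded": "2024-12-31", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-3333", "vendorProject": "ExampleVendor", "product": "Mail",
   "dateAdded": "2022-03-10", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-4444", "vendorProject": "ExampleVendor", "product": "Gateway",
   "dateAdded": "2025-01-01", "knownRansomwareCampaignUse": "Known"}]}""")

def ransomware_flips(old, new, as_of):
    """Entries whose ransomware status became "Known" between two snapshots: a silent
    flip of an existing entry, or a new entry already marked "Known". as_of is ISO."""
    as_of_date = date.fromisoformat(as_of)
    old_by_id = {v["cveID"]: v for v in old["vulnerabilities"]}
    flips = []
    for v in new["vulnerabilities"]:
        if v.get("knownRansomwareCampaignUse") != "Known":
            continue
        prev = old_by_id.get(v["cveID"])
        if prev is not None and prev.get("knownRansomwareCampaignUse") == "Known":
            continue  # was already flagged; nothing new to alert on
        days = (as_of_date - date.fromisoformat(v["dateAdded"])).days
        flips.append({"cveID": v["cveID"], "vendorProject": v["vendorProject"],
                      "product": v["product"], "newly_added": prev is None,
                      "days_in_catalog": days})
    # Oldest catalog entries first: a years-old flaw quietly flipping to
    # "Known" is exactly the change the article says defenders miss.
    return sorted(flips, key=lambda f: f["days_in_catalog"], reverse=True)

if __name__ == "__main__":
    for f in ransomware_flips(KEV_YESTERDAY, KEV_TODAY, "2025-01-01"):
        print(f"{f['cveID']} ({f['vendorProject']} {f['product']}): ransomware use "
              f"now Known after {f['days_in_catalog']} days in KEV")
```

In practice the two snapshots would be the previously saved copy of the catalog and a fresh download, compared on each fetch.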
CISA has not yet responded to requests for comment.
Source: https://www.theregister.com/2026/02/03/greynoise_cisa_ransomware_gripe/
{
"id": "UNIZIMFORIVA1770144800",
"linkid": "unit42, zimbra, fortinet, ivanti",
"type": "Vulnerability",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Public Sector', 'location': 'United States', 'name': 'U.S. federal agencies', 'size': 'Large', 'type': 'Government'},
                       {'industry': ['Technology', 'Finance', 'Healthcare', 'Critical Infrastructure'], 'location': 'Global', 'name': 'Organizations using Microsoft, Ivanti, Fortinet, Palo Alto Networks, or Zimbra products', 'size': 'Varies', 'type': 'Private/Public Organizations'}],
 'attack_vector': ['Authentication bypass', 'Remote Code Execution (RCE)'],
 'date_detected': '2025',
 'date_publicly_disclosed': '2025',
 'description': 'In 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) quietly updated its Known Exploited Vulnerabilities (KEV) catalog 59 times to reflect new evidence of ransomware exploitation without notifying defenders. The oversight highlights a critical gap in how organizations track evolving threats, as updates to ransomware-linked vulnerabilities were only reflected in a JSON file without alerts.',
 'impact': {'brand_reputation_impact': 'Potential erosion of trust in CISA’s KEV catalog as a reliable threat intelligence source',
            'operational_impact': 'Delayed patching priorities leading to increased risk of ransomware attacks',
            'systems_affected': ['Firewalls', 'VPNs', 'Email servers']},
 'initial_access_broker': {'high_value_targets': ['Firewalls', 'VPNs', 'Email servers']},
 'investigation_status': 'Ongoing (CISA has not responded to requests for comment)',
 'lessons_learned': 'Timely notifications of ransomware-linked vulnerability updates are critical for organizations to prioritize patching and mitigate risks. Silent updates in threat intelligence feeds can lead to gaps in defense.',
 'motivation': 'Financial gain (ransomware operations)',
 'post_incident_analysis': {'corrective_actions': 'Implement real-time alerting for KEV updates; improve transparency in threat intelligence feeds.',
                            'root_causes': 'Lack of alerting mechanism for ransomware status changes in CISA’s KEV catalog; delayed confirmation of ransomware exploitation for vulnerabilities.'},
 'recommendations': ['CISA should implement alerting mechanisms for changes to ransomware status in the KEV catalog.',
                     'Organizations should monitor third-party tools (e.g., GreyNoise RSS feed) for real-time KEV updates.',
                     'Prioritize patching for vulnerabilities tied to ransomware, especially in firewalls, VPNs, and email servers.'],
 'references': [{'date_accessed': '2025', 'source': 'GreyNoise (Glenn Thorpe)'},
                {'date_accessed': '2025', 'source': 'CISA Known Exploited Vulnerabilities (KEV) Catalog'}],
 'response': {'communication_strategy': 'GreyNoise RSS feed for hourly KEV updates; CISA did not issue alerts',
              'remediation_measures': 'Organizations advised to monitor KEV updates and adjust patching priorities',
              'third_party_assistance': 'GreyNoise (launched RSS feed to track KEV updates)'},
 'stakeholder_advisories': 'Organizations urged to monitor KEV updates and adjust patching strategies accordingly.',
 'title': 'CISA’s Silent Updates to Ransomware-Linked Vulnerabilities Raise Concerns in 2025',
 'type': 'Ransomware',
 'vulnerability_exploited': [{'age_in_kev_catalog': 'Varies (oldest: 1,353 days, fastest: 1 day)', 'cves': ['Multiple CVEs (unspecified)'], 'vendor': 'Microsoft'},
                             {'cves': ['Multiple CVEs (unspecified)'], 'vendor': 'Ivanti'},
                             {'cves': ['Multiple CVEs (unspecified)'], 'vendor': 'Fortinet'},
                             {'cves': ['Multiple CVEs (unspecified)'], 'vendor': 'Palo Alto Networks (PANW)'},
                             {'cves': ['Multiple CVEs (unspecified)'], 'vendor': 'Zimbra'}]}