What's Happening?
The Cybersecurity and Infrastructure Security Agency (CISA) has been updating its Known Exploited Vulnerabilities (KEV) catalog to include information on vulnerabilities exploited in ransomware attacks. However, these updates are made without public notification, raising concerns about their practical utility for cybersecurity defenders. Since late 2023, CISA has been marking vulnerabilities in its KEV catalog as being used in ransomware campaigns, which is intended to help organizations prioritize their patching efforts. Glenn Thorpe, a senior director at GreyNoise, highlighted that in 2025, CISA updated 59 vulnerabilities to indicate their use in ransomware campaigns, with the time taken to update ranging from one day to over 1,300 days. The vulnerabilities primarily involve Microsoft products, followed by Ivanti, Fortinet, Palo Alto Networks, and Zimbra. Thorpe criticized the lack of alerts or announcements accompanying these updates, which are only reflected as field changes in a JSON file.
Why It's Important?
The silent updates to CISA's KEV catalog have significant implications for cybersecurity risk management. Without public notifications, organizations may not be aware of changes that could affect their risk posture, potentially leaving them vulnerable to ransomware attacks. The lack of transparency in these updates could hinder the ability of cybersecurity teams to effectively prioritize and address vulnerabilities. This situation underscores the need for improved communication and transparency from CISA to ensure that organizations can adequately protect themselves against evolving threats. The updates are crucial for maintaining cybersecurity resilience, especially as ransomware attacks continue to pose a significant threat to businesses and government agencies.
What's Next?
CISA is expected to continue refining its processes to enhance the KEV catalog and improve vulnerability prioritization. Feedback from the cybersecurity community is likely to play a critical role in shaping these improvements. In the meantime, GreyNoise's Thorpe has developed an RSS feed tool that alerts organizations to changes in the ransomware tag within CISA's catalog, providing a temporary solution for those seeking more immediate notifications. As CISA works to streamline its processes, it may consider implementing more transparent update mechanisms to better serve the cybersecurity community.
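Because the change shows up only as a field value in the catalog JSON, a defender can catch it by comparing two saved snapshots. The following is an added example, not code from the article or from GreyNoise's tool; it assumes the KEV JSON field `knownRansomwareCampaignUse` with values "Known"/"Unknown", and all entries and CVE IDs in it are constructed placeholders.

```python
import json
from datetime import date

FLAG = "knownRansomwareCampaignUse"  # KEV JSON field; values are "Known" / "Unknown"

def _entry(cve, added, flag):
    # Constructed sample entry; CVE IDs and vendor are placeholders, not real data.
    return {"cveID": cve, "vendorProject": "ExampleVendor", "dateAdded": added, FLAG: flag}

# Two constructed snapshots standing in for yesterday's and today's catalog download.
OLD_SNAPSHOT = json.dumps({"vulnerabilities": [
    _entry("CVE-0000-0001", "2022-03-01", "Unknown"),
    _entry("CVE-0000-0002", "2025-01-10", "Known"),
]})
NEW_SNAPSHOT = json.dumps({"vulnerabilities": [
    _entry("CVE-0000-0001", "2022-03-01", "Known"),    # silently flipped
    _entry("CVE-0000-0002", "2025-01-10", "Known"),    # unchanged
    _entry("CVE-0000-0003", "2025-06-02", "Known"),    # new, already flagged
    _entry("CVE-0000-0004", "2025-06-02", "Unknown"),  # new, not flagged
]})

def diff_ransomware_flags(old_json, new_json, detected_on):
    """Return entries whose ransomware flag is "Known" now but was not before."""
    old = {v["cveID"]: v.get(FLAG, "Unknown")
           for v in json.loads(old_json).get("vulnerabilities", [])}
    changes = []
    for v in json.loads(new_json).get("vulnerabilities", []):
        before = old.get(v["cveID"])   # None means the entry is new to the catalog
        now = v.get(FLAG, "Unknown")
        if now != "Known" or before == "Known":
            continue                   # nothing to alert on
        changes.append({
            "cve": v["cveID"],
            "kind": "flipped" if before is not None else "new_entry",
            # Lag between catalog listing and the day the flag was noticed.
            "days_since_added": (detected_on - date.fromisoformat(v["dateAdded"])).days,
        })
    return changes

if __name__ == "__main__":
    for change in diff_ransomware_flags(OLD_SNAPSHOT, NEW_SNAPSHOT, date(2025, 6, 3)):
        print(change)
```

Run against daily saved copies of the catalog, the "flipped" results are the silent updates; "new_entry" results are additions that arrived already tagged.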









