Article Details
Scrape Timestamp (UTC): 2026-02-03 17:23:38.080
Source: https://www.theregister.com/2026/02/03/greynoise_cisa_ransomware_gripe/
Original Article Text
CISA updated ransomware intel on 59 bugs last year without telling defenders. GreyNoise's Glenn Thorpe counts the cost of missed opportunities.

On 59 occasions throughout 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) silently tweaked vulnerability notices to reflect their use by ransomware crooks. Experts say that's a problem.

"Frustrated" by the agency failing to notify defenders when key pieces of intel change, Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, counted the number of missed opportunities to potentially stop ransomware attacks last year.

CISA maintains its Known Exploited Vulnerability (KEV) catalog and populates it on a near-daily basis with details about the vulnerabilities attackers are exploiting to gain access to victims' networks. The purpose of the catalog is to identify the most serious vulnerabilities at any given time and to inform defenders, especially those working for federal agencies, which bugs should be prioritized.

One feature of the catalog is an indicator of whether or not CISA is aware of a given vulnerability being used in ransomware attacks. Infosec pros tend to prioritize the security flaws that could lead to stolen and encrypted files, since these are generally seen as the most damaging. Previous research has shown that such vulnerabilities are patched 2.5 times faster than those not associated with ransomware attacks.

The thing is, the rapid pace at which CISA adds new bugs to the catalog often outpaces defenders. As Thorpe discovered, the bugs CISA adds are frequently confirmed as exploited by ransomware affiliates only after they have been added, and CISA does not alert techies when its "known ransomware use" indicator switches from "unknown" to "known."
"When that field flips from 'Unknown' to 'Known,' CISA is saying: 'We have evidence that ransomware operators are now using this vulnerability in their campaigns,'" said Thorpe. "That's a material change in your risk posture. Your prioritization calculus should shift. But there's no alert, no announcement. Just a field change in a JSON file."

Thorpe's analysis of the 59 flipped vulnerabilities revealed that the largest share (16) were Microsoft CVEs, while the other common vendors included Ivanti, Fortinet, PANW, and Zimbra. "Ransomware operators are economic actors after all. They invest in exploit development for platforms with high deployment and high-value access. Firewalls, VPN concentrators, and email servers fit that profile perfectly."

He also found that more than a third (39 percent) of the bugs confirmed to be used in ransomware campaigns in 2025 were first added to the KEV catalog before 2023. The oldest to flip last year was a bug added 1,353 days prior, while the fastest flipped in just one day. Bear in mind: some vulnerabilities are already known to be used by ransomware crews at the time they are added, so their "known ransomware use" indicator was set to "Known" from the start, i.e. they never flipped.

Thorpe went on to say that authentication bypasses and remote code execution flaws were the most likely to flip after being added to the KEV catalog.

GreyNoise has now released an RSS feed to which defenders can subscribe to see when KEV catalog entries' ransomware statuses change. The feed updates hourly; Thorpe built it after a 2024 BSidesLV presentation failed to bring about the change he had hoped for.

The Register asked CISA to comment.
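The "field change in a JSON file" Thorpe describes is something a defender can watch for directly. The script below is an added example, not code from The Register, GreyNoise or CISA: it diffs two snapshots of the KEV catalog JSON and reports every entry whose ransomware indicator moved from Unknown to Known, along with how long the entry had already sat in the catalog before the flip, and separately lists entries that arrived already marked Known (the ones that, as the article notes, never flipped). The field names `knownRansomwareCampaignUse` and `dateAdded` follow CISA's published feed schema; the two snapshots, the vendor names and every CVE identifier in them are constructed placeholders.

```python
"""Detect silent ransomware-status flips between two KEV catalog snapshots.

Added example (not from The Register, GreyNoise or CISA). The field names
match the shape of CISA's known_exploited_vulnerabilities.json feed; the
records below are constructed and the CVE identifiers are placeholders.
"""
import json
from collections import Counter
from datetime import date

# Constructed "yesterday" snapshot: two entries still Unknown, one already Known.
KEV_BEFORE = json.loads("""
{
  "catalogVersion": "2024.12.31",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Firewall",
     "dateAdded": "2021-01-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
     "dateAdded": "2024-12-31", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "VPN",
     "dateAdded": "2023-02-10", "knownRansomwareCampaignUse": "Known"}
  ]
}
""")

# Constructed "today" snapshot: 0001 and 0002 flipped to Known, 0003 unchanged,
# 0004 newly added and Known from the outset (never flipped).
KEV_AFTER = json.loads("""
{
  "catalogVersion": "2025.01.01",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Firewall",
     "dateAdded": "2021-01-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
     "dateAdded": "2024-12-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "VPN",
     "dateAdded": "2023-02-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0004", "vendorProject": "ThirdVendor", "product": "Hypervisor",
     "dateAdded": "2025-01-01", "knownRansomwareCampaignUse": "Known"}
  ]
}
""")


def index_by_cve(feed):
    """Map cveID -> record so the two snapshots can be joined on the identifier."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def diff_snapshots(before, after, observed_on):
    """Compare two KEV snapshots taken on consecutive polls.

    Returns a dict with two lists:
      flipped        - entries present in both snapshots whose indicator went
                       Unknown -> Known, with the days they had already spent in
                       the catalog (the window in which a defender may have
                       treated them as "just another KEV").
      added_as_known - entries that first appear in `after` already marked Known.
    """
    old = index_by_cve(before)
    flipped, added_as_known = [], []
    for cve_id, new in index_by_cve(after).items():
        if new.get("knownRansomwareCampaignUse") != "Known":
            continue
        record = {"cveID": cve_id, "vendorProject": new["vendorProject"],
                  "product": new["product"]}
        if cve_id not in old:
            added_as_known.append(record)
        elif old[cve_id].get("knownRansomwareCampaignUse") != "Known":
            added = date.fromisoformat(new["dateAdded"])
            record["days_in_catalog_before_flip"] = (observed_on - added).days
            flipped.append(record)
    return {"flipped": flipped, "added_as_known": added_as_known}


def vendor_tally(records):
    """Count flips per vendor, the breakdown Thorpe reported for 2025."""
    return dict(Counter(r["vendorProject"] for r in records))


def format_alerts(report):
    """Render one alert line per flip, suitable for a feed or chat notification."""
    lines = [f"RANSOMWARE FLIP {r['cveID']} ({r['vendorProject']} {r['product']}): "
             f"Unknown -> Known after {r['days_in_catalog_before_flip']} days in KEV"
             for r in report["flipped"]]
    lines += [f"NEW KEV ENTRY ALREADY KNOWN {r['cveID']} ({r['vendorProject']} {r['product']})"
              for r in report["added_as_known"]]
    return lines


if __name__ == "__main__":
    result = diff_snapshots(KEV_BEFORE, KEV_AFTER, date(2025, 1, 1))
    print("\n".join(format_alerts(result)))
    print("flips by vendor:", vendor_tally(result["flipped"]))
```

In practice the two snapshots would be successive downloads of the live feed, compared on each poll; the catalog itself carries no change history for this field, which is why a local copy of the previous snapshot is what makes the flip visible.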
Daily Brief Summary
The US Cybersecurity and Infrastructure Security Agency (CISA) updated 59 vulnerability notices in 2025 to reflect ransomware exploitation, without notifying defenders.
Glenn Thorpe of GreyNoise criticized the lack of alerts, noting missed opportunities to prevent ransomware attacks by not informing defenders of critical changes.
CISA's Known Exploited Vulnerability (KEV) catalog is updated frequently, but the pace can outstrip defenders' ability to respond effectively.
The catalog's "known ransomware use" indicator changes without announcement, impacting risk assessments and prioritization strategies for cybersecurity teams.
Analysis revealed that Microsoft CVEs accounted for the largest share (16 of the 59), with other vendors such as Ivanti, Fortinet, PANW, and Zimbra also represented.
GreyNoise introduced an RSS feed to notify defenders of changes in ransomware status, addressing the communication gap left by CISA.
The situation underscores the need for timely communication from cybersecurity agencies to better equip organizations in defending against ransomware threats.