Concerns Raised Over CISA’s Silent Ransomware Updates in KEV Catalog
securityweek
The cybersecurity agency CISA regularly updates its Known Exploited Vulnerabilities (KEV) catalog when it learns of a flaw being leveraged in ransomware attacks, but the practical utility of these updates for defenders has been questioned because they are made without public notification.
Since late 2023, each entry in CISA’s KEV catalog has indicated whether the vulnerability has been observed in ransomware campaigns, helping defenders prioritize patches.
According to Glenn Thorpe, senior director of security research and engineering at threat intelligence firm GreyNoise, CISA updated the entries for 59 vulnerabilities in 2025 to flip the ‘known to be used in ransomware campaigns’ data field from ‘unknown’ to ‘known’.
The fastest flip came after one day and the longest time-to-flip was more than 1,300 days.
Vulnerabilities in Microsoft products account for more than a quarter of the updated CISA KEV entries (16 CVEs), followed by Ivanti (6 CVEs), Fortinet (5 ...
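Because the flips described above are not announced, a defender who wants to notice them has to diff successive copies of the catalog. The following added example (not from the SecurityWeek article or from CISA) does that over two constructed snapshots laid out like the public KEV JSON feed, whose `knownRansomwareCampaignUse` field carries the values "Known" and "Unknown"; it reports each silent Unknown-to-Known flip with the time-to-flip measured from the entry's `dateAdded`, the metric the article cites.

```python
"""Detect silent 'known ransomware use' flips between two KEV catalog snapshots.

Added example. Assumes the public KEV JSON feed layout (cveID, vendorProject,
dateAdded, knownRansomwareCampaignUse = "Known"/"Unknown"). Both snapshots
below are constructed sample data, not real catalog contents.
"""
import json
from datetime import date

# Constructed sample: yesterday's copy of the catalog.
SNAPSHOT_OLD = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "dateAdded": "2022-03-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "dateAdded": "2025-06-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
     "dateAdded": "2024-01-15", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed sample: today's copy. Two existing entries were flipped to "Known"
# without notice, and one brand-new entry was added (new entries are announced).
SNAPSHOT_NEW = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "dateAdded": "2022-03-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "dateAdded": "2025-06-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
     "dateAdded": "2024-01-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor",
     "dateAdded": "2025-06-11", "knownRansomwareCampaignUse": "Unknown"},
]})


def ransomware_flips(old_json, new_json, as_of):
    """Return [(cveID, vendor, days_since_added)] for entries present in both
    snapshots whose ransomware field changed from not-"Known" to "Known",
    longest time-to-flip first. `as_of` is an ISO date string (YYYY-MM-DD)."""
    today = date.fromisoformat(as_of)
    old = {v["cveID"]: v for v in json.loads(old_json)["vulnerabilities"]}
    flips = []
    for v in json.loads(new_json)["vulnerabilities"]:
        prev = old.get(v["cveID"])
        if prev is None:
            continue  # new catalog entries are announced; only silent edits matter here
        if (prev.get("knownRansomwareCampaignUse") != "Known"
                and v.get("knownRansomwareCampaignUse") == "Known"):
            added = date.fromisoformat(v["dateAdded"])
            flips.append((v["cveID"], v["vendorProject"], (today - added).days))
    return sorted(flips, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for cve, vendor, days in ransomware_flips(SNAPSHOT_OLD, SNAPSHOT_NEW, "2025-06-11"):
        print(f"{cve} ({vendor}): ransomware flag flipped {days} days after dateAdded")
```

Run on daily downloads of the real feed, the same function surfaces which already-patched-or-not CVEs just gained ransomware context, so the prioritization the field is meant to support is not lost to an unannounced edit.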