Concerns Raised Over CISA’s Silent Ransomware Updates in KEV Catalog

CISA has been updating its Known Exploited Vulnerabilities (KEV) catalog to mark flaws observed in ransomware campaigns, but those changes are made silently without public alerts, which can leave defenders unaware of shifting priorities. GreyNoise found CISA flipped the ransomware flag from ‘unknown’ to ‘known’ on 59 CVEs in 2025 and created an RSS feed to notify subscribers when such tags change.

Key points

  • CISA updates the KEV catalog to indicate vulnerabilities observed in ransomware campaigns but provides no public alerts for those changes.
  • GreyNoise reported that 59 CVEs were changed to ‘known’ for ransomware use in 2025.
  • Time-to-flip for the ransomware tag varied from one day to more than 1,300 days.
  • Microsoft accounted for 16 of the updated CVEs, with Ivanti, Fortinet, Palo Alto Networks, and Zimbra also impacted.
  • GreyNoise offers an hourly RSS feed to track KEV ransomware-tag changes while CISA says it is working to enhance the catalog with community feedback.
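Because the flag changes arrive without an alert, a team can catch them by diffing two saved copies of the KEV JSON feed. The sketch below is an added example, not code from CISA, GreyNoise or the article; it assumes the feed's `cveID`, `vendorProject`, `dateAdded` and `knownRansomwareCampaignUse` fields, and the snapshots, CVE ids and vendor names are constructed placeholders.

```python
import json
from datetime import date

FLAG = "knownRansomwareCampaignUse"  # field name in CISA's KEV JSON feed

def index(snapshot):
    """Map cveID -> entry for one parsed KEV snapshot."""
    return {v["cveID"]: v for v in snapshot.get("vulnerabilities", [])}

def ransomware_flips(old, new, observed):
    """Return entries whose flag went Unknown -> Known between two snapshots.

    days_to_flip runs from dateAdded to the day the change was observed,
    so it is an upper bound on the real interval.
    """
    before, after = index(old), index(new)
    flips = []
    for cve, entry in after.items():
        prev = before.get(cve)
        if prev is None:
            continue  # newly listed entry: no earlier state, so not a flip
        was = prev.get(FLAG, "Unknown").strip().lower()
        now = entry.get(FLAG, "Unknown").strip().lower()
        if was == "unknown" and now == "known":
            added = date.fromisoformat(entry["dateAdded"])
            flips.append({"cve": cve, "vendor": entry.get("vendorProject", ""),
                          "days_to_flip": (observed - added).days})
    return sorted(flips, key=lambda f: f["cve"])

# Constructed sample snapshots (placeholder CVE ids and vendors).
OLD = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "dateAdded": "2025-05-31", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0002", "vendorProject": "VendorB", "dateAdded": "2021-10-01", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "VendorC", "dateAdded": "2024-02-01", "knownRansomwareCampaignUse": "Unknown"}
]}""")
NEW = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "dateAdded": "2025-05-31", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "VendorB", "dateAdded": "2021-10-01", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0003", "vendorProject": "VendorC", "dateAdded": "2024-02-01", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0004", "vendorProject": "VendorD", "dateAdded": "2025-06-01", "knownRansomwareCampaignUse": "Known"}
]}""")

if __name__ == "__main__":
    for f in ransomware_flips(OLD, NEW, date(2025, 6, 1)):
        print(f"{f['cve']} ({f['vendor']}): now Known, {f['days_to_flip']} days after KEV listing")
```

Run against real snapshots, the output is a re-prioritisation list: entries that were already in the catalog and have since been tied to ransomware use.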

Read More: https://www.securityweek.com/questions-raised-over-cisas-silent-ransomware-updates-in-kev-catalog/