CISA has been silently updating its Known Exploited Vulnerabilities (KEV) catalog by switching vulnerabilities from “unknown” to “known” when evidence shows ransomware groups exploit them, without issuing public advisories. Researcher Glenn Thorpe found 59 such flips in 2025—many affecting Microsoft and edge/network appliances—and warned that defenders need clearer alerts and prioritization.
Keypoints
- CISA changed 59 CVEs in 2025 from “unknown” to “known” exploitation by ransomware groups without issuing alerts.
- Glenn Thorpe of GreyNoise tracked daily KEV snapshots and created an hourly RSS feed to monitor flipped vulnerabilities.
- Twenty-seven percent of the flipped CVEs involved Microsoft products, while 34% affected edge and network devices and 39% were pre-2023 flaws.
- Ransomware actors targeted network security appliances—including Fortinet, Ivanti, Palo Alto, and Check Point—with 19 of 59 flips hitting such devices.
- Authentication bypass and remote code execution were common flaw types, with flips occurring as quickly as one day and as long as 1,353 days after KEV addition.
Read More: https://thecyberexpress.com/vulnerabilities-exploited-by-ransomware-groups/
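
The snapshot comparison described in the key points can be reproduced by diffing two copies of the KEV JSON feed on its `knownRansomwareCampaignUse` field. The following is an added example, not Thorpe's or GreyNoise's tooling; the snapshots, CVE IDs and vendor names are constructed placeholders, and `_entry` is a hypothetical helper.

```python
from datetime import date

FIELD = "knownRansomwareCampaignUse"  # field name in CISA's KEV JSON feed

def index_by_cve(snapshot):
    """Map cveID -> entry for one parsed KEV snapshot."""
    return {v["cveID"]: v for v in snapshot.get("vulnerabilities", [])}

def find_ransomware_flips(old, new, observed_on):
    """Entries whose ransomware-use status went Unknown -> Known between snapshots."""
    before = index_by_cve(old)
    flips = []
    for cve, entry in index_by_cve(new).items():
        prev = before.get(cve)
        if prev is None:
            continue  # first appearance in KEV: an addition, not a flip
        was = prev.get(FIELD, "").strip().lower()
        now = entry.get(FIELD, "").strip().lower()
        if was == "unknown" and now == "known":
            added = date.fromisoformat(entry["dateAdded"])
            flips.append({
                "cveID": cve,
                "vendorProject": entry.get("vendorProject", ""),
                "days_since_added": (observed_on - added).days,
            })
    return sorted(flips, key=lambda f: f["days_since_added"])

def _entry(cve, vendor, added, status):
    # Hypothetical helper: builds a constructed KEV-style record for the demo.
    return {"cveID": cve, "vendorProject": vendor, "dateAdded": added, FIELD: status}

# Constructed snapshots; CVE IDs and vendors are placeholders, not real entries.
OLD = {"vulnerabilities": [
    _entry("CVE-0000-0001", "ExampleVPN", "2025-03-01", "Unknown"),
    _entry("CVE-0000-0002", "ExampleOS", "2022-03-02", "Unknown"),
    _entry("CVE-0000-0003", "ExampleFW", "2024-11-20", "Known"),
    _entry("CVE-0000-0005", "ExampleCMS", "2023-07-09", "Unknown"),
]}
NEW = {"vulnerabilities": [
    _entry("CVE-0000-0001", "ExampleVPN", "2025-03-01", "Known"),    # flip
    _entry("CVE-0000-0002", "ExampleOS", "2022-03-02", "Known"),     # flip
    _entry("CVE-0000-0003", "ExampleFW", "2024-11-20", "Known"),     # unchanged
    _entry("CVE-0000-0004", "ExampleNAS", "2025-03-02", "Known"),    # new entry
    _entry("CVE-0000-0005", "ExampleCMS", "2023-07-09", "Unknown"),  # unchanged
]}

if __name__ == "__main__":
    for f in find_ransomware_flips(OLD, NEW, observed_on=date(2025, 3, 2)):
        print(f"{f['cveID']} ({f['vendorProject']}): flipped {f['days_since_added']} days after KEV addition")
```

Entries that first appear already marked "Known" are skipped, since they arrive through a normal KEV addition rather than a silent status change.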