The US Cybersecurity and Infrastructure Security Agency (CISA) has sought for years to give organizations a leg up in their efforts to effectively prioritize and mitigate vulnerabilities, but one researcher has identified a major shortcoming in the agency’s approach.
Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, found that dozens of entries in CISA’s Known Exploited Vulnerabilities (KEV) catalog were silently updated throughout 2025 to reflect ransomware exploitation of those CVEs. Each KEV entry carries a field that asks “Known To Be Used in Ransomware Campaigns?”, and the vast majority of entries initially list the status as “Unknown.”
Thorpe found 59 vulnerabilities whose ransomware status was quietly flipped to “Known” in 2025 at some point after their initial inclusion in the catalog. The status changes are not announced anywhere outside the catalog itself, which Thorpe found frustrating.
“When that field flips from ‘Unknown’ to ‘Known,’ CISA is saying: ‘We have evidence that ransomware operators are now using this vulnerability in their campaigns.’ That’s a material change in your risk posture,” he wrote in a blog post Monday. “Your prioritization calculus should shift. But there’s no alert, no announcement. Just a field change in a JSON file.”
If an organization has been deprioritizing KEV catalog vulnerabilities that had not been exploited in ransomware attacks, it would need to reassess any CVE flipped to “Known,” Thorpe explained. The problem is that unless you were diffing the catalog every day, you’d have no idea that ransomware actors were actively exploiting a flaw.
Thorpe said this exposes an issue for threat intelligence consumption. “We’re good at reacting to new disclosures. Decent at tracking active exploitation,” he wrote. “But we’re not great at noticing when the characterization of existing threats evolves.”
Inside the KEV Catalog Flips
Thorpe found the “hidden flips” by taking a daily snapshot of the KEV catalog and diffing them for field changes. The 59 vulnerabilities that were flipped to reflect “Known” ransomware activity included a list of vendors that “shouldn’t surprise anyone,” according to Thorpe.
That list includes 16 entries for Microsoft, six for Ivanti, five for Fortinet, three for Palo Alto Networks, and three for Zimbra. According to the blog post, 19 of the CVEs were for network edge devices. “Ransomware operators are building playbooks around your perimeter,” Thorpe warned.
Remote code execution and authentication bypass vulnerabilities were the most common types among the 59 flips, as “ransomware operators prioritize ‘get-in-and-go’ attack chains,” Thorpe noted.
The blog post also included the time in between each CVE’s addition to the KEV catalog and the silent flip to “Known” ransomware activity. In some cases, the time gap was just one day after the CVE was added to the catalog. For example, CVE-2025-61882, a critical flaw in Oracle E-Business Suite, had its ransomware status updated the day after it was added to the catalog on Oct. 6, 2025.
GreyNoise tracked the time between when each CVE was first added to the KEV catalog and when CISA updated its ransomware status. SOURCE: GreyNoise
In other cases, the gap stretched months and even years. The infamous BlueKeep vulnerability (CVE-2019-0708) in Microsoft’s Remote Desktop Services was initially disclosed in 2019 and added to the KEV catalog in late 2021. However, it wasn’t until the summer of 2025 that CISA confirmed ransomware activity against the flaw and updated its status.
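The snapshot-and-diff method described above, and the lag measurement between a CVE’s KEV addition and the day its ransomware flag was first seen as “Known,” can be reproduced with a short script. The following is an added example, not GreyNoise’s tooling or CISA code. It assumes the schema of CISA’s published KEV JSON feed (a top-level “dateReleased” and a “vulnerabilities” list whose entries carry “cveID,” “dateAdded,” and “knownRansomwareCampaignUse” with values “Known” or “Unknown”). The two snapshots are constructed sample data: the Oracle entry mirrors the one-day timeline reported in the article, while the CVE-0000-* entries and all due dates are placeholders.

```python
"""Diff two daily snapshots of the CISA KEV JSON feed and surface silent field changes.

Added example, not GreyNoise's or CISA's code. Field names are assumed to match the
KEV JSON feed schema; the snapshots below are constructed sample data.
"""
import json
from datetime import date

# The field whose silent flips the GreyNoise post is about, plus other fields
# that change in place without a new catalog entry and are worth watching.
RANSOMWARE_FIELD = "knownRansomwareCampaignUse"
WATCHED_FIELDS = (RANSOMWARE_FIELD, "requiredAction", "dueDate", "notes", "shortDescription")

# Constructed snapshot for day 1 (CVE-0000-* IDs and all due dates are placeholders).
OLD_SNAPSHOT = json.loads("""{
  "dateReleased": "2025-10-06",
  "vulnerabilities": [
    {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite",
     "dateAdded": "2025-10-06", "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Placeholder",
     "dateAdded": "2025-01-15", "dueDate": "2025-02-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Placeholder",
     "dateAdded": "2025-09-01", "dueDate": "2025-09-22", "knownRansomwareCampaignUse": "Known"}
  ]
}""")

# Constructed snapshot for day 2: the Oracle flag flips, one due date is edited in
# place, one entry is untouched, and one entry arrives already marked "Known".
NEW_SNAPSHOT = json.loads("""{
  "dateReleased": "2025-10-07",
  "vulnerabilities": [
    {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite",
     "dateAdded": "2025-10-06", "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Placeholder",
     "dateAdded": "2025-01-15", "dueDate": "2025-02-06", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Placeholder",
     "dateAdded": "2025-09-01", "dueDate": "2025-09-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0004", "vendorProject": "ExampleVendor", "product": "Placeholder",
     "dateAdded": "2025-10-07", "dueDate": "2025-10-28", "knownRansomwareCampaignUse": "Known"}
  ]
}""")


def index_by_cve(snapshot):
    """Map cveID -> entry so two snapshots can be compared entry by entry."""
    return {v["cveID"]: v for v in snapshot["vulnerabilities"]}


def diff_snapshots(old, new):
    """Report entries added, entries removed, and per-field changes on surviving entries."""
    before, after = index_by_cve(old), index_by_cve(new)
    changed = {}
    for cve in before.keys() & after.keys():
        delta = {f: (before[cve].get(f), after[cve].get(f))
                 for f in WATCHED_FIELDS if before[cve].get(f) != after[cve].get(f)}
        if delta:
            changed[cve] = delta
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": changed,
    }


def ransomware_flips(old, new):
    """Entries whose ransomware flag went Unknown -> Known, with the lag since dateAdded.

    The catalog records no timestamp for the change, so the lag is measured against
    the newer snapshot's dateReleased, i.e. the day the flip was first observed.
    Entries that arrive already marked "Known" show up under "added", not here.
    """
    observed = date.fromisoformat(new["dateReleased"])
    after = index_by_cve(new)
    flips = []
    for cve, delta in diff_snapshots(old, new)["changed"].items():
        if delta.get(RANSOMWARE_FIELD) == ("Unknown", "Known"):
            added = date.fromisoformat(after[cve]["dateAdded"])
            flips.append({
                "cveID": cve,
                "vendorProject": after[cve].get("vendorProject"),
                "dateAdded": after[cve]["dateAdded"],
                "flipObservedOn": new["dateReleased"],
                "daysSinceAdded": (observed - added).days,
            })
    return sorted(flips, key=lambda f: f["daysSinceAdded"], reverse=True)


if __name__ == "__main__":
    for flip in ransomware_flips(OLD_SNAPSHOT, NEW_SNAPSHOT):
        print(f"{flip['cveID']} ({flip['vendorProject']}): ransomware flag flipped to Known "
              f"{flip['daysSinceAdded']} day(s) after KEV addition on {flip['dateAdded']}")
```

In practice you would replace the two embedded snapshots with yesterday’s and today’s downloads of the feed and run the script from a daily job; keeping every snapshot on disk is what lets you reconstruct the full timeline for a CVE later, since the catalog only ever shows its current state. Because the lag is measured from the snapshot date rather than from a CISA-provided timestamp, a snapshot cadence coarser than daily will overstate it.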
“The only thing that was truly surprising was the length of time some of the existing KEV’d vulnerabilities sat without the ‘Known’ flag,” Thorpe tells Dark Reading. “Given that this initiative started in October 2023, I would have expected many of the existing vulnerabilities to have been backfilled with the status, but as you can see in our graphic, some sat for quite a while.”
A Fix for the KEV Flips
The silent updates are problematic because, as Thorpe noted, threats evolve over time and organizations may be unaware that ransomware actors are taking advantage of a KEV entry. “Relying on KEV for prioritization is already a trailing indicator, and waiting for the ransomware flag is even slower,” he wrote.
It’s also noteworthy because most CVEs are added to the catalog with ransomware status as “Unknown.” Thorpe tells Dark Reading that since 2024, only seven CVEs have been added with the ransomware flag initially, while 88 were flipped at a later date. “I don’t think it’s surprising to see such a ratio, given the time it takes to report and respond to ransomware activity. I’d assume it’s mostly due to getting it on the KEV first, then receiving ransomware evidence later.”
To address the discrepancy, Thorpe created an RSS feed that tracks CISA’s updates to the catalog. “It checks hourly and will notify you whenever a ransomware flag flips. No more silent changes,” he wrote.
Thorpe urged organizations to take advantage of the tool and to stay on top of evolving threats in order to get more accurate risk assessments. “CISA is already tracking these ransomware campaigns, correlating TTPs, and updating assessments,” he wrote. “That intelligence only matters if defenders are watching the delta, not just the headlines.”
Dark Reading contacted CISA for comment on GreyNoise’s report but the agency had not responded at press time.