The Cybersecurity and Infrastructure Security Agency (CISA) plays a crucial role in identifying vulnerabilities exploited in ransomware attacks, periodically updating its Known Exploited Vulnerabilities (KEV) catalog. However, the effectiveness of these updates is under scrutiny due to the lack of public announcements when changes occur.
Understanding CISA’s Update Mechanism
Since the latter part of 2023, CISA’s KEV catalog has included a field indicating whether a vulnerability is known to be used in ransomware operations. This information is intended to help cybersecurity defenders prioritize their patching efforts. However, these updates are often quietly made, without any public notification.
In 2025, CISA updated 59 vulnerabilities in its catalog, changing their ransomware-use status from ‘unknown’ to ‘known’. Glenn Thorpe, a senior director at GreyNoise, highlighted that the time between a vulnerability’s addition to the catalog and this status update ranged from one day to over 1,300 days.
Focus on Software Vulnerabilities
Among the vulnerabilities updated by CISA, those affecting Microsoft products were the most prevalent, accounting for over a quarter of the total updates. Other affected vendors included Ivanti, Fortinet, Palo Alto Networks, and Zimbra, with each having multiple vulnerabilities listed.
Thorpe noted that the most frequently exploited vulnerabilities involved authentication bypass and remote code execution, underscoring the importance of addressing these issues in cybersecurity strategies.
Implications for Cybersecurity Practices
Thorpe emphasized that these updates significantly impact an organization’s risk assessment. He expressed concern over the lack of alerts or announcements accompanying these updates, which are merely reflected as changes in a JSON file. This silent approach means defenders must actively monitor for changes rather than relying on headline alerts.
According to CISA’s Nick Andersen, the agency’s goal is to assist defenders in risk prioritization by tagging vulnerabilities with ransomware associations. He indicated CISA’s ongoing efforts to refine processes and enhance data through the KEV catalog, the Common Vulnerabilities and Exposures (CVE) Program, and other initiatives.
As CISA strives to make its updates more transparent, Thorpe has developed an RSS feed tool that checks for changes every hour. This tool aims to alert organizations whenever a ransomware tag in CISA’s catalog is updated, thus improving their ability to respond to evolving threats.
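Because the ransomware tag changes without any announcement, the practical defender task described above is to keep a previous copy of the KEV JSON and diff it against the current one. The following is an added example, not code from the article, from GreyNoise, or from Thorpe’s RSS tool; it assumes the public feed’s structure (a top-level "vulnerabilities" list with "cveID", "dateAdded" and a "knownRansomwareCampaignUse" field holding "Known" or "Unknown", plus a "dateReleased" timestamp), which should be verified against the live file. The CVE ids, vendors and dates in the two snapshots are constructed placeholders. The script reports entries whose tag flipped, entries that arrived already tagged, and how many days each entry had sat in the catalog before the tag changed, the lag the article describes.

```python
"""Diff two snapshots of the CISA KEV JSON and report silent ransomware-tag changes.

Added example; field names and feed URL are assumptions to verify against the
live catalog. Snapshot contents below are constructed, not real KEV data.
"""
import json
from datetime import date

# Assumed location of the public feed (not fetched in this offline example).
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
RANSOMWARE_FIELD = "knownRansomwareCampaignUse"  # assumed field name, values "Known"/"Unknown"

# Constructed snapshot: the catalog as it looked on 2025-01-01 (placeholder CVE ids).
OLD_SNAPSHOT_JSON = """
{
  "catalogVersion": "2025.01.01",
  "dateReleased": "2025-01-01T12:00:00.0000Z",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
     "dateAdded": "2023-11-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dateAdded": "2024-03-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "MailServer",
     "dateAdded": "2021-06-10", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed snapshot: the same catalog on 2025-02-10, with two tags flipped and one new entry.
NEW_SNAPSHOT_JSON = """
{
  "catalogVersion": "2025.02.10",
  "dateReleased": "2025-02-10T12:00:00.0000Z",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
     "dateAdded": "2023-11-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dateAdded": "2024-03-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "MailServer",
     "dateAdded": "2021-06-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor", "product": "Firewall",
     "dateAdded": "2025-02-09", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""


def index_by_cve(catalog):
    """Map cveID -> catalog entry so two snapshots can be compared entry by entry."""
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def released_on(catalog):
    """Date part of the snapshot's dateReleased timestamp."""
    return date.fromisoformat(catalog["dateReleased"][:10])


def ransomware_tag_changes(old_catalog, new_catalog):
    """Return entries whose ransomware tag changed, or that arrived already tagged Known.

    days_since_added measures how long the entry had been in the catalog when the
    new snapshot was released, i.e. the lag before the tag was updated.
    """
    old = index_by_cve(old_catalog)
    new = index_by_cve(new_catalog)
    seen = released_on(new_catalog)
    changes = []
    for cve_id in sorted(new):
        entry = new[cve_id]
        new_flag = entry.get(RANSOMWARE_FIELD, "Unknown")
        prev = old.get(cve_id)
        if prev is None:
            if new_flag != "Known":
                continue  # new entry without a ransomware tag: out of scope here
            kind, old_flag = "new-entry", None
        else:
            old_flag = prev.get(RANSOMWARE_FIELD, "Unknown")
            if old_flag == new_flag:
                continue  # tag unchanged in either direction
            kind = "tag-changed"
        added = date.fromisoformat(entry["dateAdded"])
        changes.append({
            "cveID": cve_id, "kind": kind, "old": old_flag, "new": new_flag,
            "vendor": entry.get("vendorProject"), "product": entry.get("product"),
            "days_since_added": (seen - added).days,
        })
    return changes


def format_alerts(changes):
    """One human-readable line per change, suitable for an RSS item or chat alert."""
    lines = []
    for c in changes:
        label = f"{c['cveID']} ({c['vendor']} {c['product']})"
        if c["kind"] == "new-entry":
            lines.append(f"{label}: added to KEV with ransomware use = {c['new']}")
        else:
            lines.append(f"{label}: ransomware use {c['old']} -> {c['new']} "
                         f"after {c['days_since_added']} days in the catalog")
    return lines


def demo_changes():
    """Run the diff over the two constructed snapshots."""
    return ransomware_tag_changes(json.loads(OLD_SNAPSHOT_JSON), json.loads(NEW_SNAPSHOT_JSON))


if __name__ == "__main__":
    for line in format_alerts(demo_changes()):
        print(line)
```

In production the old snapshot would be whatever was saved on the previous run and the new one fetched from KEV_FEED_URL (for example with urllib on an hourly schedule, as Thorpe’s tool does); comparing on cveID rather than list position matters because the feed is not guaranteed to keep entries in a stable order, and treating a missing field as "Unknown" keeps the diff working if older snapshots predate the field.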
The evolving nature of cybersecurity threats and CISA’s role in tracking them highlight the importance of staying vigilant and responsive. As the agency works on enhancing its tools and methodologies, the cybersecurity community’s feedback remains vital to advancing vulnerability management.
