For years, the US Cybersecurity and Infrastructure Security Agency (CISA) has worked to help organizations prioritize and mitigate vulnerabilities more effectively. However, one researcher has found a significant flaw in the agency's methodology.

Numerous entries to CISA's Known Exploited Vulnerabilities (KEV) catalog were covertly updated throughout 2025 to reflect ransomware attacks against those CVEs, according to Glenn Thorpe, senior director of security research and detection engineering at GreyNoise.

"Known To Be Used in Ransomware Campaigns?" is a field in the KEV catalog, and the majority of entries initially state "Unknown." Thorpe discovered 59 vulnerabilities that, at some point after being added to the catalog, had their ransomware statuses subtly changed to "Known" in 2025.

Thorpe found it troubling that the ransomware status updates are not otherwise made public. "CISA is stating: 'We have evidence that ransomware operators are now using this vulnerability in their campaigns,' when that field changes from 'Unknown' to 'Known,'" he wrote in a blog post on Monday. "That's a significant shift in your risk posture."

"The length of time some of the existing KEV'd vulnerabilities sat without the 'Known' flag was the only thing that was truly surprising," Thorpe tells Dark Reading. "I would have anticipated that many of the current vulnerabilities would have been backfilled with the status given that this initiative began in October 2023, but as our graphic shows, some sat for a considerable amount of time."

As Thorpe pointed out, threats change over time, and organizations might not be aware that ransomware actors are exploiting a KEV entry, which is what makes the silent updates problematic.

"Relying on KEV for prioritization is already a trailing indicator, and waiting for the ransomware flag is even slower," he wrote. Thorpe tells Dark Reading that since 2024, only seven CVEs have been added to the catalog with the ransomware flag set from the start, while 88 had the flag flipped later. This matters because the majority of CVEs enter the catalog with the ransomware status set to "Unknown."
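Since the catalog itself announces nothing when the field flips, the practical defense is to diff successive snapshots of the KEV feed yourself. The following Python script is an added illustration (not code from the article, from Dark Reading, or from GreyNoise): it compares two snapshots and separates entries that silently flipped from "Unknown" to "Known" from entries that arrived already flagged, mirroring the two counts Thorpe reported. The field name `knownRansomwareCampaignUse` is the one used in CISA's published KEV JSON feed (an assumption on my part, not something the article states), and both snapshots below are constructed samples with placeholder CVE IDs.

```python
"""Detect silent ransomware-flag flips between two KEV catalog snapshots."""
import json
from typing import Dict, List

# Field names follow CISA's published KEV JSON feed (assumed here, not taken
# from the article): each entry carries "cveID" and "knownRansomwareCampaignUse".
RANSOMWARE_FIELD = "knownRansomwareCampaignUse"

# Constructed sample snapshots; the CVE IDs are placeholders, not real entries.
SNAPSHOT_OLD = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-0001", RANSOMWARE_FIELD: "Unknown"},
    {"cveID": "CVE-2099-0002", RANSOMWARE_FIELD: "Unknown"},
    {"cveID": "CVE-2099-0003", RANSOMWARE_FIELD: "Known"},
]})
SNAPSHOT_NEW = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-0001", RANSOMWARE_FIELD: "Known"},    # silent flip
    {"cveID": "CVE-2099-0002", RANSOMWARE_FIELD: "Unknown"},  # unchanged
    {"cveID": "CVE-2099-0003", RANSOMWARE_FIELD: "Known"},    # already Known
    {"cveID": "CVE-2099-0004", RANSOMWARE_FIELD: "Known"},    # new, flagged on add
    {"cveID": "CVE-2099-0005", RANSOMWARE_FIELD: "Unknown"},  # new, not flagged
]})


def index_by_cve(snapshot_json: str) -> Dict[str, str]:
    """Map cveID -> ransomware status for one catalog snapshot."""
    data = json.loads(snapshot_json)
    return {v["cveID"]: v.get(RANSOMWARE_FIELD, "Unknown")
            for v in data["vulnerabilities"]}


def diff_ransomware_status(old_json: str, new_json: str) -> Dict[str, List[str]]:
    """Classify status changes between snapshots.

    flipped:       existing entry whose status moved from non-Known to Known
    added_known:   new entry that arrived already flagged Known
    added_unknown: new entry that arrived with status Unknown
    """
    old, new = index_by_cve(old_json), index_by_cve(new_json)
    result: Dict[str, List[str]] = {"flipped": [], "added_known": [], "added_unknown": []}
    for cve, status in new.items():
        if cve not in old:
            bucket = "added_known" if status == "Known" else "added_unknown"
            result[bucket].append(cve)
        elif old[cve] != "Known" and status == "Known":
            result["flipped"].append(cve)
    return result


if __name__ == "__main__":
    print(json.dumps(diff_ransomware_status(SNAPSHOT_OLD, SNAPSHOT_NEW), indent=2))
```

Run it on a daily schedule against the real feed and alert on a non-empty `flipped` list; a flip is the signal the catalog does not otherwise emit.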

"Considering how long it takes to report and address ransomware activity, I don't think this ratio is shocking.