Summary Points
- CISA’s Vulnerability Updates Lacking Transparency: Researcher Glenn Thorpe highlights that CISA has silently updated the Known Exploited Vulnerabilities (KEV) catalog to indicate that many vulnerabilities are being exploited in ransomware attacks, without public announcements.
- Critical Changes in Risk Posture Ignored: The shift from “Unknown” to “Known” ransomware status for 59 vulnerabilities represents a significant change in risk that organizations may overlook unless they regularly monitor the catalog.
- Ineffective Threat Intelligence Handling: Organizations excel at responding to new threats but struggle to notice when existing threats evolve, risking inadequate prioritization of vulnerabilities.
- Proactive Solutions Implemented: Thorpe created an RSS feed to track CISA’s catalog updates, aiming to notify organizations of ransomware status changes and improve their risk assessment practices.
CISA’s Quiet Ransomware Updates Raise Concerns
The US Cybersecurity and Infrastructure Security Agency (CISA) continues to enhance its Known Exploited Vulnerabilities (KEV) catalog. Recently, however, a researcher highlighted a significant issue. Glenn Thorpe, senior director at GreyNoise, discovered that CISA has quietly updated many entries to reflect their connection to ransomware attacks. Specifically, he found 59 vulnerabilities that changed status to “Known” in 2025. Notably, these status changes remain unpublicized, leaving organizations unaware of evolving threats.
If companies overlook these updates, they risk misprioritizing vulnerabilities. Thorpe explained that when a vulnerability switches from “Unknown” to “Known,” it signals a heightened risk level. Yet, most organizations do not review the KEV catalog daily. Therefore, they might unknowingly leave themselves exposed to active threats. This situation calls for improved threat intelligence practices, as many rely on immediate disclosure of new vulnerabilities rather than ongoing surveillance of existing ones.
Addressing the Information Gap
Thorpe’s investigation revealed that the vulnerabilities commonly involved network edge devices from well-known vendors. Ransomware operators increasingly exploit these types of flaws, which leads to severe risks. Additionally, Thorpe noted that time gaps between a vulnerability’s addition to the catalog and its updated ransomware status often differ dramatically. Some vulnerabilities received updates within a day, while others took years.
To help organizations stay informed, Thorpe created an RSS feed that tracks these updates hourly. This tool aims to eliminate the silence surrounding critical changes in vulnerability status. Thorpe encourages all organizations to utilize this resource for more accurate risk assessments. By keeping an eye on the evolving landscape of threats, organizations can better defend against ransomware and enhance their overall cybersecurity posture.
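The status flip described above can also be detected locally by diffing two saved copies of the KEV JSON. The sketch below is an added example, not Thorpe's feed or CISA code; it assumes the `cveID`, `dateAdded` and `knownRansomwareCampaignUse` fields of the public KEV JSON file, and the snapshots and CVE IDs in it are constructed placeholders.

```python
import json
from datetime import date

# Constructed snapshots in the KEV JSON layout; the CVE IDs are placeholders.
OLD_SNAPSHOT = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "dateAdded": "2023-03-10", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0002", "dateAdded": "2025-06-01", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "dateAdded": "2024-01-15", "knownRansomwareCampaignUse": "Known"}
]}""")
NEW_SNAPSHOT = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "dateAdded": "2023-03-10", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "dateAdded": "2025-06-01", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0003", "dateAdded": "2024-01-15", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0004", "dateAdded": "2025-06-02", "knownRansomwareCampaignUse": "Known"}
]}""")


def index_by_cve(snapshot):
    """Map cveID -> catalog entry for one snapshot."""
    return {v["cveID"]: v for v in snapshot.get("vulnerabilities", [])}


def ransomware_flips(old, new, observed):
    """Entries whose ransomware flag went from not-Known to Known between snapshots.

    `observed` is the date the newer snapshot was fetched; it is used to
    report how long the entry sat in the catalog before the flag changed.
    """
    before = index_by_cve(old)
    flips = []
    for cve, entry in index_by_cve(new).items():
        prev = before.get(cve)
        if prev is None:
            continue  # brand-new entry: announced through the normal KEV alerts
        was = prev.get("knownRansomwareCampaignUse", "Unknown").strip().lower()
        now = entry.get("knownRansomwareCampaignUse", "Unknown").strip().lower()
        if was != "known" and now == "known":
            added = date.fromisoformat(entry["dateAdded"])
            flips.append({"cveID": cve, "dateAdded": entry["dateAdded"],
                          "days_in_catalog": (observed - added).days})
    # Longest-standing entries first: these are the ones most likely already triaged.
    return sorted(flips, key=lambda f: f["days_in_catalog"], reverse=True)


if __name__ == "__main__":
    for f in ransomware_flips(OLD_SNAPSHOT, NEW_SNAPSHOT, date(2025, 6, 2)):
        print(f"{f['cveID']} now Known for ransomware use "
              f"({f['days_in_catalog']} days after being added)")
```

Feeding the result into a ticketing or vulnerability-management queue lets a previously deprioritized CVE be re-scored when its ransomware status changes.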
