Full Report
GreyNoise's Glenn Thorpe counts the cost of missed opportunities

On 59 occasions throughout 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) silently tweaked vulnerability notices to reflect their use by ransomware crooks. Experts say that's a problem.…
Analysis Summary
This summary is based on the provided context, which describes a systemic issue with how the CISA Known Exploited Vulnerabilities (KEV) catalog is updated rather than detailing specific CVEs. Technical details such as CVE IDs, severity scores and exact vulnerability classes (RCE vs. authentication bypass) are therefore recorded as *General*, reflecting the analyst's findings about the affected entries as a group.
# Vulnerability: Unreported Ransomware Use Flag Changes in CISA KEV Catalog
## CVE Details
- CVE ID: [Not specified individually; applies to 59 CVEs in 2025]
- CVSS Score: [Not specified individually; general severity implied by KEV inclusion]
- CWE: [Not specified individually; the categories mentioned in the context are Authentication Bypass and Remote Code Execution (RCE), which are likely prominent among the affected entries]
## Affected Systems
- Products: Microsoft, Ivanti, Fortinet, PANW, Zimbra (and potentially others across 59 distinct vulnerabilities).
- Versions: [Not specified individually]
- Configurations: [Not specified individually]
## Vulnerability Description
The core issue is that CISA silently modified the "known ransomware use" indicator for 59 vulnerabilities throughout 2025, switching the status from "Unknown" to "Known" without issuing an alert or formal notification to defenders. The flip signifies that CISA has evidence of active exploitation by ransomware affiliates, a material shift in risk posture that defenders currently miss unless they inspect the KEV JSON file manually and compare it against an earlier copy. The changes affect older, previously cataloged vulnerabilities (some over 1,353 days old) as well as newly added ones.
## Exploitation
- Status: Confirmed Exploited in the Wild (by Ransomware Affiliates) as of the time the flag was flipped in 2025.
- Complexity: [General exploitation noted for Auth Bypass/RCE]
- Attack Vector: Implied vectors cover the perimeter devices favoured by ransomware operators (firewalls, VPN concentrators, email servers).
## Impact
- Confidentiality: [Assumed High, typical for ransomware activity]
- Integrity: [Assumed High, due to encryption/data manipulation]
- Availability: [Assumed High, due to systemic network disruption]
## Remediation
### Patches
- [Specific patches not detailed, refer to individual CISA KEV advisories for the 59 associated CVEs.]
### Workarounds
- [No specific workarounds detailed in the context.]
## Detection
- **Indicators of Compromise (IOCs):** Specific IOCs tied to the 59 CVEs require consulting the individual KEV entries updated throughout 2025.
- **Detection Methods and Tools:** GreyNoise has released an RSS feed (`https://kev.labs.greynoise.io/kev-ransom-feed.rss`) that is updated hourly and reports specifically when the ransomware status field of a KEV entry flips from 'Unknown' to 'Known'. Defenders should subscribe to this feed rather than rely on manual inspection of the catalog.
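The same check can be run in-house by diffing two snapshots of the KEV catalog, as in this added example (not GreyNoise's or CISA's code). It assumes the real KEV JSON layout, a top-level `vulnerabilities` list whose entries carry a `knownRansomwareCampaignUse` field of `"Known"` or `"Unknown"`; the two snapshots and their CVE IDs are constructed placeholders, and it also flags new entries that arrive already marked `"Known"`, which the description above notes alongside the silent flips.

```python
import json
from datetime import date

# Constructed snapshots in the shape of the CISA KEV catalog JSON: a top-level
# "vulnerabilities" list whose entries carry knownRansomwareCampaignUse.
# CVE IDs, vendors and products are placeholders, not real catalog entries.
KEV_YESTERDAY = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dateAdded": "2022-01-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
     "dateAdded": "2024-06-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "ExampleFW",
     "dateAdded": "2025-03-15", "knownRansomwareCampaignUse": "Unknown"},
]})
KEV_TODAY = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dateAdded": "2022-01-10", "knownRansomwareCampaignUse": "Known"},    # flipped, no alert
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
     "dateAdded": "2024-06-01", "knownRansomwareCampaignUse": "Known"},    # unchanged
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "ExampleFW",
     "dateAdded": "2025-03-15", "knownRansomwareCampaignUse": "Unknown"},  # unchanged
    {"cveID": "CVE-0000-0004", "vendorProject": "ExampleVendor", "product": "ExampleGW",
     "dateAdded": "2025-09-02", "knownRansomwareCampaignUse": "Known"},    # new, already Known
]})

def index_by_cve(kev_json: str) -> dict:
    """Map cveID -> entry for one snapshot of the catalog."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def ransomware_flag_flips(old_json: str, new_json: str, as_of: date) -> list:
    """Entries now 'Known' that were not 'Known' (or not present) in the older snapshot."""
    old, new = index_by_cve(old_json), index_by_cve(new_json)
    flips = []
    for cve, entry in new.items():
        now = entry.get("knownRansomwareCampaignUse", "Unknown")
        # A CVE absent from the old snapshot is treated as a flip too.
        before = old[cve].get("knownRansomwareCampaignUse", "Unknown") if cve in old else None
        if now == "Known" and before != "Known":
            flips.append({
                "cveID": cve,
                "vendorProject": entry.get("vendorProject"), "product": entry.get("product"),
                "previous": before if before is not None else "not in catalog",
                # How long the entry sat in KEV before the flag changed.
                "days_in_catalog": (as_of - date.fromisoformat(entry["dateAdded"])).days,
            })
    return sorted(flips, key=lambda f: f["cveID"])

if __name__ == "__main__":
    for f in ransomware_flag_flips(KEV_YESTERDAY, KEV_TODAY, date(2025, 10, 1)):
        print(f"{f['cveID']} {f['vendorProject']}/{f['product']}: {f['previous']} -> Known after {f['days_in_catalog']} days in KEV")
```

Run it hourly against a stored copy of the previous download and route the returned list to the same channel as new KEV additions, since a flip on an entry that is years old carries the same urgency as a fresh one.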
## References
- Vendor Advisories: Individual advisories pertaining to the 59 affected CVEs.
- Relevant links:
- GreyNoise Ransomware Status Feed (subscribable): `https://kev.labs.greynoise.io/kev-ransom-feed.rss`
- Previous GreyNoise analysis: `https://www.greynoise.io/blog/unveiling-vulnerability-insights-from-the-cisa-kev-catalog-at-bsideslv`