
"Thorpe described the KEV updates as representing a material change to an organization's risk posture. 'Your prioritization calculus should shift. But there's no alert, no announcement. Just a field change in a JSON file,' the expert said. 'We're good at reacting to new disclosures. Decent at tracking active exploitation. But we're not great at noticing when the characterization of existing threats evolves,' Thorpe noted."
"Since late 2023, each entry in CISA's KEV catalog has indicated whether the vulnerability has been observed in ransomware campaigns, helping defenders prioritize patches. According to Glenn Thorpe, senior director of security research and engineering at threat intelligence firm GreyNoise, CISA updated the entries for 59 vulnerabilities in 2025 to flip the 'known to be used in ransomware campaigns' data field from 'unknown' to 'known'."
CISA's Known Exploited Vulnerabilities (KEV) catalog marks vulnerabilities observed in ransomware campaigns to help defenders prioritize patches; each KEV entry has carried this indicator since late 2023. GreyNoise reported that CISA flipped the ransomware-observed field from 'unknown' to 'known' for 59 vulnerabilities in 2025, with time-to-flip ranging from one day to over 1,300 days. Microsoft vulnerabilities represented more than a quarter of the updates, followed by Ivanti, Fortinet, Palo Alto Networks, and Zimbra. The most commonly reported exploitation types were authentication bypass and remote code execution. The updates can materially change an organization's risk posture, but they are applied without any public alert or announcement.
Read at SecurityWeek
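
The silent field change described above can be caught by diffing two saved copies of the catalog. The following is an added example, not code from SecurityWeek, GreyNoise or CISA; it assumes the KEV JSON layout (`vulnerabilities`, `cveID`, `dateAdded`, `knownRansomwareCampaignUse`), uses constructed snapshots with placeholder CVE IDs, and treats the date the newer snapshot was fetched as the flip date.

```python
import json
from datetime import date

FIELD = "knownRansomwareCampaignUse"  # KEV JSON field; values "Known" / "Unknown"

def _index(catalog):
    """Map cveID -> entry for one parsed KEV catalog snapshot."""
    return {v["cveID"]: v for v in catalog.get("vulnerabilities", [])}

def _is_known(entry):
    # Case-insensitive compare; a missing field counts as not known.
    return str(entry.get(FIELD, "")).strip().lower() == "known"

def find_ransomware_flips(old_catalog, new_catalog, observed_on):
    """Entries present in both snapshots whose ransomware field went from
    not-known to known, with days elapsed since the entry was added."""
    old, new = _index(old_catalog), _index(new_catalog)
    flips = []
    for cve, entry in new.items():
        prev = old.get(cve)
        if prev is None:
            continue  # brand-new KEV entry: a normal addition, not a flip
        if _is_known(entry) and not _is_known(prev):
            added = date.fromisoformat(entry["dateAdded"])
            flips.append({"cveID": cve,
                          "vendorProject": entry.get("vendorProject", ""),
                          "product": entry.get("product", ""),
                          "days_to_flip": (observed_on - added).days})
    return sorted(flips, key=lambda f: f["days_to_flip"], reverse=True)

def _entry(cve, vendor, added, use):
    # Helper for the constructed sample data below (hypothetical values).
    return {"cveID": cve, "vendorProject": vendor, "product": "ExampleProduct",
            "dateAdded": added, FIELD: use}

# Constructed snapshots: placeholder CVE IDs and vendors, not real catalog data.
OLD = {"vulnerabilities": [
    _entry("CVE-0000-0001", "ExampleVendorA", "2021-11-03", "Unknown"),
    _entry("CVE-0000-0002", "ExampleVendorB", "2025-05-31", "Unknown"),
    _entry("CVE-0000-0003", "ExampleVendorC", "2024-01-15", "Known")]}
NEW = {"vulnerabilities": [
    _entry("CVE-0000-0001", "ExampleVendorA", "2021-11-03", "Known"),   # flipped
    _entry("CVE-0000-0002", "ExampleVendorB", "2025-05-31", "Known"),   # flipped
    _entry("CVE-0000-0003", "ExampleVendorC", "2024-01-15", "Known"),   # unchanged
    _entry("CVE-0000-0004", "ExampleVendorD", "2025-06-01", "Known")]}  # new entry

if __name__ == "__main__":
    for f in find_ransomware_flips(OLD, NEW, observed_on=date(2025, 6, 1)):
        print(json.dumps(f))
```

Run on a schedule against the previously stored copy, the returned list is the set of CVEs to re-rank in the patch queue.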