Ethical Hacking News
US Cybersecurity and Infrastructure Security Agency (CISA) silently updated its Known Exploited Vulnerability (KEV) catalog with new information on 59 vulnerabilities without notifying defenders. The update has raised concerns about the agency's approach to safeguarding against ransomware attacks, highlighting the need for increased transparency and communication among all stakeholders involved in cybersecurity.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently updated its Known Exploited Vulnerability (KEV) catalog with new information on 59 vulnerabilities without notifying defenders. The update marks a significant shift in how CISA informs those responsible for securing federal networks about emerging threats, raising questions about the agency's approach to safeguarding against ransomware attacks. A lack of transparency from CISA has sparked concern among cybersecurity experts and defenders, with some suggesting that defenders may be inadvertently leaving vulnerabilities open to attack. GreyNoise has released an RSS feed providing real-time updates on changes in the KEV catalog's "known ransomware use" indicator, offering defenders a proactive way to stay informed about emerging threats.
In a concerning development that highlights the complexities of cybersecurity, the US Cybersecurity and Infrastructure Security Agency (CISA) recently updated its Known Exploited Vulnerability (KEV) catalog with new information on 59 vulnerabilities without notifying defenders. The update marked a significant shift in how CISA informs those responsible for securing federal networks about emerging threats, raising questions about the agency's approach to safeguarding against ransomware attacks.
According to Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, this change in practice could have far-reaching implications. "When that field flips from 'Unknown' to 'Known,' CISA is saying: 'We have evidence that ransomware operators are now using this vulnerability in their campaigns,'" he explained. "That's a material change in your risk posture. Your prioritization calculus should shift. But there's no alert, no announcement. Just a field change in a JSON file." This lack of transparency highlights the need for defenders to stay vigilant and proactive in their efforts to protect against ransomware threats.
The KEV catalog serves as an essential tool for identifying the most serious vulnerabilities at any given time, providing critical information for defenders to prioritize their patching efforts. However, with CISA updating the catalog without notifying defenders about changes in the "known ransomware use" indicator, experts worry that defenders may be inadvertently leaving some vulnerabilities open to attack.
Thorpe's analysis of the 59 flipped vulnerabilities revealed that a significant portion (16) were Microsoft CVEs, while others came from Ivanti, Fortinet, PANW, and Zimbra. Notably, more than one-third (39 percent) of the bugs confirmed to be used in ransomware campaigns in 2025 were first added to the KEV catalog before 2023. This finding underscores the importance of staying vigilant and proactive in patching vulnerabilities, as some may have been overlooked or undervalued during previous updates.
Furthermore, Thorpe's research identified that authentication bypasses and remote code execution flaws were among the most likely to flip after being added to the KEV catalog. These types of vulnerabilities pose significant risks, particularly for organizations handling sensitive data, as attackers can exploit them to gain unauthorized access or execute malicious code.
The lack of transparency from CISA on this issue has sparked concern among cybersecurity experts and defenders. "Maybe CISA should take its own advice about insider threats," Thorpe quipped in a tongue-in-cheek reference to the agency's previous warnings about insider threats. This commentary highlights the need for increased communication and awareness among all stakeholders involved in cybersecurity.
To address this issue, GreyNoise has now released an RSS feed that provides real-time updates on changes in the KEV catalog's "known ransomware use" indicator. This resource offers defenders a proactive way to stay informed about emerging threats and adjust their patching strategies accordingly. While it is unclear whether CISA will adopt similar measures, the development of this feed underscores the growing recognition among cybersecurity professionals that transparency and communication are essential components of effective risk management.
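Defenders who keep dated copies of the KEV JSON file can also catch these flips themselves by diffing two snapshots. The sketch below is an added example, not code from CISA, GreyNoise or the original article; it assumes the key names of CISA's published KEV JSON feed (cveID, vendorProject, dateAdded, knownRansomwareCampaignUse), and the snapshots, CVE IDs and vendor are constructed placeholders.

```python
RANSOMWARE_FIELD = "knownRansomwareCampaignUse"  # key used in CISA's KEV JSON feed


def index_by_cve(catalog):
    """Map cveID -> entry for one parsed KEV snapshot."""
    return {v["cveID"]: v for v in catalog.get("vulnerabilities", [])}


def ransomware_flips(old, new):
    """List entries whose ransomware indicator is 'Known' in `new` but was not in `old`.

    Reports silent flips on existing entries ('Unknown' -> 'Known') and entries
    that first appear in `new` already marked 'Known' (previous = 'absent').
    """
    before, after = index_by_cve(old), index_by_cve(new)
    flips = []
    for cve, entry in sorted(after.items()):
        now = entry.get(RANSOMWARE_FIELD, "Unknown")
        prev = before.get(cve)
        was = prev.get(RANSOMWARE_FIELD, "Unknown") if prev else "absent"
        if now == "Known" and was != "Known":
            flips.append({"cveID": cve,
                          "vendorProject": entry.get("vendorProject", ""),
                          "dateAdded": entry.get("dateAdded", ""),
                          "previous": was})
    return flips


def _entry(cve, added, ransomware):
    # Constructed sample record: placeholder CVE ID and vendor, not catalog data.
    return {"cveID": cve, "vendorProject": "ExampleVendor",
            "dateAdded": added, RANSOMWARE_FIELD: ransomware}


# Two constructed snapshots of the catalog, e.g. yesterday's and today's download.
OLD_SNAPSHOT = {"vulnerabilities": [
    _entry("CVE-0000-0001", "2022-05-01", "Unknown"),
    _entry("CVE-0000-0002", "2023-01-10", "Known"),
    _entry("CVE-0000-0003", "2024-07-19", "Unknown"),
]}
NEW_SNAPSHOT = {"vulnerabilities": [
    _entry("CVE-0000-0001", "2022-05-01", "Known"),    # silent flip
    _entry("CVE-0000-0002", "2023-01-10", "Known"),    # unchanged
    _entry("CVE-0000-0003", "2024-07-19", "Unknown"),  # unchanged
    _entry("CVE-0000-0004", "2025-03-02", "Known"),    # new entry, already Known
]}

if __name__ == "__main__":
    for flip in ransomware_flips(OLD_SNAPSHOT, NEW_SNAPSHOT):
        print(f'{flip["cveID"]} ({flip["vendorProject"]}, added {flip["dateAdded"]}): '
              f'{flip["previous"]} -> Known')
```

Keeping dateAdded in the output makes it easy to spot flips on entries that have sat in the catalog for years, which is the case the article highlights.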
Ultimately, this controversy highlights the complexities and nuances involved in securing against ransomware attacks. As attackers continue to evolve and adapt their tactics, defenders must remain vigilant and proactive in their efforts to protect against emerging threats. By staying informed about vulnerabilities and taking swift action to patch and mitigate risks, defenders can help prevent the devastating consequences of a successful ransomware attack.
Related Information:
https://www.ethicalhackingnews.com/articles/CISAs-Silence-on-Ransomware-Vulnerabilities-A-Threat-to-Cybersecurity-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/02/03/greynoise_cisa_ransomware_gripe/
https://www.msn.com/en-us/news/technology/cisa-updated-ransomware-intel-on-59-bugs-last-year-without-telling-defenders/ar-AA1VAMTR
https://www.theregister.com/2026/02/03/greynoise_cisa_ransomware_gripe/
Published: Tue Feb 3 12:45:23 2026 by llama3.2 3B Q4_K_M