
CISA silently flagged 59 ransomware bugs in 2025 without alerting defenders

The US cybersecurity agency updated its vulnerability catalog to mark 59 bugs as ransomware-linked last year, but never notified security teams when the status changed. GreyNoise found the oldest update came 1,353 days after initial listing, creating a blind spot for defenders prioritizing patches.


CISA added a ransomware indicator to 59 vulnerabilities in its Known Exploited Vulnerability catalog throughout 2025 without alerting anyone, according to research from GreyNoise.

Glenn Thorpe, senior director of security research at GreyNoise, tracked every time CISA changed a bug's status from "unknown" ransomware use to "known" ransomware use. The problem: defenders relying on CISA's catalog had no way to know about these updates unless they manually checked the JSON file daily.

"When that field flips from 'Unknown' to 'Known,' CISA is saying: 'We have evidence that ransomware operators are now using this vulnerability in their campaigns,'" Thorpe said. "That's a material change in your risk posture. But there's no alert, no announcement."

The lag matters because ransomware-linked vulnerabilities get patched 2.5 times faster than others. Security teams use the ransomware indicator to prioritize limited patching resources.

Microsoft accounted for 16 of the 59 updated bugs. Ivanti, Fortinet, Palo Alto Networks, and Zimbra made up most of the rest, reflecting ransomware operators' focus on firewalls, VPN concentrators, and email servers with broad deployment.

More than a third of the bugs marked as ransomware-linked in 2025 were first added to the KEV catalog before 2023. The oldest sat for 1,353 days before CISA confirmed ransomware use. The fastest flip took one day.

Authentication bypasses and remote code execution flaws were most likely to be updated with ransomware indicators after initial listing.

GreyNoise released an RSS feed to track these changes automatically. The real question is whether CISA will build native notification into the KEV catalog itself, or if enterprise security teams will need to keep engineering workarounds for a government intelligence feed that updates silently.
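The check Thorpe describes, polling the KEV JSON and watching for the ransomware field to flip on an existing entry, is simple to automate. The script below is an added example written for this article, not GreyNoise's tooling or CISA's code. It diffs two saved snapshots of the catalog, reports only entries whose `knownRansomwareCampaignUse` value changed from `Unknown` to `Known` (a brand-new listing that arrives already marked `Known` is announced through the normal addition process and is ignored), and computes the lag between the original `dateAdded` and the day the flip was observed. The field names match the published KEV JSON schema; the two snapshots, the CVE identifiers and the vendor names are constructed placeholders.

```python
"""Detect silent 'Unknown' -> 'Known' ransomware flips between two KEV catalog snapshots."""
import json
from datetime import date

# Constructed sample snapshots. The real file is CISA's known_exploited_vulnerabilities.json;
# these CVE ids, vendors and dates are placeholders made up for this example.
SNAPSHOT_PREVIOUS = json.dumps({
    "catalogVersion": "2025.11.26",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
         "dateAdded": "2022-03-15", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
         "dateAdded": "2025-11-20", "knownRansomwareCampaignUse": "Unknown"},
    ],
})
SNAPSHOT_CURRENT = json.dumps({
    "catalogVersion": "2025.11.27",
    "vulnerabilities": [
        # Existing entry whose ransomware status flipped: this is the silent change to catch.
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
         "dateAdded": "2022-03-15", "knownRansomwareCampaignUse": "Known"},
        # Unchanged entry.
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
         "dateAdded": "2025-11-20", "knownRansomwareCampaignUse": "Unknown"},
        # New listing added already marked Known: visible via the normal KEV addition, not a flip.
        {"cveID": "CVE-1900-0003", "vendorProject": "OtherVendor", "product": "VPN Concentrator",
         "dateAdded": "2025-11-27", "knownRansomwareCampaignUse": "Known"},
    ],
})


def index_by_cve(snapshot_json: str) -> dict:
    """Map cveID -> catalog record for one snapshot of the KEV JSON."""
    catalog = json.loads(snapshot_json)
    return {entry["cveID"]: entry for entry in catalog.get("vulnerabilities", [])}


def find_ransomware_flips(previous_json: str, current_json: str, observed_on: str) -> list:
    """Return entries present in both snapshots whose ransomware field went Unknown -> Known.

    observed_on is an ISO date (YYYY-MM-DD) used to compute the lag since the entry was listed.
    Results are sorted with the longest-delayed flips first.
    """
    previous = index_by_cve(previous_json)
    current = index_by_cve(current_json)
    observed = date.fromisoformat(observed_on)
    flips = []
    for cve_id, record in current.items():
        old = previous.get(cve_id)
        if old is None:
            continue  # new listing, not a status change on an existing entry
        if old.get("knownRansomwareCampaignUse") == "Known":
            continue  # already flagged before; nothing changed
        if record.get("knownRansomwareCampaignUse") != "Known":
            continue  # still Unknown (or some other value); no flip
        listed = date.fromisoformat(record["dateAdded"])
        flips.append({
            "cveID": cve_id,
            "vendorProject": record.get("vendorProject"),
            "product": record.get("product"),
            "dateAdded": record["dateAdded"],
            "daysSinceListing": (observed - listed).days,
        })
    return sorted(flips, key=lambda f: f["daysSinceListing"], reverse=True)


if __name__ == "__main__":
    for flip in find_ransomware_flips(SNAPSHOT_PREVIOUS, SNAPSHOT_CURRENT, "2025-11-27"):
        print(f"{flip['cveID']} ({flip['vendorProject']} {flip['product']}): "
              f"ransomware use now Known, {flip['daysSinceListing']} days after listing")
```

To run this against the real catalog, save a copy of the KEV JSON once a day and pass yesterday's and today's files as the two snapshots; anything the function returns is a change CISA made without an announcement, and the `daysSinceListing` value tells you how long the entry sat in your backlog at the lower priority.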

This is significant because federal agencies must patch KEV-listed vulnerabilities within days under binding operational directives. Private sector CISOs often follow the same prioritization. When the risk profile changes but no one knows, patching schedules don't adjust accordingly.