PROBABLYPWNED
Vulnerabilities | February 4, 2026 | 4 min read

59 KEV Entries Quietly Flagged for Ransomware Use in 2025

GreyNoise reveals CISA silently updated ransomware indicators on 59 vulnerabilities without alerts. New RSS feed tool catches changes within an hour.

Marcus Chen

CISA quietly updated the ransomware status of 59 vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog throughout 2025—without issuing public alerts or notifications. Security teams tracking the catalog for patch prioritization may have missed these critical updates, leaving systems exposed to ransomware operators who had already weaponized the flaws.

GreyNoise published the research on February 2, revealing that the KEV's knownRansomwareCampaignUse field silently flipped from "Unknown" to "Known" on dozens of entries. The changes happened over months, with 41% concentrated in a single May spike. Organizations relying on KEV additions alone missed the signal that existing vulnerabilities had graduated to ransomware-grade threats.

The Silent Update Problem

The KEV catalog serves as CISA's authoritative list of vulnerabilities confirmed under active exploitation. Security teams use it to prioritize patching, and BOD 22-01 mandates federal agencies remediate cataloged vulnerabilities within specific timeframes. But the ransomware flag—arguably the most urgent indicator—updates without any accompanying alert.

When a vulnerability shifts to "Known" ransomware use, the risk profile changes dramatically. Ransomware operators have industrialized their exploitation chains. A vulnerability flagged for ransomware use isn't a theoretical risk; it's actively being deployed against organizations for extortion.

GreyNoise found that some vulnerabilities waited over 1,353 days between KEV entry and ransomware designation. Others flipped within a single day. The inconsistency means organizations can't assume a "clean" ransomware status will remain stable.

Vendor Breakdown

Microsoft led the silent updates with 16 CVEs—27% of all ransomware flag changes. The concentration makes sense given Windows' dominance in enterprise environments and ransomware operators' corresponding focus on Microsoft attack surfaces. The January 2026 Patch Tuesday updates included several flaws that could follow this pattern—reaching KEV first, then quietly gaining ransomware designation months later.

Other heavily represented vendors:

  • Ivanti: 6 CVEs
  • Fortinet: 5 CVEs
  • Palo Alto Networks: 3 CVEs
  • Zimbra: 3 CVEs

The Fortinet and Palo Alto numbers are particularly concerning. Network perimeter devices provide initial access for ransomware operations, and both vendors have faced ongoing vulnerability disclosures throughout the past year.

Vulnerability Characteristics

GreyNoise's analysis revealed patterns in which vulnerabilities attract ransomware attention:

  • 34% targeted edge and network devices—firewalls, VPN concentrators, and remote access gateways
  • 39% were legacy vulnerabilities (pre-2023)—patching debt continues to create opportunities
  • 14% were authentication bypass flaws—the most common vulnerability type

Authentication bypass is the perfect ransomware prerequisite. Skip the login, deploy the payload. The preference for edge devices reflects ransomware groups' operational patterns: compromise perimeter systems first, then move laterally toward data worth encrypting.

January 2026 Updates

The most recent batch of ransomware designations, from January 28, 2026, included:

  • CVE-2024-49039: Windows Task Scheduler privilege escalation
  • CVE-2024-51567: CyberPanel default permissions issue
  • CVE-2024-9680: Mozilla Firefox use-after-free

These updates happened without announcement. Organizations that patched based on the original KEV addition but didn't revisit prioritization missed the signal that ransomware operators now use these flaws routinely.

The GreyNoise Solution

GreyNoise released an RSS feed that monitors the KEV catalog hourly and alerts subscribers when ransomware flags change:

https://kev.labs.greynoise.io/kev-ransom-feed.rss

The feed addresses the transparency gap by providing near-real-time notification when CISA updates ransomware status. Security teams can subscribe through standard RSS readers or integrate the feed into SIEM platforms and ticketing systems.

Recommendations

The silent update pattern creates a monitoring burden that most organizations haven't addressed. Steps to close the gap:

  1. Subscribe to the GreyNoise RSS feed for hourly ransomware flag updates
  2. Audit current KEV coverage against the knownRansomwareCampaignUse field—don't assume past assessments remain valid
  3. Prioritize edge device patching—one-third of ransomware-flagged vulnerabilities target network perimeter systems
  4. Revisit legacy vulnerabilities—the 39% legacy figure means 2023 and older CVEs are still being weaponized
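One way to carry out step 2 without depending on a third-party feed, as an added example that is not GreyNoise's tooling or CISA's: keep dated copies of the KEV JSON and diff them, reporting only entries whose knownRansomwareCampaignUse changed in place (additions are what KEV trackers already catch). The snapshots below are constructed; the field names other than knownRansomwareCampaignUse are assumed from CISA's published KEV JSON format, and the dateAdded values and the fourth CVE are placeholders.

```python
"""Diff two KEV catalog snapshots and surface silent ransomware-flag flips."""
import json
from collections import Counter
from datetime import date

# Constructed snapshots. Field names (cveID, vendorProject, dateAdded,
# knownRansomwareCampaignUse) are assumed from CISA's public KEV JSON; the
# dateAdded values and the fourth CVE are placeholders, not catalog data.
def _entry(cve, vendor, added, flag):
    return {"cveID": cve, "vendorProject": vendor, "dateAdded": added,
            "knownRansomwareCampaignUse": flag}

OLD_SNAPSHOT = json.dumps({"catalogVersion": "constructed-old", "vulnerabilities": [
    _entry("CVE-2024-49039", "Microsoft", "2024-11-12", "Unknown"),
    _entry("CVE-2024-51567", "CyberPanel", "2024-11-07", "Unknown"),
    _entry("CVE-2024-9680", "Mozilla", "2024-10-15", "Unknown"),
    _entry("CVE-0000-00000", "PlaceholderVendor", "2025-06-01", "Unknown")]})
NEW_SNAPSHOT = json.dumps({"catalogVersion": "constructed-new", "vulnerabilities": [
    _entry("CVE-2024-49039", "Microsoft", "2024-11-12", "Known"),
    _entry("CVE-2024-51567", "CyberPanel", "2024-11-07", "Known"),
    _entry("CVE-2024-9680", "Mozilla", "2024-10-15", "Known"),
    _entry("CVE-0000-00000", "PlaceholderVendor", "2025-06-01", "Unknown")]})

def index_by_cve(snapshot_json):
    """Map cveID -> entry for one catalog snapshot."""
    return {v["cveID"]: v for v in json.loads(snapshot_json)["vulnerabilities"]}

def silent_flips(old_json, new_json, as_of):
    """Entries present in BOTH snapshots whose knownRansomwareCampaignUse changed.
    Fresh additions are skipped on purpose: addition tracking already sees those."""
    old, new = index_by_cve(old_json), index_by_cve(new_json)
    flips = []
    for cve in sorted(old.keys() & new.keys()):
        before = old[cve]["knownRansomwareCampaignUse"]
        after = new[cve]["knownRansomwareCampaignUse"]
        if before == after:
            continue
        # Days the CVE sat in KEV before the flag changed (cf. the 1,353-day case).
        days = (date.fromisoformat(as_of) - date.fromisoformat(new[cve]["dateAdded"])).days
        flips.append({"cveID": cve, "vendorProject": new[cve]["vendorProject"],
                      "before": before, "after": after, "daysSinceAdded": days})
    return flips

def flips_by_vendor(flips):
    """Vendor breakdown of entries that became 'Known', like the article's counts."""
    return Counter(f["vendorProject"] for f in flips if f["after"] == "Known")

if __name__ == "__main__":
    found = silent_flips(OLD_SNAPSHOT, NEW_SNAPSHOT, "2026-01-28")
    for f in found:
        print(f"{f['cveID']} ({f['vendorProject']}): {f['before']} -> {f['after']}, {f['daysSinceAdded']} days after KEV entry")
    print(dict(flips_by_vendor(found)))
```

Run it on an hourly cron against the previous saved copy and route any non-empty result into the same ticketing path used for new KEV additions.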

CISA's catalog remains the gold standard for exploitation intelligence, but its notification practices haven't kept pace with how security teams actually use the data. Until that changes, third-party monitoring fills a gap that shouldn't exist.
