The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates

In 2025, significant shifts occurred within CISA's Known Exploited Vulnerabilities (KEV) catalog, where 59 entries were silently updated to indicate known ransomware exploitation. This trend highlights a critical gap in visibility regarding vulnerability-driven ransomware campaigns. GreyNoise has identified these changes to emphasize the importance of tracking vulnerability status relative to ransomware activity. The lack of explicit notification suggests attackers are leveraging existing vulnerabilities extensively for ransomware deployment. Organizations must prioritize patching KEV-listed vulnerabilities immediately to mitigate risk. Enhanced monitoring and threat intelligence feeds are necessary to detect these silent shifts. While specific malware families are not detailed in this brief, the volume of affected entries indicates a high-severity threat landscape requiring immediate defensive action and robust vulnerability management processes to prevent compromise.

In 2025, 59 KEV entries silently flipped to “known ransomware use.” GreyNoise uncovers the hidden flips, why they matter, and a new feed to track them.

In 2025, significant shifts occurred within CISA's Known Exploited Vulnerabilities (KEV) catalog, where 59 entries were silently updated to indicate known ransomware exploitation. This trend highlights a critical gap in visibility regarding vulnerability-driven ransomware campaigns. GreyNoise has identified these changes to emphasize the importance of tracking vulnerability status relative to ransomware activity. The lack of explicit notification suggests attackers are leveraging existing vulnerabilities extensively for ransomware deployment. Organizations must prioritize patching KEV-listed vulnerabilities immediately to mitigate risk. Enhanced monitoring and threat intelligence feeds are necessary to detect these silent shifts. While specific malware families are not detailed in this brief, the volume of affected entries indicates a high-severity threat landscape requiring immediate defensive action and robust vulnerability management processes to prevent compromise. In 2025, 59 KEV entries silently flipped to “known ransomware use.” GreyNoise uncovers the hidden flips, why they matter, and a new feed to track them. In 2025, 59 KEV entries silently flipped to “known ransomware use.” GreyNoise uncovers the hidden flips, why they matter, and a new feed to track them.