CISA Criticized for Silently Updating KEV Catalog with Ransomware Data

CISA Faces Scrutiny for Lack of Notification on Ransomware Vulnerability Updates in KEV Catalog

INFORMATIONAL
February 4, 2026
Categories: Policy and Compliance, Threat Intelligence, Vulnerability

Full Report

Executive Summary

The U.S. CISA (Cybersecurity and Infrastructure Security Agency) is under scrutiny from the security community for a procedural issue that significantly impacts defensive prioritization. It has been revealed that during 2025, CISA updated 59 vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog to add a flag indicating they were being used by ransomware groups. However, these critical updates were made silently, with no accompanying alerts, notifications, or changes to the vulnerability's 'date added' field. Security researchers, including Glenn Thorpe of GreyNoise, argue that this lack of notification deprives organizations of crucial, time-sensitive intelligence that would help them elevate the priority of patching these specific flaws.


Regulatory Details

The CISA KEV catalog is a cornerstone of U.S. federal cybersecurity policy, mandated by Binding Operational Directive (BOD) 22-01. It lists vulnerabilities that have been confirmed as being actively exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies are required to remediate vulnerabilities in the KEV catalog within a specified timeframe.

A key data field within the KEV catalog is knownRansomwareUse, which can be set to 'Known', 'Unknown', or 'N/A'. Research shows that when a vulnerability is publicly associated with ransomware, it is patched 2.5 times faster by the broader community. The issue arises when CISA adds a vulnerability to the KEV catalog based on general exploitation evidence (with knownRansomwareUse as 'Unknown') and later obtains intelligence that ransomware actors are using it. The agency then flips the flag to 'Known' but does not generate any notification. This means that organizations relying on KEV updates to drive their patching cadence may miss the critical change in risk posture for that vulnerability.

Affected Organizations

While FCEB agencies are the primary audience for the KEV catalog, it is widely used as an authoritative source for patch prioritization by private sector companies, state and local governments, and international partners. Any organization that uses the KEV catalog as an input for its vulnerability management program is affected by this lack of notification. They may fail to escalate patching for a vulnerability that has just become a prime target for ransomware gangs.

Compliance Requirements

There is no compliance failure on CISA's part, as its current process does not mandate notifications for field changes. However, the criticism centers on the spirit and utility of the KEV catalog. The lack of alerts for a change in the ransomware flag is seen as a failure to deliver actionable intelligence effectively. For organizations, this highlights a gap in relying solely on 'newly added' notifications and underscores the need for tools or processes that can detect changes to existing KEV entries.

Impact Assessment

The operational impact is a delay in risk mitigation. When the knownRansomwareUse flag changes to 'Known', it signals a significant escalation in the threat landscape for that specific vulnerability. Ransomware attacks can be financially devastating and highly disruptive. By not alerting defenders to this change, CISA is inadvertently causing organizations to continue treating the vulnerability with a lower priority than it now warrants. This delay provides a wider window of opportunity for ransomware groups to successfully exploit unprepared networks. The fact that one flaw was in the KEV catalog for 1,353 days (over 3.5 years) before its ransomware status was updated silently illustrates the scale of this potential intelligence gap.

Compliance Guidance

Organizations should not rely solely on CISA's notifications for new KEV entries. Instead, they should:

  1. Automate KEV Monitoring: Implement scripts or use commercial vulnerability management tools that ingest the KEV catalog JSON file on a daily basis.
  2. Track Field Changes: The monitoring process should not just look for new CVE IDs but should also diff the entire dataset against the previous day's version. This will highlight any changes to existing entries, such as the knownRansomwareUse flag.
  3. Trigger High-Priority Workflows: When a change in the knownRansomwareUse flag from 'Unknown' to 'Known' is detected, it should automatically trigger a high-priority incident or patching workflow, escalating the remediation of that CVE to the highest urgency level, equivalent to a newly discovered, actively exploited zero-day.
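The three steps above, as an added example that is not part of the article: a snapshot diff of the KEV JSON feed (its real top-level `vulnerabilities` list with `cveID`, `dateAdded` and `knownRansomwareUse` fields) that separates genuinely new CVEs from silent `Unknown` to `Known` flips. The two snapshots and their CVE IDs are constructed placeholders; in production, `YESTERDAY` and `TODAY` would be the stored and freshly downloaded feed files.

```python
"""Diff two daily snapshots of the CISA KEV catalog and flag escalations.

Added example, not from the article. Input shape follows the public KEV JSON
feed ("vulnerabilities" list with "cveID", "dateAdded", "knownRansomwareUse");
the CVE IDs below are constructed placeholders, not real entries.
"""
import json
from dataclasses import dataclass, field


@dataclass
class KevDelta:
    new_entries: list = field(default_factory=list)             # cveIDs absent yesterday
    ransomware_escalations: list = field(default_factory=list)  # flag became "Known"
    other_field_changes: dict = field(default_factory=dict)     # cveID -> changed fields


def _index(catalog):
    """Map cveID -> entry so comparison ignores list ordering."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def diff_kev(previous, current):
    """Compare two snapshots; a 'new entry' alert alone never sees flag flips."""
    old, new = _index(previous), _index(current)
    delta = KevDelta()
    for cve, entry in new.items():
        if cve not in old:
            delta.new_entries.append(cve)
            continue
        prev = old[cve]
        changed = {k for k in entry if entry.get(k) != prev.get(k)}
        if prev.get("knownRansomwareUse") != "Known" and entry.get("knownRansomwareUse") == "Known":
            # dateAdded is unchanged on a flip, so only a field diff catches it
            delta.ransomware_escalations.append(cve)
            changed.discard("knownRansomwareUse")
        if changed:
            delta.other_field_changes[cve] = sorted(changed)
    return delta


# Constructed snapshots: -0001 flips to Known today, -0002 is new, -0003 only gets a note.
YESTERDAY = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "dateAdded": "2022-05-01", "knownRansomwareUse": "Unknown", "notes": ""},
 {"cveID": "CVE-0000-0003", "dateAdded": "2025-03-02", "knownRansomwareUse": "Known", "notes": ""}]}""")
TODAY = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "dateAdded": "2022-05-01", "knownRansomwareUse": "Known", "notes": ""},
 {"cveID": "CVE-0000-0002", "dateAdded": "2026-02-04", "knownRansomwareUse": "Unknown", "notes": ""},
 {"cveID": "CVE-0000-0003", "dateAdded": "2025-03-02", "knownRansomwareUse": "Known", "notes": "link added"}]}""")

if __name__ == "__main__":
    d = diff_kev(YESTERDAY, TODAY)
    for cve in d.ransomware_escalations:
        print(f"ESCALATE {cve}: knownRansomwareUse flipped to Known, dateAdded unchanged")
    print("new:", d.new_entries, "other changes:", d.other_field_changes)
```

Entries in `ransomware_escalations` are the ones step 3 routes to the high-priority workflow; `new_entries` covers what CISA's own alerts already announce.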

Timeline of Events

  1. January 1, 2025: Throughout 2025, CISA silently updated 59 KEV entries to flag them for ransomware use.
  2. February 4, 2026: This article was published.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

CISA, KEV, Ransomware, Vulnerability Management, Policy, Threat Intelligence