CISA updated 59 KEV entries in 2025 to specify that the vulnerabilities have been exploited in ransomware attacks, a move that GreyNoise’s Glenn Thorpe described as a material change to an organisation’s risk posture, noting there’s no alert or announcement—just a field change in a JSON file. The fastest flip occurred after one day, while the longest time-to-flip surpassed 1,300 days, underscoring how quickly the data can shift in response to new exploitation patterns.
Vulnerabilities in Microsoft products accounted for more than a quarter of the updated KEV entries (16 CVEs), followed by Ivanti (6 CVEs), Fortinet (5 CVEs), Palo Alto Networks (3 CVEs) and Zimbra (3 CVEs). The most common vulnerabilities reported as exploited by ransomware groups were authentication bypass and remote code execution.
Contacted by SecurityWeek, CISA Executive Assistant Director for Cybersecurity Nick Andersen said the agency aims to help defenders prioritise risk by including the ransomware tag in KEV entries. GreyNoise’s Thorpe has created an RSS feed to alert organisations when a KEV ransomware tag changes.
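Because the flag changes without any announcement, a defender can catch it by diffing two saved copies of the KEV JSON. The sketch below is an added example, not CISA's or GreyNoise's code; it assumes the catalog's `vulnerabilities`, `cveID`, `dateAdded` and `knownRansomwareCampaignUse` fields, and the CVE IDs, vendors and dates in the samples are constructed placeholders.

```python
import json
from datetime import date

# Constructed snapshots in the KEV catalog layout (placeholder CVE IDs, not real entries).
OLD_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "dateAdded": "2025-03-01",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "VendorB", "dateAdded": "2021-11-03",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "VendorC", "dateAdded": "2024-05-01",
     "knownRansomwareCampaignUse": "Known"},
]})
NEW_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "dateAdded": "2025-03-01",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "VendorB", "dateAdded": "2021-11-03",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "vendorProject": "VendorC", "dateAdded": "2024-05-01",
     "knownRansomwareCampaignUse": "Known"},
    # Newly added entry that arrives already tagged: an addition, not a flip.
    {"cveID": "CVE-0000-0004", "vendorProject": "VendorD", "dateAdded": "2025-03-02",
     "knownRansomwareCampaignUse": "Known"},
]})
SNAPSHOT_DATE = date(2025, 3, 2)  # assumed date the newer snapshot was fetched


def index_by_cve(catalog_json):
    """Map cveID -> entry for one catalog snapshot."""
    catalog = json.loads(catalog_json)
    return {v["cveID"]: v for v in catalog.get("vulnerabilities", [])}


def ransomware_flips(old_json, new_json, seen_on):
    """Entries present in both snapshots whose ransomware flag became 'Known'."""
    old, new = index_by_cve(old_json), index_by_cve(new_json)
    flips = []
    for cve, entry in new.items():
        before = old.get(cve, {}).get("knownRansomwareCampaignUse")
        now = entry.get("knownRansomwareCampaignUse", "Unknown")
        if before is None or before == "Known" or now != "Known":
            continue  # new entry, already tagged, or still untagged
        added = date.fromisoformat(entry["dateAdded"])
        flips.append({"cveID": cve, "vendor": entry.get("vendorProject"),
                      "days_to_flip": (seen_on - added).days})
    return sorted(flips, key=lambda f: f["days_to_flip"])


if __name__ == "__main__":
    for flip in ransomware_flips(OLD_SNAPSHOT, NEW_SNAPSHOT, SNAPSHOT_DATE):
        print(flip)
```

Run against real daily snapshots, the output is the list of entries to re-prioritise; `days_to_flip` is only as precise as the interval between snapshots.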