www.darkreading.com 2/4/2026, 10:25:21 PM · via preferred

CISA Makes Unpublicized Ransomware Updates to KEV Catalog


CISA has been quietly updating its Known Exploited Vulnerabilities (KEV) catalog to reflect ransomware activity, with GreyNoise’s analysis identifying 59 vulnerabilities that switched to a “Known” ransomware status at some point in 2025. According to GreyNoise, the flips involved 16 entries for Microsoft, six for Ivanti, five for Fortinet, three for Palo Alto Networks and three for Zimbra, and network edge devices accounted for 19 of the CVEs.

In one example, CVE-2025-61882, a critical flaw in Oracle E-Business Suite, had its ransomware status updated the day after it was added to the catalog on 6 October 2025. The flips are typically not publicly announced, prompting researchers to warn that organisations may deprioritise KEV entries that had not previously shown exploitation. Thorpe argues that these silent changes distort risk prioritisation, since ransomware activity can evolve after a vulnerability is first catalogued.

The article notes that, since 2024, only seven CVEs were added with the ransomware flag initially, while 88 were flipped later, highlighting the need for defenders to monitor the delta rather than rely on headlines.
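One way to monitor that delta is to keep dated copies of the KEV JSON feed and compare them. The sketch below is an added example, not code from the article or from GreyNoise; it assumes the feed's `vulnerabilities` array with its `cveID`, `vendorProject` and `knownRansomwareCampaignUse` fields, and both snapshots are constructed placeholders.

```python
import json
from collections import Counter

# Constructed snapshots shaped like CISA's KEV JSON feed. The field names are
# the feed's; every CVE id, vendor and date below is a made-up placeholder.
OLD_SNAPSHOT = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "dateAdded": "2025-01-10", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0002", "vendorProject": "VendorB", "dateAdded": "2025-02-03", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "VendorB", "dateAdded": "2025-02-20", "knownRansomwareCampaignUse": "Known"}
]}""")
NEW_SNAPSHOT = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "dateAdded": "2025-01-10", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0002", "vendorProject": "VendorB", "dateAdded": "2025-02-03", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0003", "vendorProject": "VendorB", "dateAdded": "2025-02-20", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0004", "vendorProject": "VendorC", "dateAdded": "2025-03-01", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0005", "vendorProject": "VendorC", "dateAdded": "2025-03-02", "knownRansomwareCampaignUse": "Unknown"}
]}""")

def _is_known(entry):
    # A missing or oddly cased field is treated as not flagged.
    return str(entry.get("knownRansomwareCampaignUse", "")).strip().lower() == "known"

def ransomware_delta(old, new):
    """Compare two catalog snapshots.

    Returns (flipped, added_flagged): CVE ids whose flag went from not-Known to
    Known, and CVE ids that first appear in `new` already flagged Known.
    """
    old_idx = {v["cveID"]: v for v in old.get("vulnerabilities", [])}
    flipped, added_flagged = [], []
    for entry in sorted(new.get("vulnerabilities", []), key=lambda v: v["cveID"]):
        if not _is_known(entry):
            continue
        previous = old_idx.get(entry["cveID"])
        if previous is None:
            added_flagged.append(entry["cveID"])
        elif not _is_known(previous):
            flipped.append(entry["cveID"])
    return flipped, added_flagged

def flips_by_vendor(new, flipped):
    """Count flipped entries per vendorProject, for re-prioritising patch queues."""
    wanted = set(flipped)
    return Counter(v["vendorProject"] for v in new["vulnerabilities"] if v["cveID"] in wanted)

if __name__ == "__main__":
    flipped, added = ransomware_delta(OLD_SNAPSHOT, NEW_SNAPSHOT)
    print("flipped to Known:", flipped)
    print("added already Known:", added)
    print("flips by vendor:", dict(flips_by_vendor(NEW_SNAPSHOT, flipped)))
```

Entries in the flipped list are the ones that never get a new-addition announcement, so they are the ones to route back into patch triage.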


Article by CyberSIXT